1306995 – SELinux prevents Mongodb from writing to syslog

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1306995 - SELinux prevents Mongodb from writing to syslog

Summary: SELinux prevents Mongodb from writing to syslog

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	1306819
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-12 12:10 UTC by Marek Skalický
Modified:	2020-09-20 13:34 UTC (History)
CC List:	20 users (show)
Fixed In Version:	selinux-policy-3.13.1-81.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1306819
Environment:
Last Closed:	2016-11-04 02:42:48 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2283	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2016-11-03 13:36:25 UTC

Description Marek Skalický 2016-02-12 12:10:33 UTC

+++ This bug was initially created as a clone of Bug #1306819 +++

Description of problem:
Mongod cannot start when configured to log to syslog.

Version-Release number of selected component (if applicable):
mongodb.x86_64         2.6.11-1.el7
mongodb-server.x86_64  2.6.11-1.el7                                 

How reproducible:
Always.

Steps to Reproduce:
1. Install mongodb-server

2. Configure to use syslog loging. Edit /etc/mongod.conf and set the following:

syslog = true
syslogFacility = user
#logpath = /var/log/mongodb/mongod.log


3. Start mongod

# systemctl start mongod



Actual results:

Lots of denials.

From /var/log/messages

Feb 11 18:57:47 happy setroubleshoot: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 93b4d9c4-7003-4caa-b882-ac5b0d4ab85e

Feb 11 18:57:47 happy python: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep mongod /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012




Expected results:

Mongod writes out to syslog and no selinux denials. Maybe this should/does require an sebool?

Additional info:

--- Additional comment from Marek Skalický on 2016-02-12 06:11:30 EST ---

Moving to selinux-policy.

This bug affect all versions of Fedora and also EPEL.


SELinux info from F23:

SELinux is preventing mongod from create access on the unix_dgram_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:system_r:mongod_t:s0
Target Objects                Unknown [ unix_dgram_socket ]
Source                        mongod
Source Path                   mongod
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.4.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.3.5-300.fc23.x86_64
                              #1 SMP Mon Feb 1 03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-02-12 11:55:02 CET
Last Seen                     2016-02-12 11:55:04 CET
Local ID                      e337899f-d93d-4e16-87cc-946bb15094ca

Raw Audit Messages
type=AVC msg=audit(1455274504.344:4698): avc:  denied  { create } for  pid=10112 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket permissive=0


Hash: mongod,mongod_t,mongod_t,unix_dgram_socket,create

Comment 1 Marek Skalický 2016-02-12 12:13:09 UTC

This bug also prevent from starting all MongoDB Software Collections with enabled syslog logging (not by default)

Collections: rh-mongodb26 and new collections prepared fro RHSCL 2.2

Comment 3 Milos Malik 2016-02-12 12:45:05 UTC

Following AVC appeared in enforcing mode:
----
type=SYSCALL msg=audit(02/12/2016 13:43:13.584:621) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=local a1=SOCK_DGRAM a2=ip a3=0x34 items=0 ppid=1 pid=12123 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(02/12/2016 13:43:13.584:621) : avc:  denied  { create } for  pid=12123 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket 
----

Comment 4 Milos Malik 2016-02-12 12:48:16 UTC

Following AVCs appeared after switching the mongod_t type to permissive mode:
----
type=SYSCALL msg=audit(02/12/2016 13:46:45.318:634) : arch=x86_64 syscall=socket success=yes exit=4 a0=local a1=SOCK_DGRAM a2=ip a3=0x6f items=0 ppid=23510 pid=23511 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(02/12/2016 13:46:45.318:634) : avc:  denied  { create } for  pid=23511 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket 
----
type=PATH msg=audit(02/12/2016 13:46:45.320:635) : item=0 name=/dev/log inode=6960 dev=00:05 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devlog_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/12/2016 13:46:45.320:635) :  cwd=/ 
type=SOCKADDR msg=audit(02/12/2016 13:46:45.320:635) : saddr=local /dev/log 
type=SYSCALL msg=audit(02/12/2016 13:46:45.320:635) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f96e6df1740 a2=0x6e a3=0x6f items=1 ppid=23510 pid=23511 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc:  denied  { sendto } for  pid=23511 comm=mongod path=/dev/log scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc:  denied  { write } for  pid=23511 comm=mongod name=log dev="devtmpfs" ino=6960 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file 
type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc:  denied  { connect } for  pid=23511 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket 
----

Comment 5 Seth Kress 2016-04-21 12:10:15 UTC

Any chance we can get this pushed out to RHEL 7 with the next selinux-policy patch?

Comment 10 Veiko Kukk 2016-07-21 10:01:52 UTC

This still happens. Any solution/update coming soon?

Comment 14 errata-xmlrpc 2016-11-04 02:42:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.

admiller
dominick.grift
dwalsh
extras-qa
jdornak
johan.o.hedin
jpacner
kresss
lvrabec
mgrepl
mmalik
mskalick
npmccallum
plautrba
pvrabec
srandhaw
ssekidde
strobert
tdawson
veiko