
SELinux is preventing /usr/bin/mongod from search access


My question is similar to others, such as SELinux preventing mongod search access. In this case, I installed snapd for a reason entirely unrelated to MongoDB. That was about a week ago (2/5/2023). That package created /var/lib/snapd.

Just this morning, MongoDB decided it wanted to search that directory, and it has generated 2207 SELinux denials, trying to search it.

But why has MongoDB decided to try to search /var/lib/snapd and how can I convince it to stop?

Here is the report from "sealert".

found 1 alerts in /var/log/audit/audit.log
---------------------------------------------

SELinux is preventing /usr/bin/mongod from search access on the directory /var/lib/snapd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc
# semodule -i my-ftdc.pp


Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:snappy_var_lib_t:s0
Target Objects                /var/lib/snapd [ dir ]
Source                        ftdc
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           mongodb-org-server-4.2.23-1.el7.x86_64
Target RPM Packages           snapd-2.57.6-2.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tempest
Platform                      Linux tempest 3.10.0-1160.81.1.el7.x86_64 #1 SMP
                              Fri Dec 16 17:29:43 UTC 2022 x86_64 x86_64
Alert Count                   2207
First Seen                    2023-02-16 09:47:11 EST
Last Seen                     2023-02-16 10:18:16 EST
Local ID                      1b1e89fc-b993-4261-be54-36b61b36c408

Notice the short time interval between the first seen and the last seen (I shut down MongoDB at that point): 2207 denials in about 30 minutes, with no reason to have started in the first place.

My configuration of MongoDB is similar to the earlier poster's:

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
#  engine:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.

I appreciate any help you can give.
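The following is an added example, not part of the original question or of MongoDB's or snapd's own tooling. It does not answer why mongod's ftdc thread searches /var/lib/snapd; it shows how to read the raw AVC records that sealert summarised above and how to choose between the two ways of making the denials stop. The sealert catchall suggestion (audit2allow -M) generates an allow rule, which grants mongod_t search on snappy_var_lib_t. If mongod has no legitimate need for that directory, a dontaudit rule silences the 2207-denials-per-half-hour noise without widening the policy (audit2allow -D generates that form). The AVC records in AVC_SAMPLE are constructed to match the contexts in the sealert report (timestamps, pids and inode numbers are made up); the module name my-ftdc is reused from the sealert suggestion.

```shell
#!/bin/sh
# Added example, not part of the original post: offline triage of SELinux
# AVC denials of the kind sealert reported above (mongod_t -> snappy_var_lib_t,
# dir:search). Works on the raw records that `ausearch --raw` prints.
#
# The records in AVC_SAMPLE are CONSTRUCTED to match the contexts in the
# sealert report; they are not copied from the poster's audit.log. The
# timestamps, pids and inode numbers are made up. The third record is an
# unrelated denial, included to show that the summary keeps tuples apart.
AVC_SAMPLE='type=AVC msg=audit(1676558831.101:4501): avc:  denied  { search } for  pid=1234 comm="ftdc" name="snapd" dev="dm-0" ino=1049091 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1676558832.202:4502): avc:  denied  { search } for  pid=1234 comm="ftdc" name="snapd" dev="dm-0" ino=1049091 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1676558833.303:4503): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=2097152 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc: read raw AVC records on stdin and print one line per unique
# (comm, scontext, tcontext, tclass, permissions) tuple, most frequent first:
#   <count> <comm> <scontext> <tcontext> <tclass> <perm ...>
# On a live host: ausearch -m AVC -c ftdc --raw | summarize_avc
summarize_avc() {
    awk '
    /^type=AVC/ {
        perms = ""
        if (match($0, /\{[^}]*\}/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)   # text inside { }
        gsub(/^ +| +$/, "", perms)
        comm = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") sc  = kv[2]
            if (kv[1] == "tcontext") tc  = kv[2]
            if (kv[1] == "tclass")   cls = kv[2]
        }
        count[comm " " sc " " tc " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# te_from_summary VERB MODULE: turn one summary line (stdin) into a minimal
# type-enforcement module source, equivalent to what
#   ausearch -c ftdc --raw | audit2allow -M MODULE       (VERB=allow)
#   ausearch -c ftdc --raw | audit2allow -D -M MODULE    (VERB=dontaudit)
# would generate. "dontaudit" silences the log noise without granting the
# access; "allow" is what the sealert catchall suggests and widens policy.
te_from_summary() {
    verb=$1; name=$2
    read -r count comm sc tc cls perms || return 1
    st=$(printf '%s\n' "$sc" | cut -d: -f3)   # type field of source context
    tt=$(printf '%s\n' "$tc" | cut -d: -f3)   # type field of target context
    case $perms in
        *' '*) plist="{ $perms }" ;;          # several permissions
        *)     plist=$perms ;;
    esac
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s %s;\n}\n\n%s %s %s:%s %s;\n' \
        "$name" "$st" "$tt" "$cls" "$plist" "$verb" "$st" "$tt" "$cls" "$plist"
}

# Stand-alone demo over the constructed records.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | summarize_avc | head -n 1 | te_from_summary dontaudit my-ftdc
# To build and load the generated module on the target host (needs
# checkpolicy and policycoreutils; not run here):
#   checkmodule -M -m -o my-ftdc.mod my-ftdc.te
#   semodule_package -o my-ftdc.pp -m my-ftdc.mod
#   semodule -i my-ftdc.pp
```

Run the summary first and look at the tuple, not just the count: the source type, target type, object class and permission set are what the module will encode, and a module built blindly from every record that mentions comm "ftdc" inherits whatever else that thread was denied. A dontaudit module is reversible with semodule -r my-ftdc, and semanage dontaudit off temporarily disables all dontaudit rules if the denials need to be seen again while investigating why mongod touches that directory.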
