|
1 | 1 | .. important::
|
2 | 2 |
|
3 | 3 | If SELinux is in ``enforcing`` mode, you must customize your SELinux
|
4 |
| - policy for MongoDB. |
| 4 | + policy for MongoDB by making the following two policy adjustments: |
| 5 | + |
| 6 | +Permit Access to ``cgroup`` |
| 7 | ++++++++++++++++++++++++++++ |
5 | 8 |
|
6 | 9 | .. container::
|
7 | 10 |
|
|
48 | 51 | The MongoDB process is now able to access the correct files with
|
49 | 52 | SELinux set to ``enforcing``.
|
50 | 53 |
|
| 54 | +Permit Access to ``netstat`` for FTDC |
| 55 | ++++++++++++++++++++++++++++++++++++++ |
| 56 | +
|
| 57 | +.. container:: |
| 58 | +
|
| 59 | + The current SELinux Policy does not allow the MongoDB process to open |
| 60 | + and read ``/proc/net/netstat``, which is required for |
| 61 | + :ref:`Full Time Diagnostic Data Capture (FTDC) <ftdc-stub>`. |
| 62 | + If you intend to run SELinux in |
| 63 | + ``enforcing`` mode, you will need to make the following adjustment |
| 64 | + to your SELinux policy: |
| 65 | +
|
| 66 | + #. Ensure your system has the ``checkpolicy`` package installed: |
| 67 | +
|
| 68 | + .. code-block:: sh |
| 69 | +
|
| 70 | + sudo yum install checkpolicy |
| 71 | +
|
| 72 | + #. Create a custom policy file :file:`mongodb_proc_net.te`: |
| 73 | +
|
| 74 | + .. code-block:: sh |
| 75 | +
|
| 76 | + cat > mongodb_proc_net.te <<EOF |
| 77 | + module mongodb_proc_net 1.0; |
| 78 | +
|
| 79 | + require { |
| 80 | + type proc_net_t; |
| 81 | + type mongod_t; |
| 82 | + class file { open read }; |
| 83 | + } |
| 84 | +
|
| 85 | + #============= mongod_t ============== |
| 86 | + allow mongod_t proc_net_t:file { open read }; |
| 87 | + EOF |
| 88 | +
|
| 89 | + #. Once created, compile and load the custom policy module by |
| 90 | + running these three commands: |
| 91 | +
|
| 92 | + .. code-block:: sh |
| 93 | +
|
| 94 | + checkmodule -M -m -o mongodb_proc_net.mod mongodb_proc_net.te |
| 95 | + semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod |
| 96 | + sudo semodule -i mongodb_proc_net.pp |
| 97 | +
|
51 | 98 | .. important::
|
52 | 99 |
|
53 |
| - You will also need to further customize your SELinux policy in the |
54 |
| - following two cases if SELinux is in ``enforcing`` mode: |
| 100 | + In addition to the above, you will also need to further customize |
| 101 | + your SELinux policy in the following two cases if SELinux is in |
| 102 | + ``enforcing`` mode: |
55 | 103 |
|
56 |
| - - You are **not** using the default MongoDB directories (for RHEL 7.0), and/or |
| 104 | + - You are using a **custom directory path** instead of using the |
| 105 | + default :setting:`~storage.dbPath`, :setting:`systemLog.path`, or |
| 106 | + :setting:`~processManagement.pidFilePath` in RHEL 7.0 or later, |
| 107 | + and/or |
57 | 108 |
|
58 |
| - - You are **not** using :doc:`default MongoDB ports |
| 109 | + - You are using a **custom port** instead of using the :doc:`default MongoDB ports |
59 | 110 | </reference/default-mongodb-port>`.
|
60 | 111 |
|
61 |
| -Non-Default MongoDB Directory Path(s) |
| 112 | +Using a Custom MongoDB Directory Path |
62 | 113 | +++++++++++++++++++++++++++++++++++++
|
63 | 114 |
|
64 | 115 | .. container::
|
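Review bot: the rule ``allow mongod_t proc_net_t:file { open read };`` in the ``mongodb_proc_net.te`` heredoc grants ``mongod_t`` read access to every file labelled ``proc_net_t``, that is all of ``/proc/net``, not only ``/proc/net/netstat``, because the type is the granularity SELinux offers here; the prose above names only ``netstat``, so a sentence stating the real scope of the grant would let readers weigh it. Step 1 installs only ``checkpolicy``, which provides ``checkmodule``; ``semodule_package`` and ``semodule`` in step 3 come from ``policycoreutils``, which should be named too. Finally, ``If you intend to run SELinux in enforcing mode, you will need to make the following adjustment`` repeats the condition already stated at the top of the ``important`` block (``If SELinux is in enforcing mode, you must customize ... two policy adjustments``) and can be dropped.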
@@ -127,58 +178,11 @@ Non-Default MongoDB Directory Path(s)
|
127 | 178 | restorecon -R -v '/mongodb/log'
|
128 | 179 |
|
129 | 180 |
|
130 |
| -Non-Default MongoDB Ports |
131 |
| -+++++++++++++++++++++++++ |
| 181 | +Using a Custom MongoDB Port |
| 182 | ++++++++++++++++++++++++++++ |
132 | 183 |
|
133 | 184 | .. container::
|
134 | 185 |
|
135 | 186 | .. code-block:: sh
|
136 | 187 |
|
137 | 188 | sudo semanage port -a -t mongod_port_t -p tcp <portnumber>
|
138 |
| -
|
139 |
| -*Optional.* Suppress ``FTDC`` Warnings |
140 |
| -++++++++++++++++++++++++++++++++++++++ |
141 |
| -
|
142 |
| -.. container:: |
143 |
| -
|
144 |
| - The current SELinux Policy does not allow the MongoDB process to open |
145 |
| - and read ``/proc/net/netstat`` for :ref:`param-ftdc` (FTDC). As such, |
146 |
| - the audit log may include numerous messages regarding lack of access |
147 |
| - to this path. |
148 |
| -
|
149 |
| - To track the proposed fix, see `<https://github.com/fedora-selinux/selinux-policy-contrib/pull/79>`__. |
150 |
| -
|
151 |
| - Optionally, as a temporary fix, you can manually adjust the SELinux |
152 |
| - Policy: |
153 |
| -
|
154 |
| - #. Ensure your system has the ``checkpolicy`` package installed: |
155 |
| -
|
156 |
| - .. code-block:: sh |
157 |
| -
|
158 |
| - sudo yum install checkpolicy |
159 |
| -
|
160 |
| - #. Create a custom policy file :file:`mongodb_proc_net.te`: |
161 |
| -
|
162 |
| - .. code-block:: sh |
163 |
| -
|
164 |
| - cat > mongodb_proc_net.te <<EOF |
165 |
| - module mongodb_proc_net 1.0; |
166 |
| -
|
167 |
| - require { |
168 |
| - type proc_net_t; |
169 |
| - type mongod_t; |
170 |
| - class file { open read }; |
171 |
| - } |
172 |
| -
|
173 |
| - #============= mongod_t ============== |
174 |
| - allow mongod_t proc_net_t:file { open read }; |
175 |
| - EOF |
176 |
| -
|
177 |
| - #. Once created, compile and load the custom policy module by |
178 |
| - running these three commands: |
179 |
| -
|
180 |
| - .. code-block:: sh |
181 |
| -
|
182 |
| - checkmodule -M -m -o mongodb_proc_net.mod mongodb_proc_net.te |
183 |
| - semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod |
184 |
| - sudo semodule -i mongodb_proc_net.pp |
|
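Review bot: ``sudo semanage port -a -t mongod_port_t -p tcp <portnumber>`` fails with ``ValueError: Port tcp/<portnumber> already defined`` when the chosen port already carries a type in the policy; the section should tell readers to check with ``semanage port -l | grep mongod`` and use ``semanage port -m`` instead of ``-a`` in that case. Also, the removed FTDC section carried the upstream tracking link ``https://github.com/fedora-selinux/selinux-policy-contrib/pull/79`` and the note that the audit log fills with denials for ``/proc/net/netstat``; neither was moved into the new ``Permit Access to netstat for FTDC`` section, so readers lose the pointer that tells them when the custom module becomes unnecessary.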