mongodb / mongodb-selinux

GNU General Public License v2.0

After applying these to RHEL9.2 all users including root lose systemctl control over mongod #12

Open zerxen opened 1 year ago

zerxen commented 1 year ago

If I apply these SELinux policies, root and all users lose control of mongod using systemctl:

[root@phapi207 mongodb-selinux]# make install
cp build/targeted/mongodb.pp /usr/share/selinux/targeted/mongodb.pp
/usr/sbin/semodule --priority 200 --store targeted --install /usr/share/selinux/targeted/mongodb.pp
libsemanage.semanage_direct_install_info: Overriding mongodb module at lower priority 100 with module at priority 200.
/sbin/fixfiles -R mongodb-enterprise-server restore || true
mongodb-enterprise-server not found

/sbin/fixfiles -R mongodb-org-server restore || true
2k
/sbin/restorecon -R /var/lib/mongo || true
/sbin/restorecon -R /run/mongodb || true
[root@phapi207 mongodb-selinux]# systemctl status mongod
Failed to get properties: Access denied

If I simply remove it with "make uninstall", systemctl access is restored. Any hints what changed? RHEL 9.1 and 8.8 systems do not have this issue.

zerxen commented 1 year ago

Ok, I think I found the issue: on a newer RHEL9.2 image, my mongod was running BEFORE applying the SELinux policy from this package. This caused it to lose control over some tmp system files that systemctl relies on for control.

Maybe a recommendation, an interactive check if mongod is already running if "make install" is issued OR extending this package to manually change selinux attributes on all mongod temporary files that exist during mongo's run.

For myself I solved this simply with "make uninstall", stopping mongoDB, "make install" and starting MongoDB again :). It was just not obvious quickly.

richip commented 9 months ago

Had the same and turns out it was this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1224211

A systemctl daemon-reexec fixes it.
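
The two workarounds from the comments above, combined into one install sequence as an added example (not code from the mongodb-selinux repository): stop mongod if it is running, run `make install`, run `systemctl daemon-reexec` if systemctl still reports "Access denied", then start mongod again. The function names and the `SERVICE` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not part of mongodb-selinux. Names below are assumptions.
SERVICE="${SERVICE:-mongod}"

# True when the unit is currently running.
service_active() {
    systemctl is-active --quiet "$SERVICE"
}

# True when systemctl shows the symptom reported in this issue
# ("Failed to get properties: Access denied").
access_denied() {
    systemctl status "$SERVICE" 2>&1 | grep -q 'Access denied'
}

# Install the policy module with the service stopped, so mongod never
# keeps running across the policy change.
# Returns 0 on success, 1 if a step fails, 2 if systemctl is still denied.
install_policy() {
    was_active=0
    if service_active; then
        was_active=1
        systemctl stop "$SERVICE" || return 1
    fi

    make install || return 1

    # Workaround from the last comment: re-execute the systemd manager
    # if it can no longer be queried after the module was loaded.
    if access_denied; then
        systemctl daemon-reexec || return 1
    fi

    # Only restart the service if this function stopped it.
    if [ "$was_active" -eq 1 ]; then
        systemctl start "$SERVICE" || return 1
    fi

    if access_denied; then
        return 2
    fi
    return 0
}

# Call install_policy as root from the mongodb-selinux checkout.
```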