mongodb / mongodb-selinux

GNU General Public License v2.0

SE-Linux and var_lib_nfs #9

Open pboydr opened 1 year ago

pboydr commented 1 year ago

The following message is seen in the audit log for MongoDB 6.0:

type=AVC msg=audit(1679898913.000:2101220): avc: denied { search } for pid=314191 comm="ftdc" name="nfs" dev="dm-6" ino=6292236 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0

Adding the following to mongodb.te and then unloading, compiling and loading the rules again helped. It seems the rule was lost between MongoDB 4.4 and 5.0.

Patch file:

--- mongodb.te.orig 2023-03-27 15:50:01.215714756 +0200
+++ mongodb.te  2023-03-27 15:50:57.510360567 +0200
@@ -65,6 +65,16 @@
 allow mongod_t var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
 type_transition mongod_t var_run_t:dir mongod_runtime_t;

+require {
+   type var_lib_nfs_t;
+   type autofs_t;
+   type mongod_t;
+   class dir search;
+}
+#============= mongod_t ==============
+allow mongod_t autofs_t:dir search;
+allow mongod_t var_lib_nfs_t:dir search;
+
 # this is required to create mongodb-XXXXX.sock files
 files_rw_generic_tmp_dir(mongod_t)
 fs_manage_tmpfs_sockets(mongod_t)
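Review bot: `allow mongod_t autofs_t:dir search;` is not backed by any denial shown in this issue; the AVC above is only for `tcontext=...:var_lib_nfs_t:s0` (`comm="ftdc"` searching `name="nfs"`), so either attach the autofs_t AVC that motivates it or drop that rule and add only `allow mongod_t var_lib_nfs_t:dir search;`. In the `require` block, `type mongod_t;` should go: this module already declares mongod_t (the `allow mongod_t var_run_t:dir ...` rule in the hunk's context uses it), so requiring it from the same module is redundant. Keeping the new rule to `search` on a `dir` matches the denial exactly; do not widen it to further permissions without a matching AVC.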
chris-gaona commented 1 year ago

Thank you for posting this fix 👍🏻. We recently ran into this SELinux denial issue when we migrated our servers to Oracle Linux 8, and the denial caused a good deal of memory to be consumed. Adding the part you mentioned fixed the denial issue for us.
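The two comments above agree on the fix but only one of the two added allow rules is supported by the denial that was actually logged. Below is an added example (not code from the mongodb-selinux project or from either commenter) that parses AVC records the way the issue's line is formatted, derives the minimal allow rule per (source type, target type, class) in the spirit of audit2allow, and flags any proposed rule that no observed denial justifies. The audit line is the one quoted in the issue; the SYSCALL record, the `PROPOSED_RULES` list and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The first line is the AVC quoted in the issue; the
# second is a constructed non-AVC record that the parser must skip.
AUDIT_LINES = [
    'type=AVC msg=audit(1679898913.000:2101220): avc: denied { search } for '
    'pid=314191 comm="ftdc" name="nfs" dev="dm-6" ino=6292236 '
    'scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1679898913.000:2101220): arch=c000003e syscall=257 '
    'success=no exit=-13 comm="ftdc" exe="/usr/bin/mongod"',  # constructed
]

# The two rules from the issue's patch; only the first has a logged denial.
PROPOSED_RULES = [
    "allow mongod_t var_lib_nfs_t:dir search;",
    "allow mongod_t autofs_t:dir search;",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# Simple "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };" rules.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\w+))\s*;"
)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perm: str
    enforcing: bool   # permissive=0 means the access was actually blocked
    comm: str


def type_of(context):
    """user:role:type:level -> the type field (third component)."""
    return context.split(":")[2]


def parse_denials(lines):
    """Return one Denial per denied permission found in AVC records."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL, PATH, CWD records)
        comm = re.search(r'comm="([^"]*)"', line)
        enforcing = m.group("permissive") != "1"
        for perm in m.group("perms").split():
            out.append(Denial(type_of(m.group("scontext")),
                              type_of(m.group("tcontext")),
                              m.group("tclass"), perm, enforcing,
                              comm.group(1) if comm else ""))
    return out


def parse_allow_rule(rule):
    """Expand an allow rule into a set of (src, tgt, class, perm) tuples."""
    m = ALLOW_RE.match(rule)
    if not m:
        raise ValueError(f"not a simple allow rule: {rule!r}")
    perms = (m.group("perms").split() if m.group("perms") is not None
             else [m.group("perm")])
    return {(m.group("src"), m.group("tgt"), m.group("cls"), p) for p in perms}


def minimal_allow_rules(denials):
    """One allow rule per (source, target, class) with only the denied perms."""
    grouped = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        grouped.setdefault(key, set()).add(d.perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def unjustified_rules(proposed, denials):
    """Proposed rules granting any access no observed denial asked for."""
    observed = {(d.source_type, d.target_type, d.tclass, d.perm) for d in denials}
    return [r for r in proposed if not parse_allow_rule(r) <= observed]


if __name__ == "__main__":
    found = parse_denials(AUDIT_LINES)
    print("minimal rules:", minimal_allow_rules(found))
    print("not backed by a denial:", unjustified_rules(PROPOSED_RULES, found))
```

Run it and the autofs_t rule is the one reported as unjustified: the policy change should be driven by the AVCs actually seen on the host (`ausearch -m AVC -c ftdc` is the usual way to collect them), and any extra rule deserves its own denial or a written reason before it goes into the module.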