This is a proposed fix for https://jira.mongodb.org/browse/SERVER-38704 #79
Conversation
Please use mentioned interface instead of raw allow rule and I'll merge this.
Thanks for your help!
Lukas
mongodb.te
Outdated
## This means that we need to adjust the policy so that the mongod | ||
## process is allowed to open and read /proc/net/netstat, which | ||
## also typically has symlinks (e.g. /proc/net/snmp). | ||
allow mongod_t proc_net_t:file { open read }; |
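Review bot: The comment above this rule says /proc/net/netstat typically involves symlinks (e.g. /proc/net/snmp), but `allow mongod_t proc_net_t:file { open read };` only grants the file class, so a read that goes through a symlink would still be denied on lnk_file. The module already calls kernel_read_network_state, and the /proc traversal is what kernel_list_proc(mongod_t) and kernel_read_proc_symlinks(mongod_t) are for; those interfaces should replace this raw allow rule rather than sit beside it.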
You can use the following interface "kernel_read_network_state" instead of using a raw allow rule.
Hi @wrabcak,
It already has kernel_read_network_state, so I'm assuming you mean that these two new options are sufficient additions to that which then eliminates the need for the explicit allow:
kernel_list_proc(mongod_t)
kernel_read_proc_symlinks(mongod_t)
I'll adjust the PR accordingly for now and can correct again if I'm misunderstanding anything.
Thank you for the help!
OK, that's done. I'll leave the conversation open in case I misunderstood the request. Thanks again!
Hi Mattlord, Could you squash these commits to 1 commit? Then, I'll merge it. Thanks,
…from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
Hi Lukas, I squashed my two commits and cleaned things up so that it should be an easy 1 commit merge. Thank you again for all of your help and patience! I appreciate it. Best Regards, Matt
Hi Mattlord, Thank you for help on SELinux policies. :) Backporting PR to Fedora 29 and Fedora 28.
In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod tries to read netstat info from /proc/net and store it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400
This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which also typically has symlinks (e.g. /proc/net/snmp).
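The discussion above turns on one practical question: given the AVC denials mongod produces when it reads /proc/net, which refpolicy interface (rather than a raw allow rule) covers them? The script below is an added example, not code from this PR or from the fedora-selinux project. It parses constructed audit lines of the kind mongod_t would log, and maps each denial onto the three interfaces named in the thread (kernel_read_network_state, kernel_list_proc, kernel_read_proc_symlinks). The table of what each interface grants is a simplified assumption written here from memory of refpolicy's kernel.if; check it against the policy source you actually build against. A denial that no interface in the table explains is reported separately instead of being turned into an allow rule, which is the review point Lukas made.

```python
import re
from dataclasses import dataclass

# Constructed sample AVC denials, modelled on what a mongod_t process would log
# while the policy still lacked /proc/net access. Not taken from the PR.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1547000000.123:456): avc:  denied  { read open } for  pid=1234 comm="mongod" path="/proc/net/netstat" dev="proc" ino=4026531962 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547000000.124:457): avc:  denied  { read } for  pid=1234 comm="mongod" name="net" dev="proc" ino=4026531963 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1547000000.125:458): avc:  denied  { read } for  pid=1234 comm="mongod" name="1234" dev="proc" ino=4026531840 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547000000.126:459): avc:  denied  { write } for  pid=4321 comm="mongod" name="shadow" dev="sda1" ino=17 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# ASSUMPTION: simplified view of what each refpolicy interface grants
# (target type, object class, permissions). Verify against kernel.if before use.
INTERFACES = {
    "kernel_read_network_state": [
        ("proc_net_t", "file", {"open", "read", "getattr", "ioctl", "lock"}),
        ("proc_net_t", "dir", {"open", "read", "getattr", "search", "ioctl", "lock"}),
        ("proc_net_t", "lnk_file", {"read", "getattr"}),
    ],
    "kernel_list_proc": [
        ("proc_t", "dir", {"open", "read", "getattr", "search", "ioctl", "lock"}),
    ],
    "kernel_read_proc_symlinks": [
        ("proc_t", "lnk_file", {"read", "getattr"}),
    ],
}


@dataclass(frozen=True)
class Denial:
    source: str        # source domain, e.g. mongod_t
    target: str        # target type, e.g. proc_net_t
    tclass: str        # object class, e.g. file
    perms: frozenset   # permissions that were denied


# Pulls the denied permission set, source domain, target type and class out of
# an AVC record. The user:role:type triple is matched positionally so MLS
# ranges after the type do not matter.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<source>\w+).*?"
    r"tcontext=\w+:\w+:(?P<target>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return a Denial for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(m["source"], m["target"], m["tclass"], frozenset(m["perms"].split()))


def suggest_interface(denial):
    """Name the first interface whose grants cover every denied permission, else None."""
    for name, grants in INTERFACES.items():
        for target, tclass, perms in grants:
            if denial.target == target and denial.tclass == tclass and denial.perms <= perms:
                return name
    return None


def interface_calls(log_text):
    """Map a block of audit log text to the interface calls that would resolve it.

    Returns (sorted list of policy lines, list of denials no interface explains).
    The unexplained denials are deliberately not turned into raw allow rules.
    """
    calls, unexplained = set(), []
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is None:
            continue
        name = suggest_interface(denial)
        if name:
            calls.add(f"{name}({denial.source})")
        else:
            unexplained.append(denial)
    return sorted(calls), unexplained


if __name__ == "__main__":
    lines, leftover = interface_calls(SAMPLE_AUDIT)
    print("# add to the .te module:")
    for policy_line in lines:
        print(policy_line)
    for d in leftover:
        print(f"# unexplained: {d.source} -> {d.target}:{d.tclass} {sorted(d.perms)} (investigate, do not allow blindly)")
```

Running it on the constructed log prints the three interface calls from the thread (kernel_list_proc, kernel_read_network_state and kernel_read_proc_symlinks, each on mongod_t) and flags the fourth denial, a write to shadow_t, as something no /proc interface explains. That split is the point: audit2allow-style tooling that emits `allow` rules for everything it sees would happily grant that write too.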