From 6c0fbcdd2863a5c251ed756bb6513a0ba337aad1 Mon Sep 17 00:00:00 2001 From: Matt Lord Date: Wed, 19 Dec 2018 16:30:22 -0500 Subject: [PATCH] In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp). --- mongodb.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/mongodb.te b/mongodb.te index 4a0aebce77..59a5d9c733 100644 --- a/mongodb.te +++ b/mongodb.te @@ -60,6 +60,15 @@ manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) +## In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod tries to read netstat +## info from /proc/net and store it in its diagnostic system (FTDC). +## See: https://jira.mongodb.org/browse/SERVER-31400 +## This means that we need to adjust the policy so that the mongod +## process is allowed to open and read /proc/net/netstat, which +## also typically has symlinks (e.g. /proc/net/snmp). +kernel_list_proc(mongod_t) +kernel_read_proc_symlinks(mongod_t) + kernel_read_system_state(mongod_t) kernel_read_network_state(mongod_t) kernel_read_vm_sysctls(mongod_t)
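Review bot: the new `kernel_list_proc(mongod_t)` / `kernel_read_proc_symlinks(mongod_t)` lines and the comment above them do not quite match the justification given: reading the contents of files under /proc/net is already granted by the `kernel_read_network_state(mongod_t)` call that follows in the unchanged context, so what these two interfaces actually add is permission to list the top-level /proc directory and to follow proc_t-labelled symlinks such as /proc/net itself (which is a symlink to self/net on current kernels), not the ability to "open and read /proc/net/netstat". Please reword the comment to say that, and confirm from the actual AVC denials that the directory listing (`kernel_list_proc`) is really needed rather than only the symlink read, since listing /proc exposes the process table to mongod_t and is the broader of the two grants. Minor style point: .te files in this policy use a single `#` for in-body comments; `##` is the doc-comment marker used in .if files, so consider dropping the second `#`.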