Mongodb-server fails to start with selinux enforcing
Daniel J Walsh
dwalsh at redhat.com
Wed Nov 19 19:45:21 UTC 2014
On 11/19/2014 12:38 PM, drago01 wrote:
> On Wed, Nov 19, 2014 at 6:19 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> On 11/19/2014 09:16 AM, Paul Knox-Kennedy wrote:
>>> On a clean installation built from
>>> Fedora-Live-Workstation-x86_64-21_Beta-4.iso, I installed mongodb-server
>>> but it failed to start due to selinux: "SELinux is preventing mongod
>>> from name_bind access on the tcp_socket port 27017."
>>>
>>> Following the selinux instructions from the journal resolves this:
>>> # grep mongod /var/log/audit/audit.log | audit2allow -M mypol
>>> # semodule -i mypol.pp
>>>
>>> Should I bugzilla this, and if so, is it against mongodb or
>>> selinux-policy?
>> Is this a standard port the mongodb should be listening on?
> http://docs.mongodb.org/manual/reference/default-mongodb-port/
>
> Seems like the answer is yes.
Well I guess this is why you shouldn't fly blind.
Could you actually show me the actual AVC message?
It should be in the bottom of the alert.
Looks like it already is labeled mongod_port_t.
sepolicy network -p 27017
27017: tcp unreserved_port_t 1024-32767
27017: udp unreserved_port_t 1024-32767
27017: tcp mongod_port_t 27017-27019
Looks like I fixed a bug in git back in October
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Oct 27 19:18:21 2014 -0400
Allow mongodb to bind to the mongo port and mongos to run as mongod_t
Looks like this has made it into F21 policy and Rawhide, but not in F20.
/selinux-policy-3.13.1-98.fc21
Lukas, could you backport this into RHEL7 and F20 policy?
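
Added example, not part of the original message: a shell sketch of the triage done above, reading the raw AVC record and comparing its target type with the port's label before reaching for audit2allow. The AVC line is constructed (the thread never shows the real one); the port listing is the `sepolicy network -p 27017` output quoted above, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample AVC record; the real one is not shown in the thread.
SAMPLE_AVC='type=AVC msg=audit(1416410721.123:456): avc:  denied  { name_bind } for  pid=1234 comm="mongod" src=27017 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket'

# `sepolicy network -p 27017` output as quoted in the message above.
SAMPLE_PORTS='27017: tcp unreserved_port_t 1024-32767
27017: udp unreserved_port_t 1024-32767
27017: tcp mongod_port_t 27017-27019'

# avc_field RECORD KEY: print the value of KEY=... with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm RECORD: print the denied permission(s) between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# selinux_type CONTEXT: print the type field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# specific_port_type LISTING PROTO: first non-generic type for that protocol.
specific_port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" \
        '$2 == proto && $3 !~ /^(unreserved|reserved|ephemeral)_port_t$/ { print $3; exit }'
}

# triage RECORD LISTING: say whether the denial points at policy or at labeling.
triage() {
    local avc=$1 ports=$2 stype ttype class proto port label
    stype=$(selinux_type "$(avc_field "$avc" scontext)")
    ttype=$(selinux_type "$(avc_field "$avc" tcontext)")
    class=$(avc_field "$avc" tclass); proto=${class%_socket}
    port=$(avc_field "$avc" src)
    label=$(specific_port_type "$ports" "$proto")
    if [ -z "$label" ]; then
        echo "port-label: $port/$proto carries only a generic type"
    elif [ "$label" = "$ttype" ]; then
        # Port is already labeled for the service, so the allow rule is missing.
        echo "policy-rule: allow $stype $ttype:$class $(avc_perm "$avc")"
    else
        echo "mismatch: AVC targets $ttype but $port/$proto is $label"
    fi
}

triage "$SAMPLE_AVC" "$SAMPLE_PORTS"
```

A `policy-rule` result means the port label is already correct and the missing piece is an allow rule in the distribution policy; a `port-label` result points at a local labeling change instead.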