In SERVER-31400, mongod started attempting to read netstat metrics from /proc/net and store them in FTDC. The problem is that on RHEL 7 the following is true by default:
- SELinux is enabled and in enforcing mode
- There is an SELinux policy module for mongodb that is also enabled
- The mongodb module does not explicitly allow { open read } on the /proc/net files (labelled proc_net_t)
Because of this, mongod installed from our YUM repositories fails to capture netstat data in FTDC and continually logs the access violations (AVC denials for the mongod_t domain) to audit.log:
tail -f /var/log/audit/audit.log | grep -i ftdc | grep denied
type=AVC msg=audit(1544632097.000:44959): avc: denied { read } for pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544632229.000:45233): avc: denied { open } for pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
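As an added illustration (not MongoDB's code or the fix from the linked ticket), the following script decodes the two AVC records above into the type-enforcement allow rule the mongodb policy module is missing, aggregating permissions per (source type, target type, object class) the way audit2allow does; the audit lines are embedded as sample input.

```python
import re
from collections import defaultdict

# Sample input: the two AVC denial records quoted in the ticket, embedded here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1544632097.000:44959): avc: denied { read } for pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544632229.000:45233): avc: denied { open } for pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
"""

# One AVC record: the permission set in braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ *(?P<perms>[^}]+?) *\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    # An SELinux context is user:role:type:level; the type is the third field.
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        yield (_type_of(m["scontext"]), _type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def denials_to_allow_rules(text):
    """Merge all denials per (source, target, class) and render them as TE allow rules."""
    needed = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        needed[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)  # allow mongod_t proc_net_t:file { open read };
```

A rule generated this way should still be reviewed against the policy's existing interfaces before being shipped in a module, since it grants exactly what was observed and nothing about why the access is legitimate.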
Issue links:
- depends on: SERVER-56544 SELINUX: create a code patch, post for review; address the CR comments, get approval and merge (Closed)
- is caused by: SERVER-31400 Record Linux netstat metrics in ftdc (Closed)