Constant SELinux errors on Graylog MongoDB nodes

Totally_Not_A_Robot · November 21, 2018, 8:23am

Hi again!

Since installing Graylog 2.4.6 on my cluster, I’ve noticed that the three MongoDB hosts keep spamming SELinux warnings. I’d installed MongoDB as per the instructions from both Mongo and Graylog and everything works just fine. Except those odd errors And they do add up in time! Over 200.000 message each day, per server! That’s a lot of spam to go into Graylog.

Stuff you might see in /var/log/audit/audit.log:

type=AVC msg=audit (...): avc: denied { open } for pid=NNN comm="ftdc"  path="/proc/NNN/net/netstat" dev="proc" ino=NNN scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit (...): avc: denied { read } for pid=NNN comm="ftdc"  path="/proc/NNN/net/netstat" dev="proc" ino=NNN scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

So, what exactly is this ftdc? It’s MongoDB’s built-in statistics/analytics/performance tooling. It’s used to check on MongoDB’s internal workings.

One way to prevent this huge amount of messages from appearing in your Graylog environment is to disable FTDC. But apparently that’s frowned upon. So alternatively, we can make sure that SELinux no longer refuses access to FTDC’s accessing of this specific filetype.

Mind you: DO NOT make these changes without discussing them with your systems administrator. You may be breaking security policies by adding new rules to SELinux.

Create a file called mongodb_ftdc.te in your homedir. Give it the following contents:

module mongodb-ftdc 1.0;

require {
	type proc_net_t;
	type mongod_t;
	class file open;
	class file read;
}

allow mongod_t proc_net_t:file open;
allow mongod_t proc_net_t:file read;

Compile the configuration into an SELinux policy module:
make -f /usr/share/selinux/strict/include/Makefile mongodb-ftdc.pp
Import the new SELinux policy module:
sudo semodule -i ./mongodb-ftdc.pp

These changes will survive a reboot of your server. They are permanent.

For more details about this process:

https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file

system · December 5, 2018, 8:25am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Selinux errors for mongod Graylog Central (peer support)	3	920	May 27, 2022
No more messages flowing inbound? Started over twice now... what am I doing wrong? Graylog Central (peer support) elastic	5	959	February 24, 2022
Upgrade Assistance from 2.4.6 to 2.4.7 Graylog Central (peer support)	25	855	December 6, 2020
No messages incoming Graylog Central (peer support)	2	946	September 10, 2018
Unhealthy Graylog docker image Graylog Central (peer support)	4	510	October 4, 2023

Constant SELinux errors on Graylog MongoDB nodes

Related Topics