Constant SELinux errors on Graylog MongoDB nodes

Hi again!

Since installing Graylog 2.4.6 on my cluster, I’ve noticed that the three MongoDB hosts keep spamming SELinux warnings. I’d installed MongoDB as per the instructions from both Mongo and Graylog and everything works just fine. Except those odd errors :slight_smile: And they do add up in time! Over 200.000 message each day, per server! That’s a lot of spam to go into Graylog.

Stuff you might see in /var/log/audit/audit.log:

type=AVC msg=audit (...): avc: denied { open } for pid=NNN comm="ftdc"  path="/proc/NNN/net/netstat" dev="proc" ino=NNN scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit (...): avc: denied { read } for pid=NNN comm="ftdc"  path="/proc/NNN/net/netstat" dev="proc" ino=NNN scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

So, what exactly is this ftdc? It’s MongoDB’s built-in statistics/analytics/performance tooling. It’s used to check on MongoDB’s internal workings.

One way to prevent this huge amount of messages from appearing in your Graylog environment is to disable FTDC. But apparently that’s frowned upon. So alternatively, we can make sure that SELinux no longer refuses access to FTDC’s accessing of this specific filetype.

Mind you: DO NOT make these changes without discussing them with your systems administrator. You may be breaking security policies by adding new rules to SELinux.

  1. Create a file called mongodb_ftdc.te in your homedir. Give it the following contents:
module mongodb-ftdc 1.0;

require {
	type proc_net_t;
	type mongod_t;
	class file open;
	class file read;
}

allow mongod_t proc_net_t:file open;
allow mongod_t proc_net_t:file read;
  1. Compile the configuration into an SELinux policy module:
    make -f /usr/share/selinux/strict/include/Makefile mongodb-ftdc.pp

  2. Import the new SELinux policy module:
    sudo semodule -i ./mongodb-ftdc.pp

These changes will survive a reboot of your server. They are permanent.

For more details about this process:

https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file

3 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.