DOCSP-10075 create an SELinux profile

mungitoperrito · jeff-allen-mongo · commit 3ae1dfd86aa5 · 2021-10-15T12:45:40.000-04:00
diff --git a/source/includes/fact-selinux-redhat-customization.rst b/source/includes/fact-selinux-redhat-customization.rst
@@ -0,0 +1,77 @@
+
+.. _selinux-custom-policy-howto:
+
+Using a Custom MongoDB Directory Path
++++++++++++++++++++++++++++++++++++++
+
+#. Update the SELinux policy to allow the ``mongod`` service
+   to use the new directory:
+
+   .. code-block:: bash
+
+      sudo semanage fcontext -a -t <type> </some/MongoDB/directory.*>
+
+   Specify one of the following types as appropriate:
+
+   - ``mongod_var_lib_t`` for data directory
+
+   - ``mongod_log_t`` for log file directory
+
+   - ``mongod_var_run_t`` for pid file directory
+
+   .. note::
+
+      Be sure to include the ``.*`` at the end of the directory.
+
+#. Update the SELinux user policy for the new directory:
+
+   .. code-block:: bash
+
+      sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>
+
+   Specify one of the following types as appropriate:
+
+   - ``mongod_var_lib_t`` for data directory
+
+   - ``mongod_log_t`` for log directory
+
+   - ``mongod_var_run_t`` for pid file directory
+
+#. Apply the updated SELinux policies to the directory:
+
+   .. code-block:: bash
+
+      restorecon -R -v </some/MongoDB/directory>
+
+For example:
+
+.. tip::
+
+   Be sure to include the ``.*`` at the end of the directory for the
+   ``semanage fcontext`` operations.
+
+- If using a non-default MongoDB data path of ``/mongodb/data``:
+
+  .. code-block:: bash
+
+     sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*'
+     sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data'
+     restorecon -R -v '/mongodb/data'
+
+- If using a non-default MongoDB log directory of ``/mongodb/log``
+  (e.g. if the log file path is ``/mongodb/log/mongod.log``):
+
+  .. code-block:: bash
+
+     sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*'
+     sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log'
+     restorecon -R -v '/mongodb/log' 
+
+
+Using a Custom MongoDB Port
++++++++++++++++++++++++++++
+
+.. code-block:: bash
+
+   sudo semanage port -a -t mongod_port_t -p tcp <portnumber>
+
diff --git a/source/includes/fact-selinux-redhat-options.rst b/source/includes/fact-selinux-redhat-options.rst
@@ -1,7 +1,16 @@
-.. important::
+.. _selinux-installation-instructions:
+
+.. warning::
+
+   An improperly configured SELinux policy might be insecure or may
+   stop your :binary:`mongod` instance from working.
 
    If SELinux is in ``enforcing`` mode, you must customize your SELinux
-   policy for MongoDB by making the following two policy adjustments:
+   policy for MongoDB to 
+   
+   - Permit Access to ``cgroup``
+   - Permit Access to ``netstat``
+
 
 Permit Access to ``cgroup``
 +++++++++++++++++++++++++++
@@ -91,90 +100,5 @@ to your SELinux policy:
       semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod
       sudo semodule -i mongodb_proc_net.pp
 
-.. important::
-
-   In addition to the above, you will also need to further customize
-   your SELinux policy in the following two cases if SELinux is in
-   ``enforcing`` mode:
-
-   - You are using a **custom directory path** instead of using the
-     default :setting:`~storage.dbPath`, :setting:`systemLog.path`, or
-     :setting:`~processManagement.pidFilePath` in RHEL 7.0 or later,
-     and/or
-
-   - You are using a **custom port** instead of using the :doc:`default MongoDB ports
-     </reference/default-mongodb-port>`.
-
-Using a Custom MongoDB Directory Path
-+++++++++++++++++++++++++++++++++++++
-
-#. Update the SELinux policy to allow the ``mongod`` service
-   to use the new directory:
-
-   .. code-block:: bash
-
-      sudo semanage fcontext -a -t <type> </some/MongoDB/directory.*>
-
-   where specify one of the following types as appropriate:
-
-   - ``mongod_var_lib_t`` for data directory
-
-   - ``mongod_log_t`` for log file directory
-
-   - ``mongod_var_run_t`` for pid file directory
-
-   .. note::
-
-      Be sure to include the ``.*`` at the end of the directory.
-
-#. Update the SELinux user policy for the new directory:
-
-   .. code-block:: bash
-
-      sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>
-
-   where specify one of the following types as appropriate:
-
-   - ``mongod_var_lib_t`` for data directory
-
-   - ``mongod_log_t`` for log directory
-
-   - ``mongod_var_run_t`` for pid file directory
-
-#. Apply the updated SELinux policies to the directory:
-
-   .. code-block:: bash
-
-      restorecon -R -v </some/MongoDB/directory>
-
-For example:
-
-.. tip::
-
-   Be sure to include the ``.*`` at the end of the directory for the
-   ``semanage fcontext`` operations.
-
-- If using a non-default MongoDB data path of ``/mongodb/data``:
-
-  .. code-block:: bash
-
-     sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*'
-     sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data'
-     restorecon -R -v '/mongodb/data'
-
-- If using a non-default MongoDB log directory of ``/mongodb/log``
-  (e.g. if the log file path is ``/mongodb/log/mongod.log``):
-
-  .. code-block:: bash
-
-     sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*'
-     sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log'
-     restorecon -R -v '/mongodb/log' 
-
-
-Using a Custom MongoDB Port
-+++++++++++++++++++++++++++
-
-.. code-block:: bash
+.. include:: /includes/fact-selinux-redhat-customization.rst
 
-   sudo semanage port -a -t mongod_port_t -p tcp <portnumber>
diff --git a/source/includes/fact-selinux-redhat-with-policy.rst b/source/includes/fact-selinux-redhat-with-policy.rst
@@ -0,0 +1,92 @@
+Starting in MongoDB 5.0, a new SELinux policy is available for 
+MongoDB installations that:
+
+- Use an ``.rpm`` installer.
+- Use default configuration settings.
+- Run on RHEL7 or RHEL8.
+
+If your installation does not meet these requirements, refer to the
+:ref:`SELinux Instructions
+<install-enterprise-tarball-rhel-configure-selinux>` for ``.tgz``
+packages.
+
+.. note::
+
+   If your MongoDB deployment uses custom settings for any of the
+   following:
+
+   - :doc:`MongoDB connection ports </reference/default-mongodb-port>`
+   - :setting:`~storage.dbPath`
+   - :setting:`systemLog.path`
+   - :setting:`~processManagement.pidFilePath`
+
+   You cannot use the MongoDB supplied SELinux policy. An alternative
+   is to create a :ref:`custom SELinux policy
+   <install-enterprise-tarball-rhel-configure-selinux>`, however an 
+   improperly written custom policy may be less secure or may stop your
+   :binary:`mongod` instance from working.
+
+Install the SELinux Policy
+++++++++++++++++++++++++++
+
+#. Ensure you have the following packages installed:
+
+   - ``git``
+   - ``make``
+   - ``checkpolicy``
+   - ``policycoreutils``
+   - ``selinux-policy-devel``
+
+   .. code-block:: bash
+
+      sudo yum install git make checkpolicy policycoreutils selinux-policy-devel
+
+#. Download the policy repository.
+
+   .. code-block:: bash
+
+      git clone https://github.com/mongodb/mongodb-selinux
+
+#. Build the policy.
+
+   .. code-block:: bash
+
+      cd mongodb-selinux
+      make
+
+#. Apply the policy.
+
+   .. code-block:: bash
+
+      sudo make install
+
+SELinux Policy Considerations
++++++++++++++++++++++++++++++
+
+- The SELinux policy is designed to work with the configuration that
+  results from a standard MongoDB ``.rpm`` package installation. See 
+  `standard installation assumptions
+  <https://github.com/mongodb/mongodb-selinux/blob/master/README.md#standard-installation>`__
+  for more details.
+
+- The SELinux policy is designed for :binary:`~bin.mongod` servers. It
+  does not apply to other MongoDB daemons or tools such as: 
+
+  - :binary:`~bin.mongos`
+  - :binary:`~bin.mongosh`
+  - :ref:`mongocryptd`
+
+- The `reference policy
+  <https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/mongodb.if>`__ 
+  supplied by the SELinux Project includes a ``mongodb_admin`` macro.
+  This macro is not included in the MongoDB SELinux policy. An
+  administrator in the ``unconfined_t`` domain can manage
+  :binary:`mongod`.
+
+- To uninstall the policy, go to the directory where you downloaded the
+  policy repository and run: 
+
+  .. code-block:: bash
+
+     sudo make uninstall
+
diff --git a/source/includes/important-selinux-customizations.rst b/source/includes/important-selinux-customizations.rst
@@ -0,0 +1,17 @@
+.. important::
+
+   In addition to the above, if SELinux is in ``enforcing`` mode you
+   will also need to further customize your SELinux policy for each of
+   these situations:
+
+   - You are using a **custom directory path** instead of using the
+     default path for any combination of:
+     
+     - :setting:`~storage.dbPath`
+     - :setting:`systemLog.path`
+     - :setting:`~processManagement.pidFilePath`
+
+   - You are using a **custom port** instead of using the :doc:`default
+     MongoDB port </reference/default-mongodb-port>`.
+   - If you have made other modifications to your MongoDB installation. 
+
diff --git a/source/release-notes/5.1.txt b/source/release-notes/5.1.txt
@@ -165,6 +165,20 @@ Starting in MongoDB 5.1, when starting a :binary:`mongod` with the
 :option:`--shardsvr <mongod --shardsvr>` option you must also 
 specify a :option:`--replSet <mongod --replSet>`.
 
+Security
+--------
+
+SELinux
+~~~~~~~
+
+Starting in MongoDB 5.1, there is a new SE Linux Policy for:
+
+- :ref:`MongoDB Enterprise Server <install-enterprise-rhel-configure-selinux>`
+- :ref:`MongoDB Community Edition Server <install-rhel-configure-selinux>`
+
+running on Red Hat Linux. The SELinux policy is for use with default
+installations using ``rpm`` installer packages.
+  
 Report an Issue
 ---------------
 
diff --git a/source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt b/source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt
@@ -173,6 +173,7 @@ Configure SELinux
 `````````````````
 
 .. include:: /includes/fact-selinux-redhat-options.rst
+.. include:: /includes/important-selinux-customizations.rst
 
 .. |mongod-user| replace:: ``mongod``
 .. |mongod-datadir| replace:: ``/var/lib/mongo``
diff --git a/source/tutorial/install-mongodb-enterprise-on-red-hat.txt b/source/tutorial/install-mongodb-enterprise-on-red-hat.txt
@@ -110,7 +110,8 @@ directories:
    If you change the user that runs the MongoDB process, you **must**
    give the new user access to these directories.
 
-#. Configure SELinux if enforced.  See :ref:`install-rhel-configure-selinux`.
+#. Configure SELinux if enforced. See
+   :ref:`install-enterprise-rhel-configure-selinux`.
 
 .. _install-enterprise-selinux-data-directory:
 
@@ -119,8 +120,7 @@ directories:
 Configure SELinux
 `````````````````
 
-.. include:: /includes/fact-selinux-redhat-options.rst
-
+.. include:: /includes/fact-selinux-redhat-with-policy.rst
 
 .. |mongod-user| replace:: ``mongod``
 .. |mongod-datadir| replace:: ``/var/lib/mongo``
diff --git a/source/tutorial/install-mongodb-on-red-hat-tarball.txt b/source/tutorial/install-mongodb-on-red-hat-tarball.txt
@@ -153,6 +153,7 @@ Configure SELinux
 `````````````````
 
 .. include:: /includes/fact-selinux-redhat-options.rst
+.. include:: /includes/important-selinux-customizations.rst
 
 .. |mongod-user| replace:: ``mongod``
 .. |mongod-datadir| replace:: ``/var/lib/mongo``
diff --git a/source/tutorial/install-mongodb-on-red-hat.txt b/source/tutorial/install-mongodb-on-red-hat.txt
@@ -117,7 +117,7 @@ directories:
 Configure SELinux
 `````````````````
 
-.. include:: /includes/fact-selinux-redhat-options.rst
+.. include:: /includes/fact-selinux-redhat-with-policy.rst
 
 .. |mongod-user| replace:: ``mongod``
 .. |mongod-datadir| replace:: ``/var/lib/mongo``
