Commit 3ae1dfd

mungitoperritojeff-allen-mongo authored and committed
DOCSP-10075 create an SELinux profile
1 parent bef2891 commit 3ae1dfd

9 files changed: +218 -92 lines changed
Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
2+
.. _selinux-custom-policy-howto:
3+
4+
Using a Custom MongoDB Directory Path
5+
+++++++++++++++++++++++++++++++++++++
6+
7+
#. Update the SELinux policy to allow the ``mongod`` service
8+
to use the new directory:
9+
10+
.. code-block:: bash
11+
12+
sudo semanage fcontext -a -t <type> </some/MongoDB/directory.*>
13+
14+
Specify one of the following types as appropriate:
15+
16+
- ``mongod_var_lib_t`` for data directory
17+
18+
- ``mongod_log_t`` for log file directory
19+
20+
- ``mongod_var_run_t`` for pid file directory
21+
22+
.. note::
23+
24+
Be sure to include the ``.*`` at the end of the directory.
25+
26+
#. Update the SELinux user policy for the new directory:
27+
28+
.. code-block:: bash
29+
30+
sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>
31+
32+
Specify one of the following types as appropriate:
33+
34+
- ``mongod_var_lib_t`` for data directory
35+
36+
- ``mongod_log_t`` for log directory
37+
38+
- ``mongod_var_run_t`` for pid file directory
39+
40+
#. Apply the updated SELinux policies to the directory:
41+
42+
.. code-block:: bash
43+
44+
restorecon -R -v </some/MongoDB/directory>
45+
46+
For example:
47+
48+
.. tip::
49+
50+
Be sure to include the ``.*`` at the end of the directory for the
51+
``semanage fcontext`` operations.
52+
53+
- If using a non-default MongoDB data path of ``/mongodb/data``:
54+
55+
.. code-block:: bash
56+
57+
sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*'
58+
sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data'
59+
restorecon -R -v '/mongodb/data'
60+
61+
- If using a non-default MongoDB log directory of ``/mongodb/log``
62+
(e.g. if the log file path is ``/mongodb/log/mongod.log``):
63+
64+
.. code-block:: bash
65+
66+
sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*'
67+
sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log'
68+
restorecon -R -v '/mongodb/log'
69+
70+
71+
Using a Custom MongoDB Port
72+
+++++++++++++++++++++++++++
73+
74+
.. code-block:: bash
75+
76+
sudo semanage port -a -t mongod_port_t -p tcp <portnumber>
77+
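Review bot: step 2 (`sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>`) is titled "Update the SELinux user policy", but `chcon` relabels files; it changes no policy. Since step 3 runs `restorecon -R -v`, which relabels the tree from the `semanage fcontext` rule added in step 1, the `chcon` step is redundant and its result is overwritten anyway; suggest retitling it "Relabel the directory" or dropping it. The three `restorecon -R -v` invocations also lack the `sudo` that every `semanage` and `chcon` line beside them carries, and they need the same privilege. Finally, the `.. note::` under step 1 and the `.. tip::` after "For example:" both say to keep the trailing `.*`; keep one of them and let "For example:" run directly into the two bullet examples.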
Lines changed: 12 additions & 88 deletions
@@ -1,7 +1,16 @@
1-
.. important::
1+
.. _selinux-installation-instructions:
2+
3+
.. warning::
4+
5+
An improperly configured SELinux policy might be insecure or may
6+
stop your :binary:`mongod` instance from working.
27

38
If SELinux is in ``enforcing`` mode, you must customize your SELinux
4-
policy for MongoDB by making the following two policy adjustments:
9+
policy for MongoDB to
10+
11+
- Permit Access to ``cgroup``
12+
- Permit Access to ``netstat``
13+
514

615
Permit Access to ``cgroup``
716
+++++++++++++++++++++++++++
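Review bot: the rewritten line `policy for MongoDB to` runs straight into the bullet list with no punctuation; end it with a colon (`policy for MongoDB to:`) so the two "Permit Access" items read as the object of the sentence. The new warning also mixes modal verbs (`might be insecure or may stop`); pick one.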
@@ -91,90 +100,5 @@ to your SELinux policy:
91100
semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod
92101
sudo semodule -i mongodb_proc_net.pp
93102
94-
.. important::
95-
96-
In addition to the above, you will also need to further customize
97-
your SELinux policy in the following two cases if SELinux is in
98-
``enforcing`` mode:
99-
100-
- You are using a **custom directory path** instead of using the
101-
default :setting:`~storage.dbPath`, :setting:`systemLog.path`, or
102-
:setting:`~processManagement.pidFilePath` in RHEL 7.0 or later,
103-
and/or
104-
105-
- You are using a **custom port** instead of using the :doc:`default MongoDB ports
106-
</reference/default-mongodb-port>`.
107-
108-
Using a Custom MongoDB Directory Path
109-
+++++++++++++++++++++++++++++++++++++
110-
111-
#. Update the SELinux policy to allow the ``mongod`` service
112-
to use the new directory:
113-
114-
.. code-block:: bash
115-
116-
sudo semanage fcontext -a -t <type> </some/MongoDB/directory.*>
117-
118-
where specify one of the following types as appropriate:
119-
120-
- ``mongod_var_lib_t`` for data directory
121-
122-
- ``mongod_log_t`` for log file directory
123-
124-
- ``mongod_var_run_t`` for pid file directory
125-
126-
.. note::
127-
128-
Be sure to include the ``.*`` at the end of the directory.
129-
130-
#. Update the SELinux user policy for the new directory:
131-
132-
.. code-block:: bash
133-
134-
sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>
135-
136-
where specify one of the following types as appropriate:
137-
138-
- ``mongod_var_lib_t`` for data directory
139-
140-
- ``mongod_log_t`` for log directory
141-
142-
- ``mongod_var_run_t`` for pid file directory
143-
144-
#. Apply the updated SELinux policies to the directory:
145-
146-
.. code-block:: bash
147-
148-
restorecon -R -v </some/MongoDB/directory>
149-
150-
For example:
151-
152-
.. tip::
153-
154-
Be sure to include the ``.*`` at the end of the directory for the
155-
``semanage fcontext`` operations.
156-
157-
- If using a non-default MongoDB data path of ``/mongodb/data``:
158-
159-
.. code-block:: bash
160-
161-
sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*'
162-
sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data'
163-
restorecon -R -v '/mongodb/data'
164-
165-
- If using a non-default MongoDB log directory of ``/mongodb/log``
166-
(e.g. if the log file path is ``/mongodb/log/mongod.log``):
167-
168-
.. code-block:: bash
169-
170-
sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*'
171-
sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log'
172-
restorecon -R -v '/mongodb/log'
173-
174-
175-
Using a Custom MongoDB Port
176-
+++++++++++++++++++++++++++
177-
178-
.. code-block:: bash
103+
.. include:: /includes/fact-selinux-redhat-customization.rst
179104
180-
sudo semanage port -a -t mongod_port_t -p tcp <portnumber>
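Review bot: the 88 removed lines are replaced by `.. include:: /includes/fact-selinux-redhat-customization.rst`, but this commit view shows no file being added under that name (the new 77-line custom-directory/custom-port file has no visible path here), so confirm the include path matches the new file exactly or the build will fail on an unresolved include. The move does fix the old `where specify one of the following types` wording to `Specify one of the following types`, which is the right call.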
Lines changed: 92 additions & 0 deletions
@@ -0,0 +1,92 @@
1+
Starting in MongoDB 5.0, a new SELinux policy is available for
2+
MongoDB installations that:
3+
4+
- Use an ``.rpm`` installer.
5+
- Use default configuration settings.
6+
- Run on RHEL7 or RHEL8.
7+
8+
If your installation does not meet these requirements, refer to the
9+
:ref:`SELinux Instructions
10+
<install-enterprise-tarball-rhel-configure-selinux>` for ``.tgz``
11+
packages.
12+
13+
.. note::
14+
15+
If your MongoDB deployment uses custom settings for any of the
16+
following:
17+
18+
- :doc:`MongoDB connection ports </reference/default-mongodb-port>`
19+
- :setting:`~storage.dbPath`
20+
- :setting:`systemLog.path`
21+
- :setting:`~processManagement.pidFilePath`
22+
23+
You cannot use the MongoDB supplied SELinux policy. An alternative
24+
is to create a :ref:`custom SELinux policy
25+
<install-enterprise-tarball-rhel-configure-selinux>`, however an
26+
improperly written custom policy may be less secure or may stop your
27+
:binary:`mongod` instance from working.
28+
29+
Install the SELinux Policy
30+
++++++++++++++++++++++++++
31+
32+
#. Ensure you have the following packages installed:
33+
34+
- ``git``
35+
- ``make``
36+
- ``checkpolicy``
37+
- ``policycoreutils``
38+
- ``selinux-policy-devel``
39+
40+
.. code-block:: bash
41+
42+
sudo yum install git make checkpolicy policycoreutils selinux-policy-devel
43+
44+
#. Download the policy repository.
45+
46+
.. code-block:: bash
47+
48+
git clone https://github.com/mongodb/mongodb-selinux
49+
50+
#. Build the policy.
51+
52+
.. code-block:: bash
53+
54+
cd mongodb-selinux
55+
make
56+
57+
#. Apply the policy.
58+
59+
.. code-block:: bash
60+
61+
sudo make install
62+
63+
SELinux Policy Considerations
64+
+++++++++++++++++++++++++++++
65+
66+
- The SELinux policy is designed to work with the configuration that
67+
results from a standard MongoDB ``.rpm`` package installation. See
68+
`standard installation assumptions
69+
<https://github.com/mongodb/mongodb-selinux/blob/master/README.md#standard-installation>`__
70+
for more details.
71+
72+
- The SELinux policy is designed for :binary:`~bin.mongod` servers. It
73+
does not apply to other MongoDB daemons or tools such as:
74+
75+
- :binary:`~bin.mongos`
76+
- :binary:`~bin.mongosh`
77+
- :ref:`mongocryptd`
78+
79+
- The `reference policy
80+
<https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/mongodb.if>`__
81+
supplied by the SELinux Project includes a ``mongodb_admin`` macro.
82+
This macro is not included in the MongoDB SELinux policy. An
83+
administrator in the ``unconfined_t`` domain can manage
84+
:binary:`mongod`.
85+
86+
- To uninstall the policy, go to the directory where you downloaded the
87+
policy repository and run:
88+
89+
.. code-block:: bash
90+
91+
sudo make uninstall
92+
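Review bot: the opening sentence says `Starting in MongoDB 5.0, a new SELinux policy is available`, while the release-notes hunk in this same commit says `Starting in MongoDB 5.1`; one of the two versions is wrong and they need to agree. Separately, the install steps run `git clone https://github.com/mongodb/mongodb-selinux` and then `sudo make install` with no tag or commit specified, so the reader installs whatever the default branch holds at that moment as the system's SELinux module for `mongod`. Suggest documenting which tagged release matches the installed MongoDB version and checking it out before `make`, so the installed policy is reproducible.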
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
.. important::
2+
3+
In addition to the above, if SELinux is in ``enforcing`` mode you
4+
will also need to further customize your SELinux policy for each of
5+
these situations:
6+
7+
- You are using a **custom directory path** instead of using the
8+
default path for any combination of:
9+
10+
- :setting:`~storage.dbPath`
11+
- :setting:`systemLog.path`
12+
- :setting:`~processManagement.pidFilePath`
13+
14+
- You are using a **custom port** instead of using the :doc:`default
15+
MongoDB port </reference/default-mongodb-port>`.
16+
- If you have made other modifications to your MongoDB installation.
17+
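Review bot: the third bullet, `If you have made other modifications to your MongoDB installation.`, breaks the parallel form of the first two (`You are using a ...`) and, unlike them, names nothing the reader can check; reword it as `You have made other modifications ...` or drop it. The lead-in `In addition to the above` also assumes this include always follows the cgroup/netstat instructions, so it will read wrong anywhere the file is included on its own.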

source/release-notes/5.1.txt

Lines changed: 14 additions & 0 deletions
@@ -165,6 +165,20 @@ Starting in MongoDB 5.1, when starting a :binary:`mongod` with the
165165
:option:`--shardsvr <mongod --shardsvr>` option you must also
166166
specify a :option:`--replSet <mongod --replSet>`.
167167

168+
Security
169+
--------
170+
171+
SELinux
172+
~~~~~~~
173+
174+
Starting in MongoDB 5.1, there is a new SE Linux Policy for:
175+
176+
- :ref:`MongoDB Enterprise Server <install-enterprise-rhel-configure-selinux>`
177+
- :ref:`MongoDB Community Edition Server <install-rhel-configure-selinux>`
178+
179+
running on Red Hat Linux. The SELinux policy is for use with default
180+
installations using ``rpm`` installer packages.
181+
168182
Report an Issue
169183
---------------
170184

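Review bot: `SE Linux Policy` should be `SELinux policy`, matching the `SELinux` heading two lines above and the `SELinux policy` phrasing in the following sentence; `Red Hat Linux` should name the product the rest of this commit calls RHEL. The version here (`Starting in MongoDB 5.1`) also disagrees with `Starting in MongoDB 5.0` in the new with-policy include file; settle on one.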
source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt

Lines changed: 1 addition & 0 deletions
@@ -173,6 +173,7 @@ Configure SELinux
173173
`````````````````
174174

175175
.. include:: /includes/fact-selinux-redhat-options.rst
176+
.. include:: /includes/important-selinux-customizations.rst
176177

177178
.. |mongod-user| replace:: ``mongod``
178179
.. |mongod-datadir| replace:: ``/var/lib/mongo``
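Review bot: the new `.. include:: /includes/important-selinux-customizations.rst` sits directly under `.. include:: /includes/fact-selinux-redhat-options.rst` with no blank line between the two directives; reStructuredText accepts adjacent directives, but a blank line keeps the two includes readable as separate blocks. The same placement is repeated in install-mongodb-on-red-hat-tarball.txt.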

source/tutorial/install-mongodb-enterprise-on-red-hat.txt

Lines changed: 3 additions & 3 deletions
@@ -110,7 +110,8 @@ directories:
110110
If you change the user that runs the MongoDB process, you **must**
111111
give the new user access to these directories.
112112

113-
#. Configure SELinux if enforced. See :ref:`install-rhel-configure-selinux`.
113+
#. Configure SELinux if enforced. See
114+
:ref:`install-enterprise-rhel-configure-selinux`.
114115

115116
.. _install-enterprise-selinux-data-directory:
116117

@@ -119,8 +120,7 @@ directories:
119120
Configure SELinux
120121
`````````````````
121122

122-
.. include:: /includes/fact-selinux-redhat-options.rst
123-
123+
.. include:: /includes/fact-selinux-redhat-with-policy.rst
124124

125125
.. |mongod-user| replace:: ``mongod``
126126
.. |mongod-datadir| replace:: ``/var/lib/mongo``

source/tutorial/install-mongodb-on-red-hat-tarball.txt

Lines changed: 1 addition & 0 deletions
@@ -153,6 +153,7 @@ Configure SELinux
153153
`````````````````
154154

155155
.. include:: /includes/fact-selinux-redhat-options.rst
156+
.. include:: /includes/important-selinux-customizations.rst
156157

157158
.. |mongod-user| replace:: ``mongod``
158159
.. |mongod-datadir| replace:: ``/var/lib/mongo``

source/tutorial/install-mongodb-on-red-hat.txt

Lines changed: 1 addition & 1 deletion
@@ -117,7 +117,7 @@ directories:
117117
Configure SELinux
118118
`````````````````
119119

120-
.. include:: /includes/fact-selinux-redhat-options.rst
120+
.. include:: /includes/fact-selinux-redhat-with-policy.rst
121121

122122
.. |mongod-user| replace:: ``mongod``
123123
.. |mongod-datadir| replace:: ``/var/lib/mongo``
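Review bot: this Community page now includes `fact-selinux-redhat-with-policy.rst`, whose fallback for installations that do not meet the policy's requirements links to `install-enterprise-tarball-rhel-configure-selinux`, the Enterprise tarball page. Community readers should land on the Community tarball SELinux section instead, so either the include needs a per-edition substitution for that ref or this page needs its own variant of the include.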
