diff --git a/source/includes/fact-selinux-redhat-customization.rst b/source/includes/fact-selinux-redhat-customization.rst new file mode 100644 index 00000000000..686262489dd --- /dev/null +++ b/source/includes/fact-selinux-redhat-customization.rst 
@@ -0,0 +1,77 @@ + +.. _selinux-custom-policy-howto: + +Using a Custom MongoDB Directory Path ++++++++++++++++++++++++++++++++++++++ + +#. Update the SELinux policy to allow the ``mongod`` service + to use the new directory: + + .. code-block:: bash + + sudo semanage fcontext -a -t + + Specify one of the following types as appropriate: + + - ``mongod_var_lib_t`` for data directory + + - ``mongod_log_t`` for log file directory + + - ``mongod_var_run_t`` for pid file directory + + .. note:: + + Be sure to include the ``.*`` at the end of the directory. + +#. Update the SELinux user policy for the new directory: + + .. code-block:: bash + + sudo chcon -Rv -u system_u -t + + Specify one of the following types as appropriate: + + - ``mongod_var_lib_t`` for data directory + + - ``mongod_log_t`` for log directory + + - ``mongod_var_run_t`` for pid file directory + +#. Apply the updated SELinux policies to the directory: + + .. code-block:: bash + + restorecon -R -v + +For example: + +.. tip:: + + Be sure to include the ``.*`` at the end of the directory for the + ``semanage fcontext`` operations. + +- If using a non-default MongoDB data path of ``/mongodb/data``: + + .. code-block:: bash + + sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*' + sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data' + restorecon -R -v '/mongodb/data' + +- If using a non-default MongoDB log directory of ``/mongodb/log`` + (e.g. if the log file path is ``/mongodb/log/mongod.log``): + + .. code-block:: bash + + sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*' + sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log' + restorecon -R -v '/mongodb/log' + + +Using a Custom MongoDB Port ++++++++++++++++++++++++++++ + +.. code-block:: bash + + sudo semanage port -a -t mongod_port_t -p tcp + diff --git a/source/includes/fact-selinux-redhat-options.rst b/source/includes/fact-selinux-redhat-options.rst index 5642952170a..60f8ab73143 100644 
--- a/source/includes/fact-selinux-redhat-options.rst +++ b/source/includes/fact-selinux-redhat-options.rst @@ -1,7 +1,16 @@ -.. important:: +.. _selinux-installation-instructions: + +.. warning:: + + An improperly configured SELinux policy might be insecure or may + stop your :binary:`mongod` instance from working. If SELinux is in ``enforcing`` mode, you must customize your SELinux - policy for MongoDB by making the following two policy adjustments: + policy for MongoDB to + + - Permit Access to ``cgroup`` + - Permit Access to ``netstat`` + Permit Access to ``cgroup`` +++++++++++++++++++++++++++ 
@@ -91,90 +100,5 @@ to your SELinux policy: semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod sudo semodule -i mongodb_proc_net.pp -.. important:: - - In addition to the above, you will also need to further customize - your SELinux policy in the following two cases if SELinux is in - ``enforcing`` mode: - - - You are using a **custom directory path** instead of using the - default :setting:`~storage.dbPath`, :setting:`systemLog.path`, or - :setting:`~processManagement.pidFilePath` in RHEL 7.0 or later, - and/or - - - You are using a **custom port** instead of using the :doc:`default MongoDB ports - `. - -Using a Custom MongoDB Directory Path -+++++++++++++++++++++++++++++++++++++ - -#. Update the SELinux policy to allow the ``mongod`` service - to use the new directory: - - .. code-block:: bash - - sudo semanage fcontext -a -t - - where specify one of the following types as appropriate: - - - ``mongod_var_lib_t`` for data directory - - - ``mongod_log_t`` for log file directory - - - ``mongod_var_run_t`` for pid file directory - - .. note:: - - Be sure to include the ``.*`` at the end of the directory. - -#. Update the SELinux user policy for the new directory: - - .. code-block:: bash - - sudo chcon -Rv -u system_u -t - - where specify one of the following types as appropriate: - - - ``mongod_var_lib_t`` for data directory - - - ``mongod_log_t`` for log directory - - - ``mongod_var_run_t`` for pid file directory - -#. Apply the updated SELinux policies to the directory: - - .. code-block:: bash - - restorecon -R -v - -For example: - -.. tip:: - - Be sure to include the ``.*`` at the end of the directory for the - ``semanage fcontext`` operations. - -- If using a non-default MongoDB data path of ``/mongodb/data``: - - .. 
code-block:: bash - - sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*' - sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data' - restorecon -R -v '/mongodb/data' - -- If using a non-default MongoDB log directory of ``/mongodb/log`` - (e.g. if the log file path is ``/mongodb/log/mongod.log``): - - .. code-block:: bash - - sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*' - sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log' - restorecon -R -v '/mongodb/log' - - -Using a Custom MongoDB Port -+++++++++++++++++++++++++++ - -.. code-block:: bash +.. include:: /includes/fact-selinux-redhat-customization.rst - sudo semanage port -a -t mongod_port_t -p tcp diff --git a/source/includes/fact-selinux-redhat-with-policy.rst b/source/includes/fact-selinux-redhat-with-policy.rst new file mode 100644 index 00000000000..8df0fdeaf8b --- /dev/null +++ b/source/includes/fact-selinux-redhat-with-policy.rst 
@@ -0,0 +1,92 @@ +Starting in MongoDB 5.0, a new SELinux policy is available for +MongoDB installations that: + +- Use an ``.rpm`` installer. +- Use default configuration settings. +- Run on RHEL7 or RHEL8. + +If your installation does not meet these requirements, refer to the +:ref:`SELinux Instructions +` for ``.tgz`` +packages. + +.. note:: + + If your MongoDB deployment uses custom settings for any of the + following: + + - :doc:`MongoDB connection ports ` + - :setting:`~storage.dbPath` + - :setting:`systemLog.path` + - :setting:`~processManagement.pidFilePath` + + You cannot use the MongoDB supplied SELinux policy. An alternative + is to create a :ref:`custom SELinux policy + `, however an + improperly written custom policy may be less secure or may stop your + :binary:`mongod` instance from working. + +Install the SELinux Policy +++++++++++++++++++++++++++ + +#. Ensure you have the following packages installed: + + - ``git`` + - ``make`` + - ``checkpolicy`` + - ``policycoreutils`` + - ``selinux-policy-devel`` + + .. code-block:: bash + + sudo yum install git make checkpolicy policycoreutils selinux-policy-devel + +#. Download the policy repository. + + .. code-block:: bash + + git clone https://github.com/mongodb/mongodb-selinux + +#. Build the policy. + + .. code-block:: bash + + cd mongodb-selinux + make + +#. Apply the policy. + + .. code-block:: bash + + sudo make install + +SELinux Policy Considerations ++++++++++++++++++++++++++++++ + +- The SELinux policy is designed to work with the configuration that + results from a standard MongoDB ``.rpm`` package installation. See + `standard installation assumptions + `__ + for more details. + +- The SELinux policy is designed for :binary:`~bin.mongod` servers. It + does not apply to other MongoDB daemons or tools such as: + + - :binary:`~bin.mongos` + - :binary:`~bin.mongosh` + - :ref:`mongocryptd` + +- The `reference policy + `__ + supplied by the SELinux Project includes a ``mongodb_admin`` macro. 
+ This macro is not included in the MongoDB SELinux policy. An + administrator in the ``unconfined_t`` domain can manage + :binary:`mongod`. + +- To uninstall the policy, go to the directory where you downloaded the + policy repository and run: + + .. code-block:: bash + + sudo make uninstall + diff --git a/source/includes/important-selinux-customizations.rst b/source/includes/important-selinux-customizations.rst new file mode 100644 index 00000000000..00a1170e8c1 --- /dev/null +++ b/source/includes/important-selinux-customizations.rst @@ -0,0 +1,17 @@ +.. important:: + + In addition to the above, if SELinux is in ``enforcing`` mode you + will also need to further customize your SELinux policy for each of + these situations: + + - You are using a **custom directory path** instead of using the + default path for any combination of: + + - :setting:`~storage.dbPath` + - :setting:`systemLog.path` + - :setting:`~processManagement.pidFilePath` + + - You are using a **custom port** instead of using the :doc:`default + MongoDB port `. + - If you have made other modifications to your MongoDB installation. + diff --git a/source/release-notes/5.1.txt b/source/release-notes/5.1.txt index fc0a1d6630d..7be1a83affb 100644 --- a/source/release-notes/5.1.txt +++ b/source/release-notes/5.1.txt @@ -165,6 +165,20 @@ Starting in MongoDB 5.1, when starting a :binary:`mongod` with the :option:`--shardsvr ` option you must also specify a :option:`--replSet `. +Security +-------- + +SELinux +~~~~~~~ + +Starting in MongoDB 5.1, there is a new SE Linux Policy for: + +- :ref:`MongoDB Enterprise Server ` +- :ref:`MongoDB Community Edition Server ` + +running on Red Hat Linux. The SELinux policy is for use with default +installations using ``rpm`` installer packages. + Report an Issue --------------- diff --git a/source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt b/source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt index fb006c7cc58..abec69230dd 100644 
--- a/source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt +++ b/source/tutorial/install-mongodb-enterprise-on-red-hat-tarball.txt @@ -173,6 +173,7 @@ Configure SELinux ````````````````` .. include:: /includes/fact-selinux-redhat-options.rst +.. include:: /includes/important-selinux-customizations.rst .. |mongod-user| replace:: ``mongod`` .. |mongod-datadir| replace:: ``/var/lib/mongo`` diff --git a/source/tutorial/install-mongodb-enterprise-on-red-hat.txt b/source/tutorial/install-mongodb-enterprise-on-red-hat.txt index 3c672aa7fa0..07a5f3212df 100644 --- a/source/tutorial/install-mongodb-enterprise-on-red-hat.txt +++ b/source/tutorial/install-mongodb-enterprise-on-red-hat.txt @@ -110,7 +110,8 @@ directories: If you change the user that runs the MongoDB process, you **must** give the new user access to these directories. -#. Configure SELinux if enforced. See :ref:`install-rhel-configure-selinux`. +#. Configure SELinux if enforced. See + :ref:`install-enterprise-rhel-configure-selinux`. .. _install-enterprise-selinux-data-directory: @@ -119,8 +120,7 @@ directories: Configure SELinux ````````````````` -.. include:: /includes/fact-selinux-redhat-options.rst - +.. include:: /includes/fact-selinux-redhat-with-policy.rst .. |mongod-user| replace:: ``mongod`` .. |mongod-datadir| replace:: ``/var/lib/mongo`` diff --git a/source/tutorial/install-mongodb-on-red-hat-tarball.txt b/source/tutorial/install-mongodb-on-red-hat-tarball.txt index 4e59de83c8f..b50f09f71f1 100644 --- a/source/tutorial/install-mongodb-on-red-hat-tarball.txt +++ b/source/tutorial/install-mongodb-on-red-hat-tarball.txt @@ -153,6 +153,7 @@ Configure SELinux ````````````````` .. include:: /includes/fact-selinux-redhat-options.rst +.. include:: /includes/important-selinux-customizations.rst .. |mongod-user| replace:: ``mongod`` .. |mongod-datadir| replace:: ``/var/lib/mongo`` 
diff --git a/source/tutorial/install-mongodb-on-red-hat.txt b/source/tutorial/install-mongodb-on-red-hat.txt index c2fce0ba04e..9938d932f14 100644 --- a/source/tutorial/install-mongodb-on-red-hat.txt +++ b/source/tutorial/install-mongodb-on-red-hat.txt @@ -117,7 +117,7 @@ directories: Configure SELinux ````````````````` -.. include:: /includes/fact-selinux-redhat-options.rst +.. include:: /includes/fact-selinux-redhat-with-policy.rst .. |mongod-user| replace:: ``mongod`` .. |mongod-datadir| replace:: ``/var/lib/mongo``
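Review bot: in the new fact-selinux-redhat-customization.rst, the `semanage fcontext` patterns `'/mongodb/data.*'` and `'/mongodb/log.*'` (and the repeated "Be sure to include the ``.*``" note and tip) over-match: `/mongodb/data.*` also labels `/mongodb/database`, `/mongodb/data-old` and any other sibling sharing the prefix as `mongod_var_lib_t`, which widens what the confined `mongod` domain may read and write. The usual form is `'/mongodb/data(/.*)?'`, which matches the directory and everything beneath it only; the tip and note should say that instead of `.*`. Smaller points in the same hunk: the `chcon -Rv -u system_u -t ...` step is redundant and non-persistent, since `restorecon -R -v` applies the context recorded by `semanage fcontext` (including `system_u`) and a later relabel discards `chcon` changes, so the procedure can be two steps; `restorecon -R -v` is the only command shown without `sudo`; the generic commands `sudo semanage fcontext -a -t`, `sudo chcon -Rv -u system_u -t`, `restorecon -R -v` and `sudo semanage port -a -t mongod_port_t -p tcp` appear with no placeholder arguments, so if the placeholders were dropped they need to be restored (for example `sudo semanage port -a -t mongod_port_t -p tcp 27018`); and the port section should mention that `semanage port -a` fails with "already defined" when the port already carries another type, in which case `-m` is needed, and that `semanage port -l | grep mongod_port_t` confirms the result.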
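Review bot: the label `.. _selinux-installation-instructions:` added at the top of fact-selinux-redhat-options.rst lives in an include that both tarball pages (install-mongodb-enterprise-on-red-hat-tarball.txt and install-mongodb-on-red-hat-tarball.txt) pull in, so Sphinx will define the label twice and warn about a duplicate target; the `:ref:` from fact-selinux-redhat-with-policy.rst then resolves to whichever page is built first. The same applies to `.. _selinux-custom-policy-howto:` in fact-selinux-redhat-customization.rst, which is included through the same file. Put the labels in the two tarball pages themselves (with distinct names) or reference one of the pages explicitly with `:doc:`.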
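Review bot: the install steps in fact-selinux-redhat-with-policy.rst run `git clone https://github.com/mongodb/mongodb-selinux`, `make` and `sudo make install` against the unpinned default branch, so a reader loads whatever policy is at HEAD at that moment as root, with no way to match it to the server version they installed. Suggest checking out a release tag that corresponds to the installed server (for example `git checkout <tag>` after the clone, with the tag named in the text) and noting that `sudo make install` loads the module into the running policy, so the build output should be reviewed before that step. The note in the same hunk also says a "custom SELinux policy" can be created and links to `selinux-custom-policy-howto`, but that target is the `semanage fcontext`/`semanage port` how-to for relabeling paths and ports, not instructions for writing a policy module; reword the link text to match.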
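Review bot: the last bullet in important-selinux-customizations.rst, "If you have made other modifications to your MongoDB installation.", is too vague to act on and breaks the list's pattern (the other items read "You are using a ..."); either name the modifications that need policy changes (a different service user, a non-default config file location) or drop the bullet. The opening "In addition to the above" also depends on where the include lands, which matters given the placement in the two tarball pages.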
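Review bot: in both tarball hunks (install-mongodb-enterprise-on-red-hat-tarball.txt and install-mongodb-on-red-hat-tarball.txt) the new `.. include:: /includes/important-selinux-customizations.rst` is placed after `fact-selinux-redhat-options.rst`, but that file now ends with `.. include:: /includes/fact-selinux-redhat-customization.rst`, so the "you will also need to further customize your SELinux policy" notice renders after the custom-path and custom-port steps it is meant to introduce. In the removed text it preceded those steps. Either include the notice inside fact-selinux-redhat-options.rst ahead of the customization include, or move the customization include out of options.rst and place it after the notice on the tarball pages.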
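Review bot: the release-notes hunk says "Starting in MongoDB 5.1, there is a new SE Linux Policy", while fact-selinux-redhat-with-policy.rst says "Starting in MongoDB 5.0"; one of the two versions is wrong and they must agree. In the same hunk, "SE Linux" should be "SELinux" as used everywhere else in the patch, "Red Hat Linux" should be "Red Hat Enterprise Linux 7 or 8" to match the "Run on RHEL7 or RHEL8" requirement in the include, and "``rpm`` installer packages" should be "``.rpm``" for consistency. Separately, install-mongodb-enterprise-on-red-hat.txt changes the cross-reference to `:ref:`install-enterprise-rhel-configure-selinux``, but no hunk adds or renames a label with that name (the only label visible nearby is `install-enterprise-selinux-data-directory`); confirm the target exists or the build will report an undefined label.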