DOCSP-10075 create an SELinux profile #6005

Merged
merged 1 commit into from
Oct 15, 2021
77 changes: 77 additions & 0 deletions source/includes/fact-selinux-redhat-customization.rst
@@ -0,0 +1,77 @@

.. _selinux-custom-policy-howto:

Using a Custom MongoDB Directory Path
+++++++++++++++++++++++++++++++++++++

#. Update the SELinux policy to allow the ``mongod`` service
to use the new directory:

.. code-block:: bash

sudo semanage fcontext -a -t <type> </some/MongoDB/directory.*>

Specify one of the following types as appropriate:

- ``mongod_var_lib_t`` for data directory

- ``mongod_log_t`` for log file directory

- ``mongod_var_run_t`` for pid file directory

.. note::

Be sure to include the ``.*`` at the end of the directory.

#. Update the SELinux user policy for the new directory:

.. code-block:: bash

sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>

Specify one of the following types as appropriate:

- ``mongod_var_lib_t`` for data directory

- ``mongod_log_t`` for log directory

- ``mongod_var_run_t`` for pid file directory

#. Apply the updated SELinux policies to the directory:

.. code-block:: bash

restorecon -R -v </some/MongoDB/directory>

For example:

.. tip::

Be sure to include the ``.*`` at the end of the directory for the
``semanage fcontext`` operations.

- If using a non-default MongoDB data path of ``/mongodb/data``:

.. code-block:: bash

sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*'
sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data'
restorecon -R -v '/mongodb/data'

- If using a non-default MongoDB log directory of ``/mongodb/log``
(e.g. if the log file path is ``/mongodb/log/mongod.log``):

.. code-block:: bash

sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*'
sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log'
restorecon -R -v '/mongodb/log'


Using a Custom MongoDB Port
+++++++++++++++++++++++++++

.. code-block:: bash

sudo semanage port -a -t mongod_port_t -p tcp <portnumber>

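Review bot: the fcontext patterns end in `.*` straight after the directory name, so `'/mongodb/data.*'` also labels sibling paths such as `/mongodb/database`; the conventional form is `'/mongodb/data(/.*)?'`, and the `.. note::` ("Be sure to include the ``.*``") and the `.. tip::` a few lines later repeat each other and should be one callout that shows that form. The `chcon -Rv -u system_u -t <type>` step is redundant once the fcontext rule exists, because `restorecon` relabels from the policy's file contexts, and its heading "Update the SELinux user policy" describes a file relabel, not a policy change; either drop it or say plainly that `restorecon` is what applies the rule. `restorecon -R -v` is also missing the `sudo` the other commands carry, and the pid-file directory and the custom port get no worked example and no verification step (for the port, `sudo semanage port -l | grep mongod_port_t`), unlike the data and log directories.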
100 changes: 12 additions & 88 deletions source/includes/fact-selinux-redhat-options.rst
@@ -1,7 +1,16 @@
.. important::
.. _selinux-installation-instructions:

.. warning::

An improperly configured SELinux policy might be insecure or may
stop your :binary:`mongod` instance from working.

If SELinux is in ``enforcing`` mode, you must customize your SELinux
policy for MongoDB by making the following two policy adjustments:
policy for MongoDB to

- Permit Access to ``cgroup``
- Permit Access to ``netstat``


Permit Access to ``cgroup``
+++++++++++++++++++++++++++
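Review bot: the rewritten lead-in "you must customize your SELinux policy for MongoDB to" followed by the bullets "Permit Access to ``cgroup``" and "Permit Access to ``netstat``" reads as a sentence fragment; either keep the old "by making the following two policy adjustments:" or lower-case the bullets so they complete the sentence. The new label `.. _selinux-installation-instructions:` is added here but nothing else in this PR references it; the with-policy include points readers at `install-enterprise-tarball-rhel-configure-selinux` for the manual instructions instead, so pick one target and use it consistently.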
Expand Down Expand Up @@ -91,90 +100,5 @@ to your SELinux policy:
semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod
sudo semodule -i mongodb_proc_net.pp

.. important::

In addition to the above, you will also need to further customize
your SELinux policy in the following two cases if SELinux is in
``enforcing`` mode:

- You are using a **custom directory path** instead of using the
default :setting:`~storage.dbPath`, :setting:`systemLog.path`, or
:setting:`~processManagement.pidFilePath` in RHEL 7.0 or later,
and/or

- You are using a **custom port** instead of using the :doc:`default MongoDB ports
</reference/default-mongodb-port>`.

Using a Custom MongoDB Directory Path
+++++++++++++++++++++++++++++++++++++

#. Update the SELinux policy to allow the ``mongod`` service
to use the new directory:

.. code-block:: bash

sudo semanage fcontext -a -t <type> </some/MongoDB/directory.*>

where specify one of the following types as appropriate:

- ``mongod_var_lib_t`` for data directory

- ``mongod_log_t`` for log file directory

- ``mongod_var_run_t`` for pid file directory

.. note::

Be sure to include the ``.*`` at the end of the directory.

#. Update the SELinux user policy for the new directory:

.. code-block:: bash

sudo chcon -Rv -u system_u -t <type> </some/MongoDB/directory>

where specify one of the following types as appropriate:

- ``mongod_var_lib_t`` for data directory

- ``mongod_log_t`` for log directory

- ``mongod_var_run_t`` for pid file directory

#. Apply the updated SELinux policies to the directory:

.. code-block:: bash

restorecon -R -v </some/MongoDB/directory>

For example:

.. tip::

Be sure to include the ``.*`` at the end of the directory for the
``semanage fcontext`` operations.

- If using a non-default MongoDB data path of ``/mongodb/data``:

.. code-block:: bash

sudo semanage fcontext -a -t mongod_var_lib_t '/mongodb/data.*'
sudo chcon -Rv -u system_u -t mongod_var_lib_t '/mongodb/data'
restorecon -R -v '/mongodb/data'

- If using a non-default MongoDB log directory of ``/mongodb/log``
(e.g. if the log file path is ``/mongodb/log/mongod.log``):

.. code-block:: bash

sudo semanage fcontext -a -t mongod_log_t '/mongodb/log.*'
sudo chcon -Rv -u system_u -t mongod_log_t '/mongodb/log'
restorecon -R -v '/mongodb/log'


Using a Custom MongoDB Port
+++++++++++++++++++++++++++

.. code-block:: bash
.. include:: /includes/fact-selinux-redhat-customization.rst

sudo semanage port -a -t mongod_port_t -p tcp <portnumber>
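Review bot: `.. include:: /includes/fact-selinux-redhat-customization.rst` now ends this file, while the callout that introduces those steps ("In addition to the above, ... you will also need to further customize your SELinux policy") has moved to important-selinux-customizations.rst, which the two tarball pages in this PR include after this file; the result is that the introduction renders after the steps it introduces. Including important-selinux-customizations.rst here, immediately before the customization include, keeps the order right on every page that uses this file and removes the need for each caller to remember the second include.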
92 changes: 92 additions & 0 deletions source/includes/fact-selinux-redhat-with-policy.rst
@@ -0,0 +1,92 @@
Starting in MongoDB 5.0, a new SELinux policy is available for
MongoDB installations that:

- Use an ``.rpm`` installer.
- Use default configuration settings.
- Run on RHEL7 or RHEL8.

If your installation does not meet these requirements, refer to the
:ref:`SELinux Instructions
<install-enterprise-tarball-rhel-configure-selinux>` for ``.tgz``
packages.

.. note::

If your MongoDB deployment uses custom settings for any of the
following:

- :doc:`MongoDB connection ports </reference/default-mongodb-port>`
- :setting:`~storage.dbPath`
- :setting:`systemLog.path`
- :setting:`~processManagement.pidFilePath`

You cannot use the MongoDB supplied SELinux policy. An alternative
is to create a :ref:`custom SELinux policy
<install-enterprise-tarball-rhel-configure-selinux>`, however an
improperly written custom policy may be less secure or may stop your
:binary:`mongod` instance from working.

Install the SELinux Policy
++++++++++++++++++++++++++

#. Ensure you have the following packages installed:

- ``git``
- ``make``
- ``checkpolicy``
- ``policycoreutils``
- ``selinux-policy-devel``

.. code-block:: bash

sudo yum install git make checkpolicy policycoreutils selinux-policy-devel

#. Download the policy repository.

.. code-block:: bash

git clone https://github.com/mongodb/mongodb-selinux

#. Build the policy.

.. code-block:: bash

cd mongodb-selinux
make

#. Apply the policy.

.. code-block:: bash

sudo make install

SELinux Policy Considerations
+++++++++++++++++++++++++++++

- The SELinux policy is designed to work with the configuration that
results from a standard MongoDB ``.rpm`` package installation. See
`standard installation assumptions
<https://github.com/mongodb/mongodb-selinux/blob/master/README.md#standard-installation>`__
for more details.

- The SELinux policy is designed for :binary:`~bin.mongod` servers. It
does not apply to other MongoDB daemons or tools such as:

- :binary:`~bin.mongos`
- :binary:`~bin.mongosh`
- :ref:`mongocryptd`

- The `reference policy
<https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/mongodb.if>`__
supplied by the SELinux Project includes a ``mongodb_admin`` macro.
This macro is not included in the MongoDB SELinux policy. An
administrator in the ``unconfined_t`` domain can manage
:binary:`mongod`.

- To uninstall the policy, go to the directory where you downloaded the
policy repository and run:

.. code-block:: bash

sudo make uninstall

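Review bot: "Starting in MongoDB 5.0, a new SELinux policy is available" conflicts with the release note added in this PR, which says "Starting in MongoDB 5.1"; one of the two is wrong. The `:ref:` to `install-enterprise-tarball-rhel-configure-selinux` for ".tgz packages" is reached from the Community page as well (install-mongodb-on-red-hat.txt includes this file), so Community readers are sent to the Enterprise tarball instructions. In the install steps, `git clone https://github.com/mongodb/mongodb-selinux` followed by `sudo make install` builds and loads whatever is on the default branch as root; the page should tell readers to check out a tagged release (and which tag matches their server version) rather than an unpinned HEAD, and `make install` should carry the same `sudo` note as the uninstall step. Finally, "An administrator in the ``unconfined_t`` domain can manage :binary:`mongod`" is given as the consequence of omitting `mongodb_admin`, but it would help to say what that omission means for administrators who are not in `unconfined_t`.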
17 changes: 17 additions & 0 deletions source/includes/important-selinux-customizations.rst
@@ -0,0 +1,17 @@
.. important::

In addition to the above, if SELinux is in ``enforcing`` mode you
will also need to further customize your SELinux policy for each of
these situations:

- You are using a **custom directory path** instead of using the
default path for any combination of:

- :setting:`~storage.dbPath`
- :setting:`systemLog.path`
- :setting:`~processManagement.pidFilePath`

- You are using a **custom port** instead of using the :doc:`default
MongoDB port </reference/default-mongodb-port>`.
- If you have made other modifications to your MongoDB installation.

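Review bot: "In addition to the above" depends on where this include is placed, and on both tarball pages in this PR it is inserted after fact-selinux-redhat-options.rst, whose last section is now the custom-path and custom-port how-to, so "the above" is exactly the material this callout is meant to introduce; place the include before that how-to or reword the opening so it does not rely on position. The third bullet, "If you have made other modifications to your MongoDB installation.", is also not parallel with "You are using a **custom directory path**" and gives the reader nothing to act on; either name the kinds of modification meant or drop it.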
14 changes: 14 additions & 0 deletions source/release-notes/5.1.txt
Expand Up @@ -165,6 +165,20 @@ Starting in MongoDB 5.1, when starting a :binary:`mongod` with the
:option:`--shardsvr <mongod --shardsvr>` option you must also
specify a :option:`--replSet <mongod --replSet>`.

Security
--------

SELinux
~~~~~~~

Starting in MongoDB 5.1, there is a new SE Linux Policy for:

- :ref:`MongoDB Enterprise Server <install-enterprise-rhel-configure-selinux>`
- :ref:`MongoDB Community Edition Server <install-rhel-configure-selinux>`

running on Red Hat Linux. The SELinux policy is for use with default
installations using ``rpm`` installer packages.

Report an Issue
---------------

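Review bot: "SE Linux Policy" should be "SELinux policy", matching the subheading, and "Red Hat Linux" should be "Red Hat Enterprise Linux", since the include this note links to limits the policy to "RHEL7 or RHEL8". The version also needs reconciling with that include, which says the policy is available starting in 5.0.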
Expand Up @@ -173,6 +173,7 @@ Configure SELinux
`````````````````

.. include:: /includes/fact-selinux-redhat-options.rst
.. include:: /includes/important-selinux-customizations.rst

.. |mongod-user| replace:: ``mongod``
.. |mongod-datadir| replace:: ``/var/lib/mongo``
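Review bot: `important-selinux-customizations.rst` is included after `fact-selinux-redhat-options.rst`, but the options include now ends with the custom-path and custom-port how-to, so the "In addition to the above ... further customize" callout renders after the steps it introduces; swap the two includes, or move the callout into the options file ahead of its customization include.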
6 changes: 3 additions & 3 deletions source/tutorial/install-mongodb-enterprise-on-red-hat.txt
Expand Up @@ -110,7 +110,8 @@ directories:
If you change the user that runs the MongoDB process, you **must**
give the new user access to these directories.

#. Configure SELinux if enforced. See :ref:`install-rhel-configure-selinux`.
#. Configure SELinux if enforced. See
:ref:`install-enterprise-rhel-configure-selinux`.

.. _install-enterprise-selinux-data-directory:

Expand All @@ -119,8 +120,7 @@ directories:
Configure SELinux
`````````````````

.. include:: /includes/fact-selinux-redhat-options.rst

.. include:: /includes/fact-selinux-redhat-with-policy.rst

.. |mongod-user| replace:: ``mongod``
.. |mongod-datadir| replace:: ``/var/lib/mongo``
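Review bot: replacing `fact-selinux-redhat-options.rst` with `fact-selinux-redhat-with-policy.rst` removes the cgroup and netstat adjustment steps from the Enterprise rpm page entirely; that is right only if the mongodb-selinux policy makes them unnecessary, and the page should say so, because the include's own `.. note::` tells anyone with a custom port, `dbPath`, `systemLog.path` or `pidFilePath` that they "cannot use the MongoDB supplied SELinux policy" and then points them at the tarball page with no mention that the manual steps live there.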
1 change: 1 addition & 0 deletions source/tutorial/install-mongodb-on-red-hat-tarball.txt
Expand Up @@ -153,6 +153,7 @@ Configure SELinux
`````````````````

.. include:: /includes/fact-selinux-redhat-options.rst
.. include:: /includes/important-selinux-customizations.rst

.. |mongod-user| replace:: ``mongod``
.. |mongod-datadir| replace:: ``/var/lib/mongo``
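Review bot: the same include-order problem as on the Enterprise tarball page: `important-selinux-customizations.rst` follows `fact-selinux-redhat-options.rst`, whose final section is the customization how-to, so the callout that says "you will also need to further customize your SELinux policy" appears after the customization steps; swap the two includes.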
2 changes: 1 addition & 1 deletion source/tutorial/install-mongodb-on-red-hat.txt
Expand Up @@ -117,7 +117,7 @@ directories:
Configure SELinux
`````````````````

.. include:: /includes/fact-selinux-redhat-options.rst
.. include:: /includes/fact-selinux-redhat-with-policy.rst

.. |mongod-user| replace:: ``mongod``
.. |mongod-datadir| replace:: ``/var/lib/mongo``
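Review bot: as on the Enterprise rpm page, swapping in `fact-selinux-redhat-with-policy.rst` drops the cgroup and netstat steps from the Community rpm page; the with-policy include sends custom-settings users to `install-enterprise-tarball-rhel-configure-selinux`, which is the Enterprise tarball page, so Community readers end up on Enterprise instructions. Point them at the Community tarball page instead, or make the include's `:ref:` target page-specific.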