2025-02-24 Update From: SLTechnology News&Howtos, Database section
Shulou (Shulou.com) 05/31 Report
This article shows how SELinux on a CentOS 7 system can prevent MongoDB from starting, and how to resolve it. The content is straightforward, and the editor walks through the problem and its fix step by step.
Problem description:
Recently the following problem was found: MongoDB 3.4 was installed on a freshly installed CentOS 7 system, a large data disk was mounted, /etc/mongod.conf was edited so that the log and data directories in the configuration file point to the new data disk, and the file permissions were adjusted accordingly.
The modified mongo.conf:
# mongod.conf
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /data/mongodb/log/mongod.log

# Where and how to store data.
storage:
  dbPath: /data/mongodb/data
File permissions:
# ls -alh
drwxr-xr-x. 5 mongod mongod 4.0K November 1 14:53 mongodb
# cd mongodb
# ls -alh
drwxr-xr-x. 3 mongod mongod 4.0K November 9 19:08 data
drwxr-xr-x. 2 mongod mongod 4.0K November 9 19:06 log
drwxr-xr-x. 2 mongod mongod 4.0K November 1 14:54 run
After running systemctl start mongod, checking the service status showed that it had not started. /var/log/messages contained the following errors:
Nov 9 06:06:44 [localhost] setroubleshoot: failed to retrieve rpm info for /data/mongodb/run/mongod.pid
Nov 9 06:06:44 [localhost] setroubleshoot: SELinux is preventing /usr/bin/mongod from write access on the file /data/mongodb/run/mongod.pid. For complete SELinux messages run: sealert -l f7148e11-b126-401e-ba9f-a9a87c1e54ae
Nov 9 06:06:44 [localhost] python: SELinux is preventing /usr/bin/mongod from write access on the file /data/mongodb/run/mongod.pid.

* Plugin restorecon (94.8 confidence) suggests *

If you want to fix the label.
/data/mongodb/run/mongod.pid default label should be default_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /data/mongodb/run/mongod.pid

* Plugin catchall_labels (5.21 confidence) suggests *

If you want to allow mongod to have write access on the mongod.pid file
Then you need to change the label on /data/mongodb/run/mongod.pid
Do
# semanage fcontext -a -t FILE_TYPE '/data/mongodb/run/mongod.pid'
where FILE_TYPE is one of the following: afs_cache_t, initrc_tmp_t, mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, puppet_tmp_t, user_cron_spool_t.
Then execute:
restorecon -v '/data/mongodb/run/mongod.pid'

* Plugin catchall (1.44 confidence) suggests *

If you believe that mongod should be allowed write access on the mongod.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mongod' --raw | audit2allow -M my-mongod
# semodule -i my-mongod.pp
The message makes it clear that it is SELinux's protection that is denying the access.
SELinux
SELinux stands for Security-Enhanced Linux. Before SELinux, the root account could access every file and service at will, and if a file's mode was set to 777 any user could read, write, or even delete it. This model is called DAC (discretionary access control) and is very weak.
DAC, discretionary access control: what a user may do with a file is decided by the file's own permission bits, that is, the owner/group/other and r/w/x settings. Root has the highest privileges and cannot be restricted. The division of authority is too coarse, and no restriction can be applied per process.
SELinux is based on MAC (mandatory access control). Put simply, both the program and the object it accesses carry a security label (the SELinux context), and access is allowed only when the labels are permitted to interact. Otherwise, even a file with mode 777 cannot be accessed.
In SELinux, the access-control attribute is called a security context. Every object (files, inter-process communication channels, sockets, network hosts, and so on) and every subject (process) has a security context associated with it. A security context consists of three parts: user (u), role (r), and type (t) identifiers. The part we care about most is the third one, the type.
When a program accesses a resource, the subject must first pass the rules in the SELinux policy, which compare its security context with that of the target resource. If the comparison fails, the target cannot be accessed; if it succeeds, access may proceed. Finally, whether the target can actually be accessed still depends on the file system's rwx permissions. So when a permission problem appears after enabling SELinux, you have to analyze the possible causes step by step.
Resolution process:
The output in /var/log/messages is hard to read, but it contains a hint:
For complete SELinux messages run: sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
Follow the prompts:
# sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
SELinux is preventing /usr/bin/mongod from write access on the directory /data/mongodb/log.

* Plugin catchall_labels (83.8 confidence) suggests *

If you want to allow mongod to have write access on the log directory
Then you need to change the label on /data/mongodb/log
Do
# semanage fcontext -a -t FILE_TYPE '/data/mongodb/log'
where FILE_TYPE is one of the following: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_lib_t, var_log_t, var_run_t.
Then execute:
restorecon -v '/data/mongodb/log'

* Plugin catchall (17.1 confidence) suggests *
The solution is already included in the output of the above prompt:
# semanage fcontext -a -t mongod_log_t '/data/mongodb/log'
# restorecon -v '/data/mongodb/log'
restorecon reset /data/mongodb/log context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:mongod_log_t:s0
After the above commands are executed, the labeling problem for the /data/mongodb/log directory is resolved.
Fix the /data/mongodb/data and /data/mongodb/run directories in the same way.
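The relabeling procedure above, generalized to all three relocated directories, as an added example that is not part of the original article. It uses the types sealert listed, adds the "(/.*)?" suffix so the rule also covers files mongod creates later, and verifies the result with matchpathcon; it assumes the article's layout /data/mongodb/{log,data,run} and must run as root on the CentOS host.

```shell
# Added example (not from the original article): label the relocated MongoDB
# directories persistently instead of turning SELinux off.
# Assumes the article's layout /data/mongodb/{log,data,run}.

# Map each MongoDB directory role to the SELinux file type mongod may write
# under; these are the types listed in the sealert output above.
mongo_type_for() {
  case "$1" in
    log)  echo mongod_log_t ;;
    data) echo mongod_var_lib_t ;;
    run)  echo mongod_var_run_t ;;
    *)    return 1 ;;          # unknown role: refuse rather than guess a type
  esac
}

# Build the fcontext regex for a directory. The "(/.*)?" suffix makes the rule
# cover the directory and everything under it, so files mongod writes after
# the relabel (mongod.log, mongod.pid, WiredTiger files) get the right type.
mongo_fcontext_pattern() {
  printf '%s/%s(/.*)?' "$1" "$2"
}

# Register the rules in the policy store, relabel the tree, and verify.
# Needs policycoreutils-python (for semanage) on CentOS 7.
relabel_mongo_dirs() {
  base="${1:-/data/mongodb}"
  for role in log data run; do
    type=$(mongo_type_for "$role") || return 1
    semanage fcontext -a -t "$type" "$(mongo_fcontext_pattern "$base" "$role")"
  done
  restorecon -Rv "$base"
  # matchpathcon -V prints "<path> verified." when the on-disk label matches
  # what the policy now expects; any mismatch makes the function fail.
  for role in log data run; do
    matchpathcon -V "$base/$role" || return 1
  done
  ls -Zd "$base/log" "$base/data" "$base/run"
}
```

If a rule for the same path already exists, semanage fcontext -a fails with "already defined"; use -m to modify it instead.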
Start mongod again and the problem is gone:
Nov 9 06:08:51 [localhost] systemd: Starting High-performance, schema-free document-oriented database...
Nov 9 06:08:51 [localhost] systemd: Started High-performance, schema-free document-oriented database.
Nov 9 06:08:51 [localhost] mongod: about to fork child process, waiting until server is ready for connections.
Nov 9 06:08:51 [localhost] mongod: forked process: 18218
Nov 9 06:08:51 [localhost] mongod: child process started successfully, parent exiting
P.S. Besides fixing the labels as the prompts above suggest, there is a cruder way: turning SELinux off entirely. It is not recommended.
# setenforce 0
# getenforce
Permissive
That is only a temporary change. To turn SELinux off permanently you would edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled, which takes effect only after a reboot.