Dears, in order to get MongoDB 6.0 to work properly under RHEL 8.8 with SELinux enabled, we had to create an additional policy, above and beyond the policies (mongodb_cgroup_memory.te, mongodb_proc_net.te) listed in the MongoDB 6.0 documentation, as follows:
module mongodb_audit_allow 1.0;

require {
    type tmp_t;
    type default_t;
    type mongod_log_t;
    type mongod_var_lib_t;
    type init_t;
    type mongod_var_run_t;
    class file { append create execute execute_no_trans lock map open read rename setattr unlink write };
    class sock_file { create setattr unlink };
    class dir { add_name remove_name };
    class lnk_file read;
}

#============= init_t ==============
# Every rule below has init_t (systemd's own domain) as the source: the denials
# were raised by a process running in init_t rather than in mongod_t.
# default_t is the label a file carries when no file context matches its path.
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow init_t default_t:file map;
allow init_t default_t:file { execute execute_no_trans open read };
allow init_t default_t:lnk_file read;
allow init_t mongod_log_t:file { append open };
allow init_t mongod_var_lib_t:dir { add_name remove_name };
allow init_t mongod_var_lib_t:file { append create lock open read rename unlink write };
allow init_t mongod_var_run_t:file { create setattr write };
allow init_t tmp_t:sock_file { create setattr unlink };
We ran the following commands on a running system to create this additional policy:
# grep mongod /var/log/audit/audit.log | audit2allow -a -M mongodb_audit_allow
# semodule -i mongodb_audit_allow.pp
We're wondering whether this is a legitimate approach. Also, is it possible that the MongoDB 6.0 documentation is lacking in that regard and needs to be updated to include the creation of such a policy for proper operation?
Thank you, and regards to all,
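A module generated straight from audit2allow is worth screening before semodule -i installs it. The following is an added example, not code from the post above or from MongoDB: a POSIX shell helper (the function names review_te, count_flags and write_sample_te are my own) that flags allow rules with init_t or unconfined_t as the source domain, default_t as the target, or execute/execute_no_trans/map permissions, and runs it over a constructed sample built from the rules quoted above.

```shell
#!/bin/sh
# Added review helper (not from the original post) for screening an
# audit2allow-generated .te module before "semodule -i" installs it.
# Flagged: source domain init_t/unconfined_t, target default_t (a file with
# no matching file context), or execute/execute_no_trans/map permissions.
# Those usually mean a labelling or domain-transition problem, which
# semanage fcontext / restorecon should fix rather than a wider allow rule.

# review_te FILE -> one FLAG line per suspicious allow rule; returns 1 if any.
review_te() {
    awk '
    /^[[:space:]]*allow[[:space:]]/ {
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perms = ""
        for (i = 4; i <= NF; i++) perms = perms " " $i
        gsub(/[{};]/, "", perms)        # "{ a b };" -> " a b"
        why = ""
        if (src == "init_t" || src == "unconfined_t") why = why " broad-source-domain"
        if (tgt == "default_t") why = why " unlabelled-target"
        if (perms ~ /(^| )(execute|execute_no_trans|map)( |$)/) why = why " exec-permission"
        if (why != "") {
            n++
            printf "FLAG allow %s %s:%s {%s } ->%s\n", src, tgt, cls, perms, why
        }
    }
    END { exit (n > 0) }' "$1"
}

# count_flags FILE -> number of flagged rules (for scripting and tests).
count_flags() { review_te "$1" | wc -l | tr -d ' '; }

# write_sample_te FILE -> constructed sample: four rules quoted in the post
# above plus one constructed rule with mongod_t as source, which is not flagged.
write_sample_te() {
    cat > "$1" <<'EOF'
module mongodb_audit_allow 1.0;
allow init_t default_t:file map;
allow init_t default_t:file { execute execute_no_trans open read };
allow init_t mongod_var_lib_t:file { append create lock open read rename unlink write };
allow init_t tmp_t:sock_file { create setattr unlink };
allow mongod_t mongod_var_lib_t:file { read write };
EOF
}

sample=$(mktemp)
write_sample_te "$sample"
review_te "$sample" || echo "review the flagged rules before semodule -i"
rm -f "$sample"
```

Run it as `review_te mongodb_audit_allow.te` on the generated module; a non-zero exit means at least one rule deserves a look at the file labels (matchpathcon, restorecon -v) before the module is installed.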