MongoDB - can't run because SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen
After installation, my mongod server was running well. I created a user and restarted the server without issue.
But now, after I modified the config file by adding 0.0.0.0 to bindIp, the server won't restart. The error messages are:
```
Jan 24 11:59:53 localhost.localdomain setroubleshoot[4656]: failed to retrieve rpm info for /proc/sys/net/ipv4/tcp_fastopen
Jan 24 11:59:54 localhost.localdomain setroubleshoot[4656]: SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen. For complete SELinux messag>
Jan 24 11:59:54 localhost.localdomain setroubleshoot[4656]: SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mongod should be allowed open access on the tcp_fastopen file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mongod' --raw | audit2allow -M my-mongod
# semodule -X 300 -i my-mongod.pp
```
```
ausearch -c 'mongod' --raw | audit2allow -M my-mongod
semodule -X 300 -i my-mongod.pp
```
does not solve the problem.
The MongoDB docs say that version 4 enables use of tcp_fastopen by default. I can't find out how to apply semanage permissive to use tcp_fastopen.
Thanks in advance
Solution 1:[1]
Verify your operating system is supported by MongoDB.
Install a vanilla version of your operating system, do not change any settings, use published MongoDB documentation to install MongoDB and get it working.
Identify differences between your current installation and the vanilla installation.
Update your question with findings.
Solution 2:[2]
I couldn't find an answer to this exact error. I was starting to pull my hair out. I ended up looking at the mongod.log file. It had a permission denied error in there. journalctl showed the tcp_fastopen, so I was troubleshooting SELinux while it was actually a permission denied error. Hopefully this will help someone else running into this error.
Solution 3:[3]
I had the same problem after upgrading mongod to 4.4.6. I ended up applying what is suggested here, compiling the module manually. Now it works! I made many attempts, so I am not 100% sure that what I did is more than necessary. The audit2allow command does not include the rule:
```
allow mongod_t sysctl_net_t:file { getattr read open };
```
```
# cat > mongodb_sysctl_net.te << EOF
module mongodb_sysctl_net 1.0;

require {
    type mongod_t;
    type sysctl_net_t;
    class dir search;
    class file { getattr read open };
}

#============= mongod_t ==============
allow mongod_t sysctl_net_t:dir search;
allow mongod_t sysctl_net_t:file { getattr read open };
EOF
# checkmodule -M -m -o mongodb_sysctl_net.mod mongodb_sysctl_net.te
# semodule_package -o mongodb_sysctl_net.pp -m mongodb_sysctl_net.mod
# semodule -i mongodb_sysctl_net.pp
# systemctl start mongod.service
```
NOTE: I already had policy modules installed from the previous installation written according to the mongodb documentation
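The following is an added example, not part of Solution 3 or of MongoDB's policy: it derives the allow rules from AVC denial records so they can be reviewed before a `.te` file is written and loaded. The audit records are constructed samples, and `SAMPLE_AVC` and `avc_to_rules` are names assumed here; only the types `mongod_t` and `sysctl_net_t` come from the answer above.

```shell
#!/usr/bin/env bash
# Constructed sample AVC records (not from the original post). The types
# mongod_t and sysctl_net_t are the ones named in Solution 3.
SAMPLE_AVC='type=AVC msg=audit(1611486000.101:401): avc:  denied  { search } for  pid=4650 comm="mongod" name="net" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1611486000.102:402): avc:  denied  { getattr } for  pid=4650 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611486000.103:403): avc:  denied  { read } for  pid=4650 comm="mongod" name="tcp_fastopen" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611486000.104:404): avc:  denied  { open } for  pid=4650 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611486000.105:405): avc:  denied  { read } for  pid=4700 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# avc_to_rules COMM
# Reads raw audit records on stdin and prints one allow rule per
# (source type, target type, class) for denials caused by process COMM,
# merging the denied permissions in order of first appearance.
avc_to_rules() {
  awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
      # Permission list sits between the braces after "denied".
      perms = $0
      sub(/.*denied +[{] */, "", perms)
      sub(/ *[}].*/, "", perms)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        # Contexts are user:role:type:level, so the type is field 3.
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      key = s " " t ":" c
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!seen[key, p[j]]++) set[key] = set[key] " " p[j]
    }
    END { for (k in set) printf "allow %s {%s };\n", k, set[k] }
  ' | sort
}

# Print the rules implied by the sample denials for mongod only.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules mongod
```

On a real host the input would come from `ausearch -c 'mongod' --raw`, the same source the question pipes into `audit2allow`; comparing the two outputs shows which denials the generated module left out.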
Solution 4:[4]
I had the same issue (semodule error about accessing tcp_fastopen) with a mongo 4.4 replica-set configuration. It couldn't be an OS (Oracle Linux 8) issue, since I had the error on just one of three identical replica-set nodes (same update status). The system already had the SELinux configuration as suggested in the official documentation, with
```
semodule -l | grep mongo
```
returning
```
mongodb
mongodb_cgroup_memory
mongodb_proc_net
```
Digging inside mongod.log I finally found:
```
"Failed to unlink socket file","attr":{"path":"/tmp/mongodb-27017.sock","error":"Operation not permitted"}}
```
I don't know which condition led to this status, but when I unlinked the socket (as root), the mongo daemon started again without errors so far.
Solution 5:[5]
If you're running on RHEL, CentOS, or Oracle Linux, follow the instructions for the official SELinux policy for the MongoDB server:
```
sudo yum install -y git make checkpolicy policycoreutils selinux-policy-devel
git clone https://github.com/mongodb/mongodb-selinux
cd mongodb-selinux
make
sudo make install
```
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | D. SM |
Solution 2 | Kruz Garcia |
Solution 3 | Simone Bracaloni |
Solution 4 | teroplut |
Solution 5 | h q |