This is the official SELinux policy for the MongoDB server.
Security-Enhanced Linux (SELinux) is an implementation of mandatory access controls (MAC) in the Linux kernel, checking for allowed operations after standard discretionary access controls (DAC) are checked.
Supplied policies do not cover any daemons or tools other than mongod, such as mongos, mongocryptd, or the mongo shell.

You will need to install the following packages in order to apply this policy:

Then clone the repository, build and install the policy:

    git clone https://github.com/mongodb/mongodb-selinux
    cd mongodb-selinux
    make
    sudo make install

To remove the policy again:

    sudo make uninstall
The SELinux policy is applied automatically when the mongodb-server package is installed on a supported system.

In order for the mongod service to run, the following assumptions are made:

- the mongod binary is /usr/bin/mongod
- data files are stored in /var/lib/mongo
- log files are stored in /var/log/mongodb/
- the pid file is stored in /var/run/mongodb/ or /run/mongodb/. On RHEL systems /var/run is a symbolic link to /run. This should not be changed
- temporary files are stored in /tmp, which must stay a default location
- the /usr/lib/systemd/system/mongod.service unit file created by the installer is used
- mongod listens on a port labelled mongod_port_t, which is the default; SNMP uses a port labelled snmp_port_t
The following SELinux booleans are provided for use with enterprise features:

    mongod_can_connect_snmp
    mongod_can_connect_ldap
    mongod_can_use_kerberos

These booleans are disabled by default. They can be turned on using the setsebool command:

    setsebool -P mongod_can_connect_snmp on

The -P switch persists the setting across reboots and re-installations.
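As an added example (not part of the mongodb-selinux project), the following script audits which of the three booleans above are enabled on a host, so that only the ones backing an enterprise feature actually in use stay on; the getsebool output it parses is a constructed sample when the SELinux tools are absent.

```shell
#!/usr/bin/env bash
# Audit which of the mongod enterprise SELinux booleans are enabled.
# Added example, not part of mongodb-selinux; the boolean names come from
# the policy README, the getsebool sample below is constructed.
set -u

MONGOD_BOOLEANS="mongod_can_connect_snmp mongod_can_connect_ldap mongod_can_use_kerberos"

# Constructed sample of "getsebool -a" output: LDAP enabled, the rest off.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
mongod_can_connect_ldap --> on
mongod_can_connect_snmp --> off
mongod_can_use_kerberos --> off'

# boolean_state TEXT NAME
# Prints on/off for NAME from getsebool-style TEXT, or "missing" when the
# boolean is not defined (e.g. the mongod policy module is not loaded).
boolean_state() {
    local state
    state=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "-->" { print $3 }')
    printf '%s\n' "${state:-missing}"
}

# enabled_mongod_booleans TEXT
# Prints the mongod booleans that are "on", space separated. Empty output
# means mongod runs under the default (tightest) policy; each enabled
# boolean should correspond to an enterprise feature actually in use.
enabled_mongod_booleans() {
    local b out=""
    for b in $MONGOD_BOOLEANS; do
        if [ "$(boolean_state "$1" "$b")" = on ]; then
            out="$out$b "
        fi
    done
    printf '%s\n' "${out% }"
}

# Use the live system when getsebool exists, otherwise the sample.
if command -v getsebool >/dev/null 2>&1; then
    INPUT=$(getsebool -a)
else
    INPUT=$SAMPLE_GETSEBOOL
fi
echo "enabled mongod enterprise booleans: $(enabled_mongod_booleans "$INPUT")"
echo "to enable one persistently: sudo setsebool -P <boolean> on"
```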
The SELinux "mongodb_admin" macro from the reference policy package is not provided. The mongo daemon can be managed by a standard superuser running in the unconfined_t domain.