CentOS7 SELinux blocking MongoDB startup issues

Source: Internet
Author: User


Problem Description:


On the newly installed CentOS7, install the MongoDB3.4, mount a large data disk, modify the/etc/mongo.conf, the log and data directories in the configuration file are placed under the new data disk, and modify the file access rights. Mongo.conf after the change:

# mongod.conf

# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /data/mongodb/log/mongod.log

# Where and how to store data.
storage:
  dbPath: / data / mongodb / data
.....
file permission:

# ls -alh
drwxr-xr-x. 5 mongod mongod 4.0K Nov 1 14:53 mongodb

# cd mongodb
# ls -alh
drwxr-xr-x. 3 mongod mongod 4.0K Nov 9 19:08 data
drwxr-xr-x. 2 mongod mongod 4.0K Nov 9 19:06 log
drwxr-xr-x. 2 mongod mongod 4.0K Nov 1 14:54 run
After running the systemctl start mongod command, check the status and find that it has not started. Check / var / log / message and find the following error

Nov 9 06:06:44 [localhost] setroubleshoot: failed to retrieve rpm info for /data/mongodb/run/mongod.pid
Nov 9 06:06:44 [localhost] setroubleshoot: SELinux is preventing / usr / bin / mongod from write access on the file /data/mongodb/run/mongod.pid. For complete SELinux messages run: sealert -l f7148e11-b126 -401e-ba9f-a9a87c1e54ae
Nov 9 06:06:44 [localhost] python: SELinux is preventing / usr / bin / mongod from write access on the file /data/mongodb/run/mongod.pid.#012#012***** Plugin restorecon ( 94.8 confidence) suggests ************************ # 012 # 012If you want to fix the label. # 012 / data / mongodb / run / mongod. pid default label should be default_t. # 012Then you can run restorecon. # 012Do # 012 # / sbin / restorecon -v /data/mongodb/run/mongod.pid#012#012***** Plugin catchall_labels (5.21 confidence) suggests ******************* # 012 # 012If you want to allow mongod to have write access on the mongod.pid file # 012Then you need to change the label on / data /mongodb/run/mongod.pid#012Do#012# semanage fcontext -a -t FILE_TYPE '/data/mongodb/run/mongod.pid'#012where FILE_TYPE is one of the following: afs_cache_t, initrc_tmp_t, mongod_log_t, mongod_tmp_t, mongod_td_t , mongod_var_run_t, puppet_tmp_t, user_cron_spool_t. # 012Then execute: # 012restorecon -v '/data/mongodb/run/mongod.pid'#012#012#012***** Plugin catchal l (1.44 confidence) suggests ************************** # 012 # 012If you believe that mongod should be allowed write access on the mongod.pid file by default. # 012Then you should report this as a bug. # 012You can generate a local policy module to allow this access. # 012Do # 012allow this access for now by executing: # 012 # ausearch -c 'mongod' --raw | audit2allow -M my-mongod # 012 # semodule -i my-mongod.pp # 012
It can be seen from the prompt that the protection function of SELinux prevents access.

Resolution process:
The information in / var / log / message looks more laborious, and there is a hint inside:

For complete SELinux messages run: sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
Follow the prompts:

# sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
SELinux is preventing / usr / bin / mongod from write access on the directory / data / mongodb / log.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow mongod to have write access on the log directory
Then the labels in / data / mongodb / log must be changed
Do
# semanage fcontext -a -t FILE_TYPE ‘/ data / mongodb / log’
Where FILE_TYPE is one of: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_lib_t, var_log_t, var_run_t.
Then execute:
restorecon -v ‘/ data / mongodb / log’


***** Plugin catchall (17.1 confidence) suggests **************************
...
The above prompt output is already included, the solution:

# semanage fcontext -a -t mongo_log_t ‘/ data / mongodb / log’
# restorecon -v ‘/ data / mongodb / log’
restorecon reset / data / mongodb / log context unconfined_u: object_r: unlabeled_t: s0-> unconfined_u: object_r: mongod_log_t: s0
After the above command is executed, the file permission problem of the / data / mongodb / log directory is resolved.

In the same way, solve the problem of the / data / mongodb / data and / data / mongodb / run directories.

Start mongod and the problem is solved.

Nov 9 06:08:51 [localhost] systemd: Starting High-performance, schema-free document-oriented database ...
Nov 9 06:08:51 [localhost] systemd: Started High-performance, schema-free document-oriented database.
Nov 9 06:08:51 [localhost] mongod: about to fork child process, waiting until server is ready for connections.
Nov 9 06:08:51 [localhost] mongod: forked process: 18218
Nov 9 06:08:51 [localhost] mongod: child process started successfully, parent exiting
P.S. In addition to the above information to solve the problem, there is a more violent way to directly close SELinux, but it is not recommended.

# setenforce 0
# getenforce
Permissive
The above is temporarily closed. If it is permanently closed, you need to edit the / etc / selinux / config file and change SELINUX = enforcing to SELINUX = disabled, but it will only take effect after restarting.

CentOS7 SELinux issues preventing MongoDB from starting

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.