CentOS7 SELinux prevents MongoDB from starting

Source: Internet
Author: User
Tags: mongodb, file permissions
Problem Description:

On a freshly installed CentOS 7, MongoDB 3.4 was installed and a large data disk was mounted. /etc/mongod.conf was then modified so that the log and data directories in the configuration file point to the new data disk, and the file access rights were adjusted. mongod.conf after the change:

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /data/mongodb/log/mongod.log

# Where and how to store data.
storage:
  dbPath: /data/mongodb/data
...

File permissions:

# ls -alh
drwxr-xr-x.  5 mongod mongod 4.0K November  1 14:53 mongodb

# cd mongodb
# ls -alh
drwxr-xr-x. 3 mongod mongod 4.0K November  9 19:08 data
drwxr-xr-x. 2 mongod mongod 4.0K November  9 19:06 log
drwxr-xr-x. 2 mongod mongod 4.0K November  1 14:54 run

After running systemctl start mongod, the status showed that the service had not started. /var/log/messages contained the following errors:

Nov 9 06:06:44 [localhost] setroubleshoot: failed to retrieve rpm info for /data/mongodb/run/mongod.pid
Nov 9 06:06:44 [localhost] setroubleshoot: SELinux is preventing /usr/bin/mongod from write access on the file /data/mongodb/run/mongod.pid. For complete SELinux messages run: sealert -l f7148e11-b126-401e-ba9f-a9a87c1e54ae
Nov 9 06:06:44 [localhost] python: SELinux is preventing /usr/bin/mongod from write access on the file /data/mongodb/run/mongod.pid.#012#012***** Plugin restorecon (94.8 confidence) suggests ************************#012#012If you want to fix the label.#012/data/mongodb/run/mongod.pid default label should be default_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /data/mongodb/run/mongod.pid#012#012***** Plugin catchall_labels (5.21 confidence) suggests ************#012#012If you want to allow mongod to have write access on the mongod.pid file#012Then you need to change the label on /data/mongodb/run/mongod.pid#012Do#012# semanage fcontext -a -t FILE_TYPE '/data/mongodb/run/mongod.pid'#012where FILE_TYPE is one of the following: afs_cache_t, initrc_tmp_t, mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, puppet_tmp_t, user_cron_spool_t.#012Then execute:#012restorecon -v '/data/mongodb/run/mongod.pid'#012#012#012***** Plugin catchall (1.44 confidence) suggests *#012#012If you believe that mongod should be allowed write access on the mongod.pid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mongod' --raw | audit2allow -M my-mongod#012# semodule -i my-mongod.pp#012

The messages show that SELinux, doing its job as a protection mechanism, is blocking the access. Resolution process:

The information in /var/log/messages is hard to read, but it contains a hint:

For complete SELinux messages run: sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c

Follow the prompt:

# sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
SELinux is preventing /usr/bin/mongod from write access on the directory /data/mongodb/log.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow mongod to have write access on the log directory
Then you need to change the label on /data/mongodb/log
Do
# semanage fcontext -a -t FILE_TYPE '/data/mongodb/log'
where FILE_TYPE is one of the following: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_lib_t, var_log_t, var_run_t.
Then execute:
restorecon -v '/data/mongodb/log'


*****  Plugin catchall (17.1 confidence) suggests   **************************
......

This indicates that the output already contains the workaround:

# semanage fcontext -a -t mongod_log_t '/data/mongodb/log'
# restorecon -v '/data/mongodb/log'
restorecon reset /data/mongodb/log context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:mongod_log_t:s0

Once the above commands have been executed, the access problem for the /data/mongodb/log directory is resolved.

Use the same approach to solve the problem for the /data/mongodb/data and /data/mongodb/run directories.

Start mongod; the problem is solved.

Nov  9 06:08:51 [localhost] systemd: Starting High-performance, schema-free document-oriented database...
Nov  9 06:08:51 [localhost] systemd: Started High-performance, schema-free document-oriented database.
Nov  9 06:08:51 [localhost] mongod: about to fork child process, waiting until the server is ready for connections.
Nov  9 06:08:51 [localhost] mongod: forked process: 18218
Nov  9 06:08:51 [localhost] mongod: child process started successfully, parent exiting
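
The relabelling procedure described above, applied to all three directories in one pass, as an added example that is not part of the original article. The mapping of data to mongod_var_lib_t and run to mongod_var_run_t is an assumption taken from the type list in the sealert output; the function names and the APPLY switch are hypothetical.

```sh
#!/bin/sh
# Added example: persistent SELinux labels for a MongoDB tree moved to
# /data/mongodb. Assumption: directory-to-type mapping chosen from the
# FILE_TYPE list that sealert printed.

# Print "subdir type" pairs, one per line.
mongod_label_map() {
    printf '%s\n' 'log mongod_log_t' 'data mongod_var_lib_t' 'run mongod_var_run_t'
}

# label_dir TYPE DIR: record a file-context rule for DIR and everything
# beneath it, then relabel. Without APPLY=1 it only prints the commands.
label_dir() {
    spec="$2(/.*)?"   # regex: the directory itself plus any path inside it
    if [ "${APPLY:-0}" = 1 ]; then
        # -a fails when a rule for this spec already exists; fall back to -m.
        semanage fcontext -a -t "$1" "$spec" 2>/dev/null ||
            semanage fcontext -m -t "$1" "$spec" || return 1
        restorecon -Rv "$2"
    else
        printf "semanage fcontext -a -t %s '%s'\n" "$1" "$spec"
        printf "restorecon -Rv '%s'\n" "$2"
    fi
}

# mongod_relabel [BASE]: label BASE/log, BASE/data and BASE/run.
mongod_relabel() {
    base="${1:-/data/mongodb}"
    base="${base%/}"
    case "$base" in
        /*) ;;
        *) echo "base must be an absolute path" >&2; return 1 ;;
    esac
    mongod_label_map | while read -r sub type; do
        label_dir "$type" "$base/$sub" || exit 1
    done
}

# Dry run by default; run as root with APPLY=1 to change the policy.
mongod_relabel "${1:-/data/mongodb}"
```

Because the rule covers the directory and its contents, files created later (mongod.pid, new log files) get the right type, and the labels survive a full filesystem relabel.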

P.S. Besides solving the problem by following the prompts as above, there is a more brute-force way: turn SELinux off directly. This is not really recommended.

# setenforce 0
# getenforce
Permissive

The above only turns it off temporarily. To turn it off permanently, edit the /etc/selinux/config file and change SELINUX=enforcing to SELINUX=disabled; this only takes effect after a reboot.
