On Tue, Jan 17, 2012 at 2:12 PM, Jon VanAlten <jon.vanalten@xxxxxxxxxx> wrote:
Good catch! However, I'm not sure what the best way to fix this is. Any SELinux folk care to comment?
----- Original Message -----
> From: "Nathaniel McCallum" <nathaniel@xxxxxxxxxxxxxxxx>
> To: "Development discussions related to Fedora" <devel@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, January 17, 2012 1:24:25 PM
> Subject: Testing needed (mongodb)
>
> I've built packages of MongoDB 2.0.2 for f15, f16 and f17. This
> should be a
> drop in replacement for your 1.8.x server. See
> http://www.mongodb.org/display/DOCS/2.0+Release+Notes#2.0ReleaseNotes-Upgrading for
> further details.
>
> However, I had to rewrite the patch providing js 1.8.5 support. So
> I'd like
> some hands on testing before I push out this update.
>
> The builds should appear shortly in updates-testing and you can
> provide here:
> https://admin.fedoraproject.org/updates/mongodb-2.0.2-5.fc15
> https://admin.fedoraproject.org/updates/mongodb-2.0.2-5.fc16
>
> Thanks!
>
> Nathaniel
>
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
Hi,
Am using the java driver not javascript so I can't really comment on your rewritten patch, but I can say that the F15 packages seem to be functioning fine as a drop-in replacement.
Great! And in fact you are using the javascript patch, it is used internally by mongod. The patch itself, though long, is pretty much a menial changing of function signatures, so I don't see a lot of risk here (or the compiler would have yelled at me!).
There is, however, a new SELinux alert (pasted below). I don't see anything terrible in /var/log/mongodb/mongodb.log and this alert doesn't seem to affect functionality.
cheers,
jon
SELinux is preventing /usr/bin/mongod from getattr access on the file /proc/sys/vm/zone_reclaim_mode.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that mongod should be allowed getattr access on the zone_reclaim_mode file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:sysctl_vm_t:s0
Target Objects                /proc/sys/vm/zone_reclaim_mode [ file ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          <HOST>
Source RPM Packages           mongodb-server-2.0.2-5.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-48.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toxin
Platform                      Linux <HOST> 2.6.41.4-1.fc15.x86_64 #1 SMP Tue Nov
                              29 11:53:48 UTC 2011 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 17 Jan 2012 02:00:14 PM EST
Last Seen                     Tue 17 Jan 2012 02:02:46 PM EST
Local ID                      bc6ed9f8-5013-4aff-8b7d-c45c3add2e04
Raw Audit Messages
type=AVC msg=audit(1326826966.315:388): avc: denied { getattr } for pid=28298 comm="mongod" path="/proc/sys/vm/zone_reclaim_mode" dev=proc ino=515586 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
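
An added example, not part of the original thread and not code from Fedora or audit2allow: a small parser for the AVC record quoted in the alert that derives the type-enforcement rule a local policy module would have to contain, so the grant can be read before `semodule -i` loads anything. The function names are hypothetical and the sample line is reconstructed from the raw audit message above.

```python
import re

# Constructed sample: the raw AVC record quoted in the alert above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1326826966.315:388): avc: denied { getattr } for '
    'pid=28298 comm="mongod" path="/proc/sys/vm/zone_reclaim_mode" dev=proc '
    'ino=515586 scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's key=value fields plus 'perms', or None if not a denial."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group('rest'))}
    fields['perms'] = match.group('perms').split()
    return fields


def selinux_type(context):
    """Pick the type out of user:role:type:level (the level may itself contain ':')."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def allow_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or not {'scontext', 'tcontext', 'tclass'} <= avc.keys():
            continue  # other record types (SYSCALL, PATH, ...) carry no rule
        key = (selinux_type(avc['scontext']), selinux_type(avc['tcontext']), avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append('allow %s %s:%s %s;' % (source, target, tclass, text))
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules([SAMPLE_AVC])))
```

Because the suggested `grep mongod` feeds every mongod denial in the audit log to audit2allow, not only this one, compare the `mypol.te` it writes against the single rule derived here before installing `mypol.pp`.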