Unable to start MongoDB service after an upgrade


After upgrading MongoDB to version 6.16, I was unable to restart the service. tail -n 100 /var/log/mongodb/mongod.log had the following errors:

Aug  7 08:59:34 mongo-db3 systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Aug  7 08:59:35 mongo-db3 setroubleshoot[11150]: failed to retrieve rpm info for path '/proc/sys/net/ipv4/tcp_fastopen':
Aug  7 08:59:35 mongo-db3 systemd[1]: Started dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@2.service.
Aug  7 08:59:36 mongo-db3 setroubleshoot[11150]: SELinux is preventing /usr/bin/mongod from search access on the directory /proc/sys/net/ipv4/tcp_fastopen. For complete SELinux messages run: sealert -l 699536c8-51a6-4439-9873-a54def099eb1
Aug  7 08:59:36 mongo-db3 setroubleshoot[11150]: SELinux is preventing /usr/bin/mongod from search access on the directory /proc/sys/net/ipv4/tcp_fastopen.#012#012*  Plugin catchall (100. confidence) suggests   **#012#012If you believe that mongod should be allowed search access on the tcp_fastopen directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mongod' --raw | audit2allow -M my-mongod#012# semodule -X 300 -i my-mongod.pp#012

Resolution

Based on the log output above, it appears that SELinux is preventing the mongod service from starting. The key issue is that mongod is being denied search access on the /proc/sys/net/ipv4/tcp_fastopen directory.
Here’s a breakdown of the situation and the steps you can take to resolve it:

  1. SELinux Issue:
    SELinux is preventing /usr/bin/mongod from having search access on the directory /proc/sys/net/ipv4/tcp_fastopen.
  2. Suggested Solution:
    The setroubleshoot service suggests creating a local policy module to allow this access. Here are the steps to do this:
    a. Run the following command to generate a policy module:
        ausearch -c 'mongod' --raw | audit2allow -M my-mongod
    b. Install the generated policy module:
        semodule -X 300 -i my-mongod.pp
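Because ausearch -c 'mongod' --raw returns every audited event for mongod, the generated module allows every denial in the audit log, not only the tcp_fastopen one, so it is worth listing those rules before step b. The script below is an added example, not part of the original post; the function names are hypothetical, and the sample records are constructed, with sysctl_net_t and var_log_t assumed as target types for illustration.

```shell
#!/bin/sh
# Added example: list the rules a module built from raw AVC records would allow.

# Constructed sample records (not from the original post). The target types
# sysctl_net_t and var_log_t are assumptions chosen for illustration.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1691398774.101:410): avc:  denied  { search } for  pid=11150 comm="mongod" name="net" dev="proc" ino=4026531999 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1691398775.220:415): avc:  denied  { search } for  pid=11162 comm="mongod" name="net" dev="proc" ino=4026531999 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1691312000.007:120): avc:  denied  { read write } for  pid=9001 comm="mongod" name="old.log" dev="dm-0" ino=77 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691398776.000:420): avc:  denied  { getattr } for  pid=500 comm="sshd" path="/etc/x" dev="dm-0" ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

# summarize_avc COMM: read raw audit records on stdin and print one line per
# distinct rule for that command, prefixed with how many denials produced it:
#   <count> allow <source_type> <target_type>:<class> { <perms> };
summarize_avc() {
    awk -v want="comm=\"$1\"" '
        /avc:  denied/ && index($0, want) {
            # Permissions are the text between "denied  { " and " }".
            perms = $0
            sub(/^.*denied  [{] /, "", perms); sub(/ [}].*$/, "", perms)
            src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                # The SELinux type is the third colon-separated part of a context.
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            seen[src " " tgt ":" cls " { " perms " };"]++
        }
        END { for (r in seen) printf "%d allow %s\n", seen[r], r }
    ' | sort -k3
}

# Demo on the constructed sample: two mongod rules, the sshd record is ignored.
sample_avc | summarize_avc mongod
```

On the affected host, pipe ausearch -c 'mongod' --raw into summarize_avc mongod in place of the sample, and compare the result with the my-mongod.te file that audit2allow -M writes next to my-mongod.pp.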