Linux Archive

Linux Archive (http://www.linux-archive.org/)

Michael Milverton 06-29-2011 04:20 PM

Policy for CouchDB
 
Hi,
I'm in the process of writing a policy for couchdb (nosql database). I'm using the selinux-polgengui and eclipse slide tools to help. I've hit a road block because it won't start but I'm not getting any more AVC's. I'm wondering if anybody might be able to offer some clue about getting more AVC's from it because if it won't talk to me I can't get much further.

The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'


Now, it will start fine (and run) when it is unlabeled (not what I want of course). Couchdb runs under the username/group couchdb but I haven't added any transition rules for this yet (any help on this would be appreciated).

FC FILE:

/usr/bin/couchdb    --    gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs    --    gen_context(system_u:object_r:couchdb_exec_t,s0)

TE FILE:

policy_module(couchdb,1.0.0)

require {
    type bin_t;
    type fs_t;
    type proc_t;
}

type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;

# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)

# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)

# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

#type couchdb_config_t;
files_read_etc_files(couchdb_t)

# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };

# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)

Any clues, tips, advice would be most appreciated

Thanks

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Michael Milverton 06-29-2011 04:31 PM

Policy for CouchDB
 
Dang, I think I spoke too soon. I looked on bugzilla and found this bug 712681, long story short is that it now starts so skip this question for the moment, I've got to sleep and can't test it anymore but it did start and I'm getting waves of denials in my logs again. Excellent.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 06-29-2011 04:58 PM

Policy for CouchDB
 
On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:
> Hi,
>
> I'm in the process of writing a policy for couchdb (nosql database). I'm
> using the selinux-polgengui and eclipse slide tools to help. I've hit a road
> block because it won't start but I'm not getting any more AVC's. I'm
> wondering if anybody might be able to offer some clue about getting more
> AVC's from it because if it won't talk to me I can't get much further.

Hi,

Could you try the policy template enclosed and provide any avc denials
that you will be seeing when it is tested?

steps to test:

1. put the couchdb.{te,fc} files in a project directory for example
~/couchdb

2. change to this project directory for example cd ~/couchdb

3. try to build the policy: make -f /usr/share/selinux/devel/Makefile
couchdb.pp

4. if it builds, try to install the binary representation of the policy
module: sudo semodule -i couchdb.pp

5. restore the context of each path specified in the file context
specification file. For example:

restorecon -R -v /etc/couchdb
restorecon -R -v /etc/rc.d/init.d/couchdb
restorecon -R -v /var/lib/couchdb
restorecon -R -v /var/log/couchdb
restorecon -R -v /var/run/couchdb
restorecon -R -v /etc/sysconfig/couchdb
restorecon -R -v /usr/bin/couchdb

6. for testing purposes set selinux to permissive mode if possible:
setenforce 0

7. unload any rules that silently deny access (note this will cause much
logging and may upset setroubleshoot if you have it running):

semodule -DB

8. make a note of the current system time: date

9. start the couchdb service (service couchdb start)

10. collect all the avc denials that occurred since you have noted the
current system time: example: ausearch -m avc -ts 18:52

enclose the full list of avc denials.

Attachments:

couchdb.fc
http://pastebin.com/3QP4ecFP

couchdb.te
http://pastebin.com/VtxP7YnN

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
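Both the original question and Dominick's recipe come down to reading raw audit.log records: the first post shows only PAM and SERVICE_START lines, and the recipe ends with `ausearch -m avc -ts HH:MM`. The Python below is an added example, not code from the thread or from the SELinux tools: it parses records in the format quoted above, decodes the hex-encoded exe field of the SERVICE_START line (auditd hex-encodes string fields that contain spaces or control characters), filters by time of day the way `ausearch -ts` does, and turns an AVC denial into the allow-rule skeleton audit2allow would print. The AVC line, with its pid, inode and comm="beam", is constructed for illustration; the two other records are copied from the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: records 1-2 are copied from the thread, record 3 is a
# made-up AVC denial of the kind "ausearch -m avc" returns once couchdb_t runs.
SAMPLE_AUDIT = """\
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1309362901.101:1352): avc:  denied  { read open } for  pid=11940 comm="beam" name="local.ini" dev=dm-0 ino=4242 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
""".splitlines()

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
HEX_FIELDS = {'exe', 'comm', 'name', 'acct', 'cmd', 'cwd', 'path', 'proctitle'}

def decode_value(key, raw):
    """Strip quotes; decode the hex form auditd uses for string fields with spaces."""
    if raw[0] in '"\'':
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw  # numeric ids such as auid=4294967295 are never hex-decoded

def parse_record(line):
    """One audit record -> {'type', 'ts', 'serial', 'fields'}."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an audit record: ' + line[:40])
    rtype, ts, serial, body = m.groups()
    fields = {k: decode_value(k, v) for k, v in FIELD.findall(body)}
    if '=' in fields.get('msg', ''):  # PAM/service records nest key=value pairs in msg='...'
        fields.update((k, decode_value(k, v)) for k, v in FIELD.findall(fields['msg']))
    if rtype == 'AVC':
        perms = re.search(r'\{ ([^}]*) \}', body)
        fields['perms'] = perms.group(1).split() if perms else []
    return {'type': rtype, 'ts': float(ts), 'serial': int(serial), 'fields': fields}

def records_since(lines, hhmm):
    """Like `ausearch -ts HH:MM` (time of day; UTC here, ausearch uses local time)."""
    since = tuple(map(int, hhmm.split(':')))
    recs = [parse_record(line) for line in lines]
    return [r for r in recs
            if datetime.fromtimestamp(r['ts'], tz=timezone.utc).timetuple()[3:5] >= since]

def avc_to_allow(record):
    """Allow-rule skeleton for one AVC denial, as audit2allow would print it."""
    f = record['fields']
    src, tgt = f['scontext'].split(':')[2], f['tcontext'].split(':')[2]
    return 'allow %s %s:%s { %s };' % (src, tgt, f['tclass'], ' '.join(f['perms']))
```

Decoding the SERVICE_START record's exe field yields "/bin/systemd (deleted)", the kernel's way of saying the on-disk binary of the reporting init process had been replaced or removed while it kept running; that detail is invisible in the raw hex. The allow rule the last function prints is only a starting point, since a real policy should prefer the reference-policy interface for the target type over a raw allow on etc_t.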
