03-09-2012, 01:23 AM
Marcos Ortiz

CouchDB with SELinux

Regards, Lauren, you can see here Dominick Grift explaining how
to make all this work.

Best wishes



On 06/29/2011 12:58 PM, Dominick Grift wrote:

On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:


Hi,

I'm in the process of writing a policy for couchdb (nosql database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a road
block because it won't start but I'm not getting any more AVC's. I'm
wondering if anybody might be able to offer some clue about getting more
AVC's from it because if it won't talk to me I can't get much further.



Hi,

Could you try the policy template enclosed and provide any avc denials
that you will be seeing when it is tested?

steps to test:

1. put the couchdb.{te,fc} files in a project directory, for example
~/couchdb

2. change to this project directory, for example cd ~/couchdb

3. try to build the policy: make -f /usr/share/selinux/devel/Makefile
couchdb.pp

4. if it builds, try to install the binary representation of the policy
module: sudo semodule -i couchdb.pp

5. restore the context of each path specified in the file context
specification file. for example:

restorecon -R -v /etc/couchdb
restorecon -R -v /etc/rc.d/init.d/couchdb
restorecon -R -v /var/lib/couchdb
restorecon -R -v /var/log/couchdb
restorecon -R -v /var/run/couchdb
restorecon -R -v /etc/sysconfig/couchdb
restorecon -R -v /usr/bin/couchdb

6. for testing purposes set selinux to permissive mode if possible:
setenforce 0

7. unload any rules that silently deny access (note this will cause much
logging and may upset setroubleshoot if you have it running):

semodule -DB

8. make a note of the current system time: date

9. start the couchdb service (service couchdb start)

10. collect all the avc denials that occurred since you noted the
current system time: example: ausearch -m avc -ts 18:52

enclose the full list of avc denials.

Attachments:

couchdb.fc
http://pastebin.com/3QP4ecFP

couchdb.te
http://pastebin.com/VtxP7YnN

--
Marcos Luis Ortíz Valmaseda
Sr. Software Engineer (UCI)
http://marcosluis2186.posterous.com
http://postgresql.uci.cu/blog/38

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
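The last step of Dominick's procedure collects the AVC denials with ausearch. What follows is an added example, not code from any message in this thread, of reading such a dump the way a policy author does: it merges the denials per source domain, target type and object class, prints candidate allow rules in the shape audit2allow uses, and sets aside denials whose target is a base-policy type (etc_t, bin_t, unreserved_port_t and the like), because those normally mean the object never received a couchdb-specific label (a missing file-context entry or port definition) rather than a missing rule. The audit records, file names and PIDs below are constructed samples in the kernel's AVC record format.

```python
import re

# Constructed sample of an `ausearch -m avc` dump (not real output): one
# SYSCALL record mixed in, two denials sharing an event id, one port denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1309366341.123:45): avc:  denied  { read } for  pid=4114 comm="beam.smp" name="local.ini" dev=dm-0 ino=131 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309366341.123:45): avc:  denied  { open } for  pid=4114 comm="beam.smp" path="/etc/couchdb/local.ini" dev=dm-0 ino=131 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1309366341.123:45): arch=c000003e syscall=2 success=yes exit=3 comm="beam.smp"
type=AVC msg=audit(1309366342.500:46): avc:  denied  { name_bind } for  pid=4114 comm="beam.smp" src=5984 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1309366343.001:47): avc:  denied  { execute } for  pid=4120 comm="beam.smp" name="couchjs" dev=dm-0 ino=900 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1309366343.200:48): avc:  denied  { execmem } for  pid=4114 comm="beam.smp" scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:system_r:couchdb_t:s0 tclass=process
type=AVC msg=audit(1309366344.000:49): avc:  denied  { write } for  pid=4114 comm="beam.smp" name="couch.log" dev=dm-0 ino=77 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:couchdb_log_t:s0 tclass=file
"""

# Base-policy types: a denial against one of these usually means the object
# never got a couchdb-specific label (missing .fc entry or port definition),
# so the fix is relabelling, not an allow rule that opens up etc_t or bin_t.
GENERIC_TYPES = {"etc_t", "bin_t", "usr_t", "var_t", "var_lib_t", "var_log_t",
                 "var_run_t", "tmp_t", "unreserved_port_t", "port_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]

def parse_avc(text):
    """One dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "sdomain": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
            "comm": fields.get("comm"),
            # the object involved: file name, full path, or port number
            "object": fields.get("name") or fields.get("path") or fields.get("src"),
        })
    return records

def summarise(records):
    """Merge denied permissions per (source domain, target type, class)."""
    merged = {}
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["sdomain"], r["ttype"], r["tclass"])
        info = merged.setdefault(key, {"perms": set(), "objects": set()})
        info["perms"] |= r["perms"]
        if r["object"]:
            info["objects"].add(r["object"])
    return merged

def suggest(records):
    """Candidate allow rules (the shape audit2allow prints) versus denials that
    point at a labelling problem; the latter carry the objects that triggered them."""
    rules, relabel = [], []
    for (sdomain, ttype, tclass), info in sorted(summarise(records).items()):
        target = "self" if ttype == sdomain else ttype
        rule = "allow %s %s:%s { %s };" % (sdomain, target, tclass,
                                           " ".join(sorted(info["perms"])))
        if ttype in GENERIC_TYPES:
            relabel.append((rule, sorted(info["objects"])))
        else:
            rules.append(rule)
    return rules, relabel

if __name__ == "__main__":
    rules, relabel = suggest(parse_avc(SAMPLE_AUDIT))
    print("# candidate rules for the .te file:")
    for rule in rules:
        print(rule)
    print("# denials against base-policy types; fix the labelling instead:")
    for rule, objects in relabel:
        print("# %s  <- %s" % (rule, ", ".join(objects)))
```

Run against a real dump, the second list is where to look first: in the sample, couchjs being bin_t and port 5984 being unreserved_port_t are exactly the gaps a file-context entry and a port definition close.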
 
03-09-2012, 01:08 PM
Daniel J Walsh

CouchDB with SELinux



Does a complete policy exist for couchdb? I would like to put one in
for Fedora 17, although I currently cannot install it.



 
03-12-2012, 07:16 AM
Michael Milverton

CouchDB with SELinux

Hi all,
This is where the policy was last time I was working with couchdb. I wasn't able to continue using it for various reasons so I haven't had a chance to do more testing with it.

Thanks
Michael


 
03-12-2012, 12:54 PM
Daniel J Walsh

CouchDB with SELinux

I wrote my own policy for couchdb using sepolgen for Fedora 17.

Totally untested, since I have no idea how to use couchdb.

Fixed avc's created by starting and stopping the service.

ps -eZ | grep couch
system_u:system_r:couchdb_t:s0 4103 ? 00:00:00 couchdb
system_u:system_r:couchdb_t:s0 4113 ? 00:00:00 couchdb
system_u:system_r:couchdb_t:s0 4114 ? 00:00:00 beam.smp
system_u:system_r:couchdb_t:s0 4130 ? 00:00:00 heart

Might want to write separate policy for heart? beam.smp?

I added port definitions for tcp port couchdb_port_t 5984 and 6984.
couchdb.te:

policy_module(couchdb, 1.0.0)

########################################
#
# Declarations
#

type couchdb_t;
type couchdb_exec_t;
init_daemon_domain(couchdb_t, couchdb_exec_t)

permissive couchdb_t;

type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)

type couchdb_log_t;
logging_log_file(couchdb_log_t)

type couchdb_var_lib_t;
files_type(couchdb_var_lib_t)

type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)

type couchdb_unit_file_t;
systemd_unit_file(couchdb_unit_file_t)

########################################
#
# couchdb local policy
#

allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
allow couchdb_t self:tcp_socket create_stream_socket_perms;
allow couchdb_t self:udp_socket create_socket_perms;

manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })

manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })

manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })

can_exec(couchdb_t, couchdb_exec_t)

kernel_read_system_state(couchdb_t)

corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)

corenet_tcp_bind_generic_node(couchdb_t)
corenet_udp_bind_generic_node(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)

dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)

domain_use_interactive_fds(couchdb_t)

files_read_etc_files(couchdb_t)

fs_getattr_tmpfs(couchdb_t)

auth_use_nsswitch(couchdb_t)

libs_exec_lib_files(couchdb_t)

miscfiles_read_localization(couchdb_t)

couchdb.if:

## <summary>policy for couchdb</summary>

########################################
## <summary>
##	Transition to couchdb.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`couchdb_domtrans',`
	gen_require(`
		type couchdb_t, couchdb_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, couchdb_exec_t, couchdb_t)
')

########################################
## <summary>
##	Read couchdb's log files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`couchdb_read_log',`
	gen_require(`
		type couchdb_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
')

########################################
## <summary>
##	Append to couchdb log files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_append_log',`
	gen_require(`
		type couchdb_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, couchdb_log_t, couchdb_log_t)
')

########################################
## <summary>
##	Manage couchdb log files
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_manage_log',`
	gen_require(`
		type couchdb_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
	manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
	manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
')

########################################
## <summary>
##	Search couchdb lib directories.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_search_lib',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	allow $1 couchdb_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read couchdb lib files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_read_lib_files',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
')

########################################
## <summary>
##	Manage couchdb lib files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_manage_lib_files',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
')

########################################
## <summary>
##	Manage couchdb lib directories.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_manage_lib_dirs',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
')

########################################
## <summary>
##	Read couchdb PID files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_read_pid_files',`
	gen_require(`
		type couchdb_var_run_t;
	')

	files_search_pids($1)
	allow $1 couchdb_var_run_t:file read_file_perms;
')

########################################
## <summary>
##	Execute couchdb server in the couchdb domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`couchdb_systemctl',`
	gen_require(`
		type couchdb_t;
		type couchdb_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_password_run($1)
	allow $1 couchdb_unit_file_t:file read_file_perms;
	allow $1 couchdb_unit_file_t:service all_service_perms;

	ps_process_pattern($1, couchdb_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	a couchdb environment
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
##	Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`couchdb_admin',`
	gen_require(`
		type couchdb_t;
		type couchdb_log_t;
		type couchdb_var_lib_t;
		type couchdb_var_run_t;
		type couchdb_unit_file_t;
	')

	allow $1 couchdb_t:process { ptrace signal_perms };
	ps_process_pattern($1, couchdb_t)

	logging_search_logs($1)
	admin_pattern($1, couchdb_log_t)

	files_search_var_lib($1)
	admin_pattern($1, couchdb_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, couchdb_var_run_t)

	couchdb_systemctl($1)
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')

couchdb.fc:

/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/lib/systemd/system/couchdb.service	--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
/var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
/var/log/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_log_t,s0)
/var/run/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_run_t,s0)
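As an added check that is not part of Dan's attachment, the matcher below applies the couchdb.fc entries above the way restorecon would: each regex is anchored to the whole path, an entry carrying a file-type flag such as -- only applies to that kind of object, and the most specific matching entry wins (approximated here by the length of the literal prefix, which is what libselinux's sort order is based on). Paths the spec never mentions, such as /usr/bin/couchjs or anything under /etc/couchdb, keep whatever label the base policy gives that directory, and that is the gap a policy author looks for before writing allow rules. The entries are copied from the post with the contexts written as system_u:object_r; the paths checked are made up.

```python
import re

# The five entries of Dan's couchdb.fc, copied from the post above.
COUCHDB_FC = """\
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/lib/systemd/system/couchdb.service -- gen_context(system_u:object_r:couchdb_unit_file_t, s0)
/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0 )
/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0 )
"""

FC_LINE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?"
                     r"gen_context\((?P<ctx>[^,)]+),\s*(?P<level>[^)\s]+)\s*\)$")

# file-type flags as file_contexts spells them: -- regular file, -d directory, ...
FTYPE_FLAG = {"--": "-", "-d": "d", "-l": "l", "-s": "s", "-p": "p", "-c": "c", "-b": "b"}
META = re.compile(r"[\[\](){}.*?+|^$\\]")   # first regex metacharacter ends the literal stem

def parse_fc(text):
    """Return the entries in file order; raise on a line that is not an fc entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("line %d is not a file-context entry: %r" % (n, line))
        regex = m.group("regex")
        entries.append({
            "regex": re.compile("^" + regex + "$"),   # anchored to the whole path
            "ftype": FTYPE_FLAG[m.group("ftype")] if m.group("ftype") else None,
            "type": m.group("ctx").split(":")[2],
            "stem": len(META.split(regex, 1)[0]),     # literal prefix = specificity
        })
    return entries

def label_for(entries, path, ftype="-"):
    """Type restorecon would set on `path` (ftype "-" file, "d" directory, ...),
    or None when no entry of this module matches and the base policy decides."""
    best = None
    for e in entries:
        if e["ftype"] is not None and e["ftype"] != ftype:
            continue
        if e["regex"].match(path) and (best is None or e["stem"] >= best["stem"]):
            best = e
    return best["type"] if best else None

def uncovered(entries, paths, ftype="-"):
    """Paths this module leaves to the base policy: candidates for new .fc entries."""
    return [p for p in paths if label_for(entries, p, ftype) is None]

if __name__ == "__main__":
    fc = parse_fc(COUCHDB_FC)
    for p in ["/usr/bin/couchdb", "/var/lib/couchdb/test.couch",
              "/usr/bin/couchjs", "/etc/couchdb/local.ini"]:
        print(p, "->", label_for(fc, p) or "(not covered: base policy label)")
```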
 
03-13-2012, 01:04 PM
Michael Milverton

CouchDB with SELinux

Thanks Dan,

I don't have access to Fedora 17 at the moment so I can't test it but
I will write a small python script this weekend so you can test it if
you like. My feeling is that it won't work properly like it is
because the fc file doesn't include couchjs, the JavaScript compiler.
I think that was the main issue I had if I remember correctly.

Could you test the policy I attached as that seemed to work on Fedora
15 or is it too outdated? It was for couchdb 1.0.2.

P.S. If you can wait a couple of weeks I should be able to get Fedora
17 running. It takes time because I have limited bandwidth (wireless)
at the moment.

Thanks
Michael

On 12/03/2012, at 21:54, Daniel J Walsh <dwalsh@redhat.com> wrote:

> <couchdb.te>
> <couchdb.if>
> <couchdb.fc>
> <couchdb.sh>
 
03-13-2012, 01:07 PM
Daniel J Walsh

CouchDB with SELinux

The policy you attached did not include any allow rules. Could you
mail me the original source, the .te file?
 
03-13-2012, 01:10 PM
Michael Milverton

CouchDB with SELinux

Oops, sorry,
Is this what you want?
policy_module(couchdb, 1.0.0)

########################################
#
# Declarations
#
type couchdb_t;
type couchdb_exec_t;
init_daemon_domain(couchdb_t, couchdb_exec_t)

permissive couchdb_t;

type couchdb_initrc_exec_t;
init_script_file(couchdb_initrc_exec_t)
type couchdb_etc_t;
files_config_file(couchdb_etc_t)
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
type couchdb_var_lib_t;
files_type(couchdb_var_lib_t)
type couchdb_var_log_t;
logging_log_file(couchdb_var_log_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)

########################################
#
# Local policy
#
allow couchdb_t self:process { setsched signal signull sigkill };
allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:tcp_socket create_stream_socket_perms;
allow couchdb_t self:udp_socket create_socket_perms;

allow couchdb_t couchdb_etc_t:dir list_dir_perms;
read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)

manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, file)

manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)

create_files_pattern(couchdb_t, couchdb_var_log_t, couchdb_var_log_t)
append_files_pattern(couchdb_t, couchdb_var_log_t, couchdb_var_log_t)

manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)

can_exec(couchdb_t, couchdb_exec_t)

kernel_read_system_state(couchdb_t)

# 5984
corenet_sendrecv_vnc_server_packets(couchdb_t)
corenet_tcp_bind_generic_node(couchdb_t)
corenet_tcp_bind_vnc_port(couchdb_t)
corenet_tcp_sendrecv_vnc_port(couchdb_t)
corenet_udp_bind_generic_node(couchdb_t)

# basename, /usr/lib/erlang/erts-5.8.3/bin/erl
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)

dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)

# /usr/share/couchdb/www/index.html
files_read_usr_files(couchdb_t)

# /
fs_getattr_xattr_fs(couchdb_t)

miscfiles_read_localization(couchdb_t)

optional_policy(`
	# /usr/lib/erlang/erts-5.8.3/bin/beam.smp
	execmem_exec(couchdb_t)
')
 
03-13-2012, 01:20 PM
Daniel J Walsh

CouchDB with SELinux

Ok I was close. I am attaching the patch to show what I added based
on your policy.

 
03-13-2012, 01:39 PM
Michael Milverton

CouchDB with SELinux

Thanks,
Do you want a small python test script? I used couchdbkit (http://couchdbkit.org/)?
Maybe someone else has some simple test code lying around?


 
03-14-2012, 10:08 AM
Miroslav Grepl

CouchDB with SELinux

On 03/13/2012 02:39 PM, Michael Milverton wrote:
> Thanks,
>
> Do you want a small python test script? I used couchdbkit (http://couchdbkit.org/)?

It would be great.

> Maybe someone else has some simple test code lying around?



 

All times are GMT.