Re: Policy for CouchDB

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dang, I think I spoke too soon. I looked on bugzilla and found this bug 712681, long story short is that it now starts so skip this question for the moment, I've got to sleep and can't test it anymore but it did start and I'm getting waves of denials in my logs again. Excellent.

On Thu, Jun 30, 2011 at 12:20 AM, Michael Milverton <m.milverton@xxxxxxxxx> wrote:
Hi,

I'm in the process of writing a policy for couchdb (nosql database). I'm using the selinux-polgengui and eclipse slide tools to help. I've hit a road block because it won't start but I'm not getting any more AVC's. I'm wondering if anybody might be able to offer some clue about getting more AVC's from it because if it won't talk to me I can't get much further.

The only entries in audit.log are:

type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'


Now, it will start fine (and run) when it is unlabeled (not what I want of course). Couchdb runs under the username/group couchdb but I haven't added any transition rules for this yet (any help on this would be appreciated).

FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs    --  gen_context(system_u:object_r:couchdb_exec_t,s0) 

TE FILE:
policy_module(couchdb,1.0.0) 
require {
    type bin_t;
    type fs_t;
    type proc_t;
}


type couchdb_t;

domain_type(couchdb_t)
permissive couchdb_t;

# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)

# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)

# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })


#type couchdb_config_t;
files_read_etc_files(couchdb_t) 

# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };

# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)

# Not sure about this either.
domain_use_interactive_fds(couchdb_t)


Any clues, tips, advice would be most appreciated

Thanks


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux