On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:
> Hi,
>
> I'm in the process of writing a policy for couchdb (nosql database). I'm
> using the selinux-polgengui and eclipse slide tools to help. I've hit a road
> block because it won't start but I'm not getting any more AVC's. I'm
> wondering if anybody might be able to offer some clue about getting more
> AVC's from it because if it won't talk to me I can't get much further.

Hi,

Could you try the policy template enclosed and provide any avc denials
that you will be seeing when it is tested?

steps to test:

1. put the couchdb.{te,fc} files in a project directory, for example
   ~/couchdb

2. change to this project directory, for example:
     cd ~/couchdb

3. try to build the policy:
     make -f /usr/share/selinux/devel/Makefile couchdb.pp

4. if it builds, try to install the binary representation of the policy
   module:
     sudo semodule -i couchdb.pp

5. restore the context of each path specified in the file context
   specification file. for example:
     restorecon -R -v /etc/couchdb
     restorecon -R -v /etc/rc.d/init.d/couchdb
     restorecon -R -v /var/lib/couchdb
     restorecon -R -v /var/log/couchdb
     restorecon -R -v /var/run/couchdb
     restorecon -R -v /etc/sysconfig/couchdb
     restorecon -R -v /usr/bin/couchdb

5. for testing purposes set selinux to permissive mode if possible:
     setenforce 0

6. unload any rules that silently deny access (note this will cause much
   logging and may upset setroubleshoot if you have it running):
     semodule -DB

7. make a note of the current system time:
     date

8. start the couchdb service (service couchdb start)

9. collect all the avc denials that occurred since you have noted the
   current system time, example:
     ausearch -m avc -ts 18:52

enclose the full list of avc denials.

Attachments:

couchdb.fc http://pastebin.com/3QP4ecFP
couchdb.te http://pastebin.com/VtxP7YnN
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
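
Added example, not part of the original message or of the policy template it links to: a short Python script that groups the AVC denials collected with ausearch in the last step by source type, target type and object class, which makes a long list easier to read before it is posted. The sample records, the couchdb_t domain name and every pid, inode and file name in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the format `ausearch -m avc` prints; the
# couchdb_t domain and every pid, inode and file name are assumptions.
SAMPLE = """\
type=AVC msg=audit(1309366320.101:201): avc:  denied  { read } for  pid=2101 comm="beam" name="local.ini" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309366320.105:202): avc:  denied  { open } for  pid=2101 comm="beam" name="local.ini" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309366321.310:203): avc:  denied  { name_bind } for  pid=2101 comm="beam" src=5984 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1309366321.310:203): arch=c000003e syscall=49 success=yes exit=0 comm="beam"
type=AVC msg=audit(1309366322.000:204): avc:  granted  { setenforce } for  pid=1999 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Match only "denied" AVC messages and capture the fields a rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def se_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def summarize(text):
    """Group denials as (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, "granted" messages, separators
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render(rules):
    """One readable line per group, sorted for stable output."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The summary is only a reading aid; the full, unmodified ausearch output is still what the message asks to be enclosed.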