Re: CouchDB with SELinux

On 03/08/2012 09:23 PM, Marcos Ortiz wrote:
> Regards, Lauren, you can see here Dominick Grift explaining how
> to make all this work. Best wishes
> 
> On 06/29/2011 12:58 PM, Dominick Grift wrote:
>> On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:
>>> Hi,
>>> 
>>> I'm in the process of writing a policy for couchdb (nosql
>>> database). I'm using the selinux-polgengui and eclipse slide
>>> tools to help. I've hit a road block because it won't start but
>>> I'm not getting any more AVC's. I'm wondering if anybody might
>>> be able to offer some clue about getting more AVC's from it
>>> because if it won't talk to me I can't get much further.
>> Hi,
>> 
>> Could you try the policy template enclosed and provide any avc
>> denials that you will be seeing when it is tested?
>> 
>> steps to test:
>> 
>> 1. put the couchdb.{te,fc} files in a project directory for
>> example ~/couchdb
>> 
>> 2. change to this project directory for example cd ~/couchdb
>> 
>> 3. try to build the policy: make -f /usr/share/selinux/devel/Makefile couchdb.pp
>> 
>> 4. if it builds, try to install the binary representation of the
>> policy module: sudo semodule -i couchdb.pp
>> 
>> 5. restore the context of each path specified in the file
>> context specification file. for example:
>> 
>> restorecon -R -v /etc/couchdb
>> restorecon -R -v /etc/rc.d/init.d/couchdb
>> restorecon -R -v /var/lib/couchdb
>> restorecon -R -v /var/log/couchdb
>> restorecon -R -v /var/run/couchdb
>> restorecon -R -v /etc/sysconfig/couchdb
>> restorecon -R -v /usr/bin/couchdb
>> 
>> 5. for testing purposes set selinux to permissive mode if
>> possible: setenforce 0
>> 
>> 6. unload any rules that silently deny access (note this will
>> cause much logging and may upset setroubleshoot if you have it
>> running):
>> 
>> semodule -DB
>> 
>> 7. make a note of the current system time: date
>> 
>> 8. start the couchdb service (service couchdb start)
>> 
>> 9. collect all the avc denials that occurred since you have noted
>> the current system time: example: ausearch -m avc -ts 18:52
>> 
>> enclose the full list of avc denials.
>> 
>> Attachments:
>> 
>> couchdb.fc http://pastebin.com/3QP4ecFP
>> 
>> couchdb.te http://pastebin.com/VtxP7YnN
>> 
>> 
>> 
> 
> -- Marcos Luis Ortíz Valmaseda Sr. Software Engineer (UCI) 
> http://marcosluis2186.posterous.com 
> http://postgresql.uci.cu/blog/38


Does a complete policy exist for couchdb?  I would like to put one in
for Fedora 17. Although I currently cannot install it.



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
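
Step 6 of the quoted procedure (`semodule -DB`) unloads the dontaudit rules, so the `ausearch -m avc` output collected in step 9 also carries denials from unrelated domains. The following is an added example, not part of the original thread or of the enclosed policy template: it groups collected denials by source type, target type and class, optionally keeps only one domain, and emits candidate allow rules for review. The `couchdb_t` domain name and all sample records are constructed assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed ausearch-style records. The couchdb_t domain, paths and PIDs are
# assumptions for illustration; they are not taken from the thread's policy.
SAMPLE = """\
----
type=SYSCALL msg=audit(1309373581.100:210): arch=c000003e syscall=2 success=yes exit=3 comm="beam"
type=AVC msg=audit(1309373581.100:210): avc:  denied  { read open } for  pid=2301 comm="beam" name="local.ini" dev=dm-0 ino=5501 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309373581.104:211): avc:  denied  { getattr } for  pid=2301 comm="beam" path="/etc/couchdb/local.ini" dev=dm-0 ino=5501 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309373581.230:212): avc:  denied  { setuid } for  pid=2299 comm="couchdb" capability=7  scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:system_r:couchdb_t:s0 tclass=capability
type=AVC msg=audit(1309373590.008:215): avc:  denied  { siginh rlimitinh noatsecure } for  pid=2310 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def selinux_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    return context.split(":")[2]

def summarize(text, domain=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records, separators, granted messages
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        if domain and src != domain:
            continue  # noise from other domains once dontaudit rules are off
        grouped[(src, tgt, m["c"])].update(m["perms"].split())
    return dict(grouped)

def candidate_rules(grouped):
    """Render each group as an allow rule to review, not to load blindly."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {'self' if tgt == src else tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(candidate_rules(summarize(text, domain="couchdb_t"))))
```

With real data, pipe the step 9 output into the script, for example `ausearch -m avc -ts 18:52 | python3` followed by the script file name.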


