-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

I wrote my own policy for couchdb using sepolgen for Fedora 17. Totally untested, since I have no idea how to use couchdb. Fixed avc's created by starting and stopping the service.

ps -eZ | grep couch
system_u:system_r:couchdb_t:s0 4103 ? 00:00:00 couchdb
system_u:system_r:couchdb_t:s0 4113 ? 00:00:00 couchdb
system_u:system_r:couchdb_t:s0 4114 ? 00:00:00 beam.smp
system_u:system_r:couchdb_t:s0 4130 ? 00:00:00 heart

Might want to write separate policy for heart? beam.smp?

I added port definitions for tcp ports couchdb_port_t 5984 and 6984.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9eAAYACgkQrlYvE4MpobNfGgCgqOwQe9Gp4kWTHf48yZJu/j2N urEAnRBRMadaL2uY2TcRI2CCxaCdfM4w =9OeU -----END PGP SIGNATURE-----
policy_module(couchdb, 1.0.0)

########################################
#
# Declarations
#

# Process domain and its entry point; init_daemon_domain sets up the
# init -> couchdb_t transition when couchdb_exec_t is executed.
type couchdb_t;
type couchdb_exec_t;
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Permissive domain: denials for couchdb_t are audited as AVCs but not
# enforced. Drop this once the policy has been exercised against real
# usage, otherwise the confinement below is never applied.
permissive couchdb_t;

# Unit file for systemctl start/stop of the service.
type couchdb_unit_file_t;
systemd_unit_file(couchdb_unit_file_t)

# Private file types owned by the daemon.
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)

type couchdb_log_t;
logging_log_file(couchdb_log_t)

type couchdb_var_lib_t;
files_type(couchdb_var_lib_t)

type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)

########################################
#
# couchdb local policy
#

# IPC and sockets the daemon creates for itself.
allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
allow couchdb_t self:tcp_socket create_stream_socket_perms;
allow couchdb_t self:udp_socket create_socket_perms;

# Full control of the daemon's own tmp, state, PID and log trees,
# plus automatic labeling of files/dirs it creates there.
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })

manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })

manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })

# The daemon may re-execute its own entry point without a domain change.
can_exec(couchdb_t, couchdb_exec_t)

# Generic bin/shell execution stays in couchdb_t (no transition); this
# is broad, so keep an eye on whether the launcher really needs both.
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)

# Network: bind to any node, and to the couchdb ports. The
# corenet_tcp_bind_couchdb_port interface only exists if couchdb_port_t
# is declared in corenetwork (the submission says tcp 5984 and 6984).
corenet_tcp_bind_generic_node(couchdb_t)
corenet_udp_bind_generic_node(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)

# Read-only system access the daemon was observed to need.
kernel_read_system_state(couchdb_t)

dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)

domain_use_interactive_fds(couchdb_t)

files_read_etc_files(couchdb_t)

fs_getattr_tmpfs(couchdb_t)

auth_use_nsswitch(couchdb_t)

libs_exec_lib_files(couchdb_t)

miscfiles_read_localization(couchdb_t)
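## <summary>policy for couchdb</summary>

########################################
## <summary>
##	Transition to couchdb.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`couchdb_domtrans',`
	gen_require(`
		type couchdb_t, couchdb_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, couchdb_exec_t, couchdb_t)
')

########################################
## <summary>
##	Read couchdb's log files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`couchdb_read_log',`
	gen_require(`
		type couchdb_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
')

########################################
## <summary>
##	Append to couchdb log files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_append_log',`
	gen_require(`
		type couchdb_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, couchdb_log_t, couchdb_log_t)
')

########################################
## <summary>
##	Manage couchdb log files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_manage_log',`
	gen_require(`
		type couchdb_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
	manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
	manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
')

########################################
## <summary>
##	Search couchdb lib directories.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_search_lib',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	allow $1 couchdb_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read couchdb lib files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_read_lib_files',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
')

########################################
## <summary>
##	Manage couchdb lib files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_manage_lib_files',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
')

########################################
## <summary>
##	Manage couchdb lib directories.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_manage_lib_dirs',`
	gen_require(`
		type couchdb_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
')

########################################
## <summary>
##	Read couchdb PID files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_read_pid_files',`
	gen_require(`
		type couchdb_var_run_t;
	')

	files_search_pids($1)
	# read_files_pattern also grants search on couchdb_var_run_t
	# directories. The file contexts label /var/run/couchdb itself as
	# couchdb_var_run_t, so a bare "file read_file_perms" rule (the
	# previous form) could not reach a PID file inside that directory.
	read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
')

########################################
## <summary>
##	Execute couchdb server in the couchdb domain
##	via systemctl (start/stop/status of the unit).
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`couchdb_systemctl',`
	gen_require(`
		type couchdb_t;
		type couchdb_unit_file_t;
	')

	systemd_exec_systemctl($1)
	# NOTE(review): the submission used both
	# systemd_read_fifo_file_password_run and
	# systemd_read_fifo_file_passwd_run; only one can be the real
	# systemd.if interface. Normalised on passwd_run here, which is the
	# spelling used by couchdb_admin below -- confirm against systemd.if.
	systemd_read_fifo_file_passwd_run($1)
	allow $1 couchdb_unit_file_t:file read_file_perms;
	allow $1 couchdb_unit_file_t:service all_service_perms;

	ps_process_pattern($1, couchdb_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	a couchdb environment
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
##	Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`couchdb_admin',`
	gen_require(`
		type couchdb_t;
		type couchdb_log_t;
		type couchdb_var_lib_t;
		type couchdb_var_run_t;
		type couchdb_unit_file_t;
	')

	# $2 (role) is currently unused: this module declares no initrc
	# script type, so there is no role_transition to set up. It is kept
	# in the signature for consistency with other *_admin interfaces.
	allow $1 couchdb_t:process { ptrace signal_perms };
	ps_process_pattern($1, couchdb_t)

	logging_search_logs($1)
	admin_pattern($1, couchdb_log_t)

	files_search_var_lib($1)
	admin_pattern($1, couchdb_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, couchdb_var_run_t)

	couchdb_systemctl($1)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')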
# File contexts for the couchdb module.

# Daemon entry point: executing this from init transitions into couchdb_t.
/usr/bin/couchdb			--	gen_context(system_u:object_r:couchdb_exec_t,s0)

# systemd unit, readable/controllable through couchdb_systemctl.
/usr/lib/systemd/system/couchdb\.service	--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)

# Private state, log and PID trees; the daemon manages these itself.
/var/lib/couchdb(/.*)?				gen_context(system_u:object_r:couchdb_var_lib_t,s0)
/var/log/couchdb(/.*)?				gen_context(system_u:object_r:couchdb_log_t,s0)
/var/run/couchdb(/.*)?				gen_context(system_u:object_r:couchdb_var_run_t,s0)
Attachment:
couchdb.sh
Description: application/shellscript