Re: CouchDB with SELinux


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok I was close.  I am attaching the patch to show what I added based
on your policy.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9fV5MACgkQrlYvE4MpobPSwwCgr+YU1VPetGI51OehHt4A4VIT
8YkAn3Fh1GtxwIiNPqY4yI4qTFlkKgx0
=BB2R
-----END PGP SIGNATURE-----
diff --git a/policy/modules/services/couchdb.fc b/policy/modules/services/couchdb.fc
index 3f0d629..a0c0865 100644
--- a/policy/modules/services/couchdb.fc
+++ b/policy/modules/services/couchdb.fc
@@ -1,4 +1,6 @@
-/usr/bin/couchdb		--	gen_context(system_u:object_r:couchdb_exec_t,s0)
+/etc/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_etc_t,s0)
+
+/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
 
 /usr/lib/systemd/system/couchdb.service		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
 
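Review bot: The `/usr/bin/couchdb` entry on the new side has its separator changed from two tabs to one, so a line whose labelling is unchanged shows up as removed-and-re-added; keeping the original spacing would leave the hunk with only the genuinely new `/etc/couchdb(/.*)?` entry. The new entry itself is correctly written without a file-type field, so the regex labels both the directory and everything under it as `couchdb_etc_t`. Worth noting in the commit text that existing installs need a relabel of `/etc/couchdb` before the new `.te` rules take effect, since files already on disk keep their old `etc_t` label until then.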
diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
index 9efb8c6..b556467 100644
--- a/policy/modules/services/couchdb.if
+++ b/policy/modules/services/couchdb.if
@@ -219,6 +219,7 @@ interface(`couchdb_systemctl',`
 interface(`couchdb_admin',`
 	gen_require(`
 		type couchdb_t;
+		type couchdb_etc_t;
 		type couchdb_log_t;
 		type couchdb_var_lib_t;
 		type couchdb_var_run_t;
@@ -231,6 +232,9 @@ interface(`couchdb_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, couchdb_log_t)
 
+	files_search_etc($1)
+	admin_pattern($1, couchdb_etc_t)
+
 	files_search_var_lib($1)
 	admin_pattern($1, couchdb_var_lib_t)
 
diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te
index 153c2ad..4a80b5c 100644
--- a/policy/modules/services/couchdb.te
+++ b/policy/modules/services/couchdb.te
@@ -9,6 +9,9 @@ type couchdb_t;
 type couchdb_exec_t;
 init_daemon_domain(couchdb_t, couchdb_exec_t)
 
+type couchdb_etc_t;
+files_config_file(couchdb_etc_t)
+
 type couchdb_tmp_t;
 files_tmp_file(couchdb_tmp_t)
 
@@ -28,11 +31,15 @@ systemd_unit_file(couchdb_unit_file_t)
 #
 # couchdb local policy
 #
+allow couchdb_t self:process { setsched signal signull sigkill };
 allow couchdb_t self:fifo_file rw_fifo_file_perms;
 allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
 allow couchdb_t self:tcp_socket create_stream_socket_perms;
 allow couchdb_t self:udp_socket create_socket_perms;
 
+allow couchdb_t couchdb_etc_t:dir list_dir_perms;
+read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)
+
 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
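Review bot: The line `allow couchdb_t couchdb_etc_t:dir list_dir_perms;` looks redundant next to `read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)`, which already grants `search_dir_perms` on the directory, so a later cleanup is likely to drop it; the extra `read` on the directory is presumably needed because the daemon enumerates its configuration directory rather than opening known paths, and a one-line comment above it such as `# couchdb enumerates its config directory rather than fixed paths` would preserve that reasoning. The explicit `{ setsched signal signull sigkill }` set on `self:process` is preferable to the broader `signal_perms` macro and should stay as written. The config directory is granted read-only access, which is the right least-privilege shape for `couchdb_etc_t`.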
@@ -67,12 +74,12 @@ dev_read_urand(couchdb_t)
 domain_use_interactive_fds(couchdb_t)
 
 files_read_etc_files(couchdb_t)
+files_read_usr_files(couchdb_t)
 
-fs_getattr_tmpfs(couchdb_t)
+fs_getattr_xattr_fs(couchdb_t)
 
 auth_use_nsswitch(couchdb_t)
 
 libs_exec_lib_files(couchdb_t)
 
 miscfiles_read_localization(couchdb_t)
-
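Review bot: The hunk replaces `fs_getattr_tmpfs(couchdb_t)` with `fs_getattr_xattr_fs(couchdb_t)` rather than adding the new interface, and nothing in the patch or the message explains why the tmpfs permission became unnecessary; if the original rule was added in response to an observed denial, the swap will reintroduce it. Unless the tmpfs access was confirmed to be gone, keep both lines: `fs_getattr_tmpfs(couchdb_t)` followed by `fs_getattr_xattr_fs(couchdb_t)`. The added `files_read_usr_files(couchdb_t)` is a read-only grant consistent with the existing `libs_exec_lib_files` line, and the trailing blank-line removal is whitespace only.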
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
