Hi,
I'm in the process of writing a policy for CouchDB (a NoSQL database). I'm using the selinux-polgengui and Eclipse SLIDE tools to help. I've hit a roadblock because it won't start, but I'm not getting any more AVCs. I'm wondering if anybody might be able to offer some clue about getting more AVCs out of it, because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want, of course). CouchDB runs under the username/group couchdb, but I haven't added any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)

TE FILE:
policy_module(couchdb,1.0.0)

require {
	type bin_t;
	type fs_t;
	type proc_t;
}

type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;

# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)

# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Logging
logging_send_syslog_msg(couchdb_t)
# logging_log_file() marks a file type as a log file; it belongs on a
# separate log type, not on the domain type couchdb_t.
type couchdb_var_log_t;
logging_log_file(couchdb_var_log_t)

# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

#type couchdb_config_t;
files_read_etc_files(couchdb_t)

# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };

# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)

# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips or advice would be most appreciated.
Thanks
Dang, I think I spoke too soon. I looked on Bugzilla and found bug 712681; long story short, it now starts, so skip this question for the moment. I've got to sleep and can't test it any more, but it did start and I'm getting waves of denials in my logs again. Excellent.
On Thu, Jun 30, 2011 at 12:20 AM, Michael Milverton m.milverton@gmail.com wrote:
On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:
Hi,
Could you try the enclosed policy template and provide any AVC denials that you see when it is tested?
steps to test:
1. put the couchdb.{te,fc} files in a project directory, for example ~/couchdb
2. change to this project directory, for example: cd ~/couchdb
3. try to build the policy: make -f /usr/share/selinux/devel/Makefile couchdb.pp
4. if it builds, try to install the binary representation of the policy module: sudo semodule -i couchdb.pp
5. restore the context of each path specified in the file context specification file, for example:
restorecon -R -v /etc/couchdb
restorecon -R -v /etc/rc.d/init.d/couchdb
restorecon -R -v /var/lib/couchdb
restorecon -R -v /var/log/couchdb
restorecon -R -v /var/run/couchdb
restorecon -R -v /etc/sysconfig/couchdb
restorecon -R -v /usr/bin/couchdb
6. for testing purposes set SELinux to permissive mode if possible: setenforce 0
7. unload any rules that silently deny access (note this will cause much logging and may upset setroubleshoot if you have it running): semodule -DB
8. make a note of the current system time: date
9. start the couchdb service: service couchdb start
10. collect all the AVC denials that occurred since you noted the current system time, for example: ausearch -m avc -ts 18:52
enclose the full list of AVC denials.
Attachments:
couchdb.fc http://pastebin.com/3QP4ecFP
couchdb.te http://pastebin.com/VtxP7YnN
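The records in the first post are the raw audit.log format, and the exe= value in its SERVICE_START line is hex-encoded (auditd does that for strings containing a space or quote; ausearch -i would decode it). As an added example that is not part of the thread, the Python below parses such records, decodes those fields and implements the collection step of the procedure above (AVC denials since a noted time, as ausearch -m avc -ts does), run over the post's own records plus two constructed AVC lines.

```python
import re

# One raw audit.log record: type=... msg=audit(<epoch>.<ms>:<serial>): <body>
RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)")
# key=value pairs; values may be single-quoted (nested msg='...'), double-quoted or bare
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")

# auditd hex-encodes untrusted strings (exe, comm, acct, proctitle, ...) when they
# contain a space, a quote or a control character; that is why exe= in the
# SERVICE_START record of the post is a run of hex digits.  Only these keys are
# ever decoded, so a numeric pid is never mistaken for hex.
HEX_ENCODED_FIELDS = {"exe", "comm", "acct", "name", "proctitle", "cwd", "path", "key"}


def decode_value(key, raw):
    """Strip quoting, or decode the hex form auditd uses for untrusted strings."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        try:
            text = bytes.fromhex(raw).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return raw
        if text.isprintable():
            return text
    return raw


def parse_fields(text):
    return {key: decode_value(key, raw) for key, raw in FIELD_RE.findall(text)}


def parse_record(line):
    """Turn one audit.log line into {"type", "time", "serial", "fields"}, or None.

    Fields inside a quoted msg='...' payload (PAM and service records) are merged
    into the same dict; AVC records also get "avc_result" and "permissions"."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = parse_fields(body)
    inner = fields.pop("msg", None)
    if inner is not None:
        fields.update(parse_fields(inner))
    avc = AVC_RE.search(body)
    if avc:
        fields["avc_result"] = avc.group(1)
        fields["permissions"] = avc.group(2).split()
    return {"type": m.group("type"), "time": float(m.group("time")),
            "serial": int(m.group("serial")), "fields": fields}


def avc_denials_since(lines, since_epoch):
    """What `ausearch -m avc -ts <time>` returns: AVC denials at or after since_epoch.

    since_epoch is seconds since the epoch (the raw audit timestamp); ausearch
    itself takes a wall-clock time such as 18:52."""
    out = []
    for rec in map(parse_record, lines):
        if (rec and rec["type"] == "AVC" and rec["time"] >= since_epoch
                and rec["fields"].get("avc_result") == "denied"):
            out.append(rec)
    return out


def failed_records(lines):
    """Records reporting res=failed.  A failed SERVICE_START with no AVC next to it
    is exactly the situation in the first post; unloading dontaudit rules (the
    semodule -DB step of the procedure above) is how hidden denials are made visible."""
    return [rec for rec in map(parse_record, lines)
            if rec and rec["fields"].get("res") == "failed"]


# Three records quoted from the first post, plus two CONSTRUCTED type=AVC lines
# (not from the thread) so the filters have something to return: one before the
# noted time, one after it.
SAMPLE_LOG = """\
type=AVC msg=audit(1309362700.000:1300): avc:  denied  { getattr } for  pid=11800 comm="couchdb" path="/etc/couchdb" dev=sda1 ino=4242 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1309362795.100:1350): avc:  denied  { execute } for  pid=11940 comm="couchdb" name="couchjs" dev=sda1 ino=12345 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for rec in failed_records(SAMPLE_LINES):
        print("%s failed: comm=%s exe=%s" % (rec["type"], rec["fields"]["comm"], rec["fields"]["exe"]))
    noted_time = 1309362790.0  # the `date` noted before `service couchdb start`
    for rec in avc_denials_since(SAMPLE_LINES, noted_time):
        f = rec["fields"]
        print("AVC denied %s %s -> %s (%s)" % (f["permissions"], f["scontext"], f["tcontext"], f["tclass"]))
```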
Regards, Lauren. You can see here Dominick Grift explaining how to make all this work. Best wishes.
On 06/29/2011 12:58 PM, Dominick Grift wrote:
On 03/08/2012 09:23 PM, Marcos Ortiz wrote:
Does a complete policy exist for couchdb? I would like to put one in for Fedora 17, although I currently cannot install it.
Hi all,
This is where the policy was the last time I was working with CouchDB. I wasn't able to continue using it for various reasons, so I haven't had a chance to do more testing with it.
Thanks Michael
On Fri, Mar 9, 2012 at 10:08 PM, Daniel J Walsh dwalsh@redhat.com wrote:
I wrote my own policy for couchdb using sepolgen for Fedora 17.
Totally untested, since I have no idea how to use couchdb.
Fixed AVCs created by starting and stopping the service.
ps -eZ | grep couch
system_u:system_r:couchdb_t:s0 4103 ? 00:00:00 couchdb
system_u:system_r:couchdb_t:s0 4113 ? 00:00:00 couchdb
system_u:system_r:couchdb_t:s0 4114 ? 00:00:00 beam.smp
system_u:system_r:couchdb_t:s0 4130 ? 00:00:00 heart
Might want to write separate policy for heart? beam.smp?
I added port definitions for tcp port couchdb_port_t 5984 and 6984.
Thanks Dan,
I don't have access to Fedora 17 at the moment, so I can't test it, but I will write a small Python script this weekend so you can test it if you like. My feeling is that it won't work properly as it is, because the fc file doesn't include couchjs, the JavaScript compiler. I think that was the main issue I had, if I remember correctly.
Could you test the policy I attached, as that seemed to work on Fedora 15, or is it too outdated? It was for CouchDB 1.0.2.
P.S. If you can wait a couple of weeks, I should be able to get Fedora 17 running. It takes time because I have limited (wireless) bandwidth at the moment.
Thanks Michael
On 12/03/2012, at 21:54, Daniel J Walsh dwalsh@redhat.com wrote:
On 03/13/2012 10:04 AM, Michael Milverton wrote:
The policy you attached did not include any allow rules. Could you mail me the original source, the te file?
Oops, sorry,
Is this what you want?
policy_module(couchdb, 1.0.0)

########################################
#
# Declarations
#

type couchdb_t;
type couchdb_exec_t;
init_daemon_domain(couchdb_t, couchdb_exec_t)
permissive couchdb_t;

type couchdb_initrc_exec_t;
init_script_file(couchdb_initrc_exec_t)

type couchdb_etc_t;
files_config_file(couchdb_etc_t)

type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)

type couchdb_var_lib_t;
files_type(couchdb_var_lib_t)

type couchdb_var_log_t;
logging_log_file(couchdb_var_log_t)

type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)

########################################
#
# Local policy
#

allow couchdb_t self:process { setsched signal signull sigkill };
allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:tcp_socket create_stream_socket_perms;
allow couchdb_t self:udp_socket create_socket_perms;

allow couchdb_t couchdb_etc_t:dir list_dir_perms;
read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)

manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, file)

manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)

create_files_pattern(couchdb_t, couchdb_var_log_t, couchdb_var_log_t)
append_files_pattern(couchdb_t, couchdb_var_log_t, couchdb_var_log_t)

manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)

can_exec(couchdb_t, couchdb_exec_t)

kernel_read_system_state(couchdb_t)

# port 5984 (handled via the vnc port interfaces here)
corenet_sendrecv_vnc_server_packets(couchdb_t)
corenet_tcp_bind_generic_node(couchdb_t)
corenet_tcp_bind_vnc_port(couchdb_t)
corenet_tcp_sendrecv_vnc_port(couchdb_t)
corenet_udp_bind_generic_node(couchdb_t)

# basename, /usr/lib/erlang/erts-5.8.3/bin/erl
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)

dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)

# /usr/share/couchdb/www/index.html
files_read_usr_files(couchdb_t)

# /
fs_getattr_xattr_fs(couchdb_t)

miscfiles_read_localization(couchdb_t)

optional_policy(`
	# /usr/lib/erlang/erts-5.8.3/bin/beam.smp
	execmem_exec(couchdb_t)
')
On Tue, Mar 13, 2012 at 10:07 PM, Daniel J Walsh dwalsh@redhat.com wrote:
Ok I was close. I am attaching the patch to show what I added based on your policy.
Thanks,
Do you want a small Python test script? I used couchdbkit (http://couchdbkit.org/).
Maybe someone else has some simple test code lying around?
On Tue, Mar 13, 2012 at 10:20 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 03/13/2012 02:39 PM, Michael Milverton wrote:
Thanks,
Do you want a small Python test script? I used couchdbkit (http://couchdbkit.org/).
It would be great.
Okay, will do it this weekend.
On 14/03/2012, at 17:08, Miroslav Grepl mgrepl@redhat.com wrote:
Okay, here is a simple Python test script using the couchdbkit library:
#!/usr/bin/env python
import os

import couchdbkit
from couchdbkit.designer import push

# Get the server
server = couchdbkit.Server("http://127.0.0.1:5984")

# Get or create a database
db = server.get_or_create_db('test')

# Prepare a simple view that will return whatever we have stored
view = """
function(doc) {
    emit(doc._id, doc);
}
"""

# Set up a filesystem directory to store a "view all" javascript file, map.js
cdb_design = "cdb/_design/test"
cdb_view = os.path.join(cdb_design, "views/all")
cdb_map = os.path.join(cdb_view, "map.js")

if not os.path.exists(cdb_view):
    os.makedirs(cdb_view)
with open(cdb_map, "w") as outfile:
    outfile.write(view)

# upload our map.js view to the database
push(cdb_design, db)

# create a test document to store in the database
doc = {'Test': 'Boo'}

# save it
db.save_doc(doc)

# retrieve everything in our database
results = db.view('test/all')
for _doc in results:
    print(_doc)
    # delete the doc from the database (the view's value is the full doc,
    # so it carries the _id and _rev that delete_doc needs)
    print(db.delete_doc(_doc.get('value')))

# create 1 more doc so it can be viewed via a web browser
new_doc = {"works": "Go to http://127.0.0.1:5984/_utils to view db"}

# save
db.save_doc(new_doc)

# if all has gone well, fire up your browser and have a look around
# here: http://127.0.0.1:5984/_utils
On Wed, Mar 14, 2012 at 7:27 PM, Michael Milverton m.milverton@gmail.com wrote:
Regards to all the list,
Where can I find the new features introduced in Fedora 15 and 16 in the SELinux base policy?
- Bug fixes
- Support for new applications
- New applications to make the system administrator's work easier
I need this information because I'm preparing a talk about "Advanced PostgreSQL Data Protection with SELinux", so at that point I want to comment on these new features.
Any advice is welcome. Thanks a lot for your time.
On Wed, 2011-06-29 at 15:07 -0400, Marcos Ortiz wrote:
I usually find out what's new in various ways:
1. See the policy git repository for new commits (bug fixes and support for new applications):
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=summary
2. See the policycoreutils, libsepol, libsemanage and checkpolicy changelogs for the "user land" related changes.
3. See the nsa.gov selinux mailing list archives for SELinux changes in the kernel.
4. Keep an eye on dwalsh's livejournal blog. He will often touch on new interesting features.
5. Keep an eye on the tresys.com refpolicy mailing list archives for changes to policy upstream.
Some of the things that were recently added that I can come up with are:
- moving /selinux to /sys/fs/selinux
- read policy from /sys/fs/selinux/policy
- named file transitions (https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition)
- audit_access capability permission
- various new policy modules
- semanage --equiv option
and everything else I forgot...
On 06/29/2011 07:48 PM, Dominick Grift wrote:
You can also get a list of permissive domains for each release which gives you a good idea of the new confined domains being developed for that release.
F16 shows:
abrt_retrace_coredump_t abrt_retrace_worker_exec_t callweaver_t dspam_t fail2ban_client_t gnomeclock_systemctl_t lldpad_t mscan_t puppetca_t pyicqt_t rhev_agentd_t sanlock_t telepathy_logger_t traffic_cop_t traffic_manager_t traffic_server_t wdmd_t zarafa_indexer_t
F15 shows:
gnomeclock_systemctl_t telepathy_gabble_t telepathy_sofiasip_t mock_t keyboardd_t telepathy_idle_t telepathy_mission_control_t matahari_serviced_t telepathy_salut_t zarafa_indexer_t firewalld_t telepathy_sunshine_t colord_t telepathy_stream_engine_t systemd_notify_t systemd_passwd_agent_t mozilla_plugin_t matahari_hostd_t matahari_netd_t passenger_t systemd_tmpfiles_t foghorn_t telepathy_msn_t namespace_init_t
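The comparison suggested above, as an added example that is not part of the thread: it diffs the built-in permissive domain lists of two releases to show which confined domains are new and which have left the permissive list (and so are presumably enforcing now). On a live system the list comes from `semanage permissive -l`; here the F15 and F16 lists quoted in the thread are embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. The two lists below are the F15 and F16
# permissive domains quoted in the reply above, embedded so this runs offline;
# on a real system they would be taken from `semanage permissive -l`.

F15_PERMISSIVE="gnomeclock_systemctl_t telepathy_gabble_t telepathy_sofiasip_t
mock_t keyboardd_t telepathy_idle_t telepathy_mission_control_t
matahari_serviced_t telepathy_salut_t zarafa_indexer_t firewalld_t
telepathy_sunshine_t colord_t telepathy_stream_engine_t systemd_notify_t
systemd_passwd_agent_t mozilla_plugin_t matahari_hostd_t matahari_netd_t
passenger_t systemd_tmpfiles_t foghorn_t telepathy_msn_t namespace_init_t"

F16_PERMISSIVE="abrt_retrace_coredump_t abrt_retrace_worker_exec_t callweaver_t
dspam_t fail2ban_client_t gnomeclock_systemctl_t lldpad_t mscan_t puppetca_t
pyicqt_t rhev_agentd_t sanlock_t telepathy_logger_t traffic_cop_t
traffic_manager_t traffic_server_t wdmd_t zarafa_indexer_t"

# domains_only_in OLD_LIST NEW_LIST: print, sorted, the domains of NEW_LIST
# that do not appear in OLD_LIST. Lists are whitespace-separated type names.
domains_only_in() {
    known=" $(printf '%s ' $1)"        # normalise to " a_t b_t ... " for matching
    for d in $2; do
        case "$known" in
            *" $d "*) ;;                 # already on the old list: not new
            *) printf '%s\n' "$d" ;;
        esac
    done | sort
}

# Domains that appear on the permissive list for the first time in F16, i.e.
# confined domains still being developed for that release.
new_in_f16() { domains_only_in "$F15_PERMISSIVE" "$F16_PERMISSIVE"; }

# Domains permissive in F15 that are no longer on the F16 list: either they
# were switched to enforcing or the module was dropped, so worth a look.
left_permissive_after_f15() { domains_only_in "$F16_PERMISSIVE" "$F15_PERMISSIVE"; }

echo "New permissive domains in F16:"
new_in_f16
echo
echo "Permissive in F15 but not in F16:"
left_permissive_after_f15
```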
Thanks to all for the quick responses.
Dominick, I'm trying to follow your steps to develop the SELinux policy for PgPool-II. When I finish, I'll send you all the files (pgpool2.{fc,te}). Regards
On Thu, 2011-06-30 at 14:25 -0430, Marcos Ortiz wrote:
Dominick, I'm trying to follow your steps to develop the SELinux policy for PgPool-II. When I finish, I'll send you all the files (pgpool2.{fc,te}). Regards
Ok, if you need some interactive guidance feel free to come see me on irc.freenode.org in #fedora-selinux.