On Thu, Jun 30, 2011 at 12:20 AM, Michael Milverton <m.milverton@gmail.com> wrote:

Hi,

I'm in the process of writing a policy for couchdb (nosql database). I'm using the selinux-polgengui and eclipse slide tools to help. I've hit a road block because it won't start but I'm not getting any more AVC's. I'm wondering if anybody might be able to offer some clue about getting more AVC's from it because if it won't talk to me I can't get much further.

The only entries in audit.log are:

type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'

type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'

type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'

type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'

type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'

Now, it will start fine (and run) when it is unlabeled (not what I want of course). Couchdb runs under the username/group couchdb but I haven't added any transition rules for this yet (any help on this would be appreciated).

FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)

/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)

TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;

type proc_t;
}

type couchdb_t;

domain_type(couchdb_t)
permissive couchdb_t;

# Access to shared libraries

libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)

# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)

# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

#type couchdb_config_t;
files_read_etc_files(couchdb_t)

# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };

allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };

# Not sure about this

auth_domtrans_chk_passwd(couchdb_t)

# Not sure about this either.
domain_use_interactive_fds(couchdb_t)

Any clues, tips, advice would be most appreciated

Thanks