Oops, sorry,<div><br></div><div>Is this what you want?</div><div><br></div><div>#</div><div><div>policy_module(couchdb, 1.0.0)</div><div><br></div><div>########################################</div><div>#</div><div># Declarations</div>
<div>#</div><div><br></div><div>permissive couchdb_t;</div><div><br></div><div>type couchdb_t;</div><div>type couchdb_exec_t;</div><div>init_daemon_domain(couchdb_t, couchdb_exec_t)</div><div><br></div><div>type couchdb_initrc_exec_t;</div>
<div>init_script_file(couchdb_initrc_exec_t)</div><div><br></div><div>type couchdb_etc_t;</div><div>files_config_file(couchdb_etc_t)</div><div><br></div><div>type couchdb_tmp_t;</div><div>files_tmp_file(couchdb_tmp_t)</div>
<div><br></div><div>type couchdb_var_lib_t;</div><div>files_type(couchdb_var_lib_t)</div><div><br></div><div>type couchdb_var_log_t;</div><div>logging_log_file(couchdb_var_log_t)</div><div><br></div><div>type couchdb_var_run_t;</div>
<div>files_pid_file(couchdb_var_run_t)</div><div><br></div><div>########################################</div><div>#</div><div># Local policy</div><div>#</div><div><br></div><div>allow couchdb_t self:process { setsched signal signull sigkill };</div>
<div>allow couchdb_t self:fifo_file rw_fifo_file_perms;</div><div>allow couchdb_t self:tcp_socket create_stream_socket_perms;</div><div>allow couchdb_t self:udp_socket create_socket_perms;</div><div><br></div><div>allow couchdb_t couchdb_etc_t:dir list_dir_perms;</div>
<div>read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)</div><div><br></div><div>manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)</div><div>files_tmp_filetrans(couchdb_t, couchdb_tmp_t, file)</div><div>
<br></div><div>manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)</div><div>manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)</div><div><br></div><div>create_files_pattern(couchdb_t, couchdb_var_log_t, couchdb_var_log_t)</div>
<div>append_files_pattern(couchdb_t, couchdb_var_log_t, couchdb_var_log_t)</div><div><br></div><div>manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)</div><div><br></div><div>can_exec(couchdb_t, couchdb_exec_t)</div>
<div><br></div><div>kernel_read_system_state(couchdb_t)</div><div><br></div><div># 5984</div><div>corenet_sendrecv_vnc_server_packets(couchdb_t)</div><div>corenet_tcp_bind_generic_node(couchdb_t)</div><div>corenet_tcp_bind_vnc_port(couchdb_t)</div>
<div>corenet_tcp_sendrecv_vnc_port(couchdb_t)</div><div>corenet_udp_bind_generic_node(couchdb_t)</div><div><br></div><div># basename, /usr/lib/erlang/erts-5.8.3/bin/erl</div><div>corecmd_exec_bin(couchdb_t)</div><div>corecmd_exec_shell(couchdb_t)</div>
<div><br></div><div>dev_read_sysfs(couchdb_t)</div><div>dev_read_urand(couchdb_t)</div><div><br></div><div># /usr/share/couchdb/www/index.html</div><div>files_read_usr_files(couchdb_t)</div><div><br></div><div># /</div><div>
fs_getattr_xattr_fs(couchdb_t)</div><div><br></div><div>miscfiles_read_localization(couchdb_t)</div><div><br></div><div>optional_policy(`</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># /usr/lib/erlang/erts-5.8.3/bin/beam.smp</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>execmem_exec(couchdb_t)</div><div>')</div><br><div class="gmail_quote">On Tue, Mar 13, 2012 at 10:07 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div><div class="im">On 03/13/2012 10:04 AM, Michael Milverton wrote:<br>
> Thanks Dan,<br>
><br>
> I don't have access to Fedora 17 at the moment so I can't test it<br>
> but I will write a small python script this weekend so you can test<br>
> it if you like. My feeling is that it won't work properly like it<br>
> is because the fc file doesn't include couchjs, the JavaScript<br>
> compiler. I think that was the main issue I had if I remember<br>
> correctly.<br>
><br>
> Could you test the policy I attached as that seemed to work on<br>
> Fedora 15 or is it too outdated? It was for couchdb 1.0.2.<br>
><br>
> P.S If you can wait a couple of weeks I should be able to get<br>
> Fedora 17 running. It takes time because I have limited bandwidth<br>
> (wireless) at the moment.<br>
><br>
> Thanks Michael<br>
><br>
> On 12/03/2012, at 21:54, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:<br>
><br>
</div><div class="im">> I wrote my own policy for couchdb using sepolgen for Fedora 17.<br>
><br>
> Totally untested, since I have no idea how to use couchdb.<br>
><br>
> Fixed avc's created by starting and stopping the service.<br>
><br>
> ps -eZ | grep couch system_u:system_r:couchdb_t:s0 4103 ?<br>
> 00:00:00 couchdb system_u:system_r:couchdb_t:s0 4113 ?<br>
> 00:00:00 couchdb system_u:system_r:couchdb_t:s0 4114 ?<br>
> 00:00:00 beam.smp system_u:system_r:couchdb_t:s0 4130 ?<br>
> 00:00:00 heart<br>
><br>
> Might want to write separate polciy for heart? beam.smp?<br>
><br>
> I added port definitions for tcp port couchdb_port_t 5984 and<br>
> 6984.<br>
</div>>> <couchdb.te> <couchdb.if> <couchdb.fc> <couchdb.sh><br>
<div class="im">> -- selinux mailing list <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
<br>
</div>The policy you attached did not include any allow rules. Could you<br>
mail me the original source, te file.<br>
<div class="im">-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.12 (GNU/Linux)<br>
Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
</div>iEYEARECAAYFAk9fVKEACgkQrlYvE4MpobOUEgCg296xb2E45lvFOO4kS1vYDq44<br>
hJsAn0A5YF19vItKoLibqKUG7mZm6FZi<br>
=LrXW<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br></div>