CouchDB with SELinux

On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote: > Hi, > > I'm in the process of writing a policy for couchdb (nosql database). I'm > using the selinux-polgengui and eclipse slide tools to help. I've hit a road > block because it won't start but I'm not getting any more AVC's. I'm > wondering if anybody might be able to offer some clue about getting more > AVC's from it because if it won't talk to me I can't get much further. Hi, Could you try the policy template enclosed and provide any avc denials that you will be seeing when it is tested? steps to test: 1. put the couchdb.{te,fc} files in a project directory for example ~/couchdb 2. change to this project directory for example cd ~/couchdb 3. try to build the policy: make -f /usr/share/selinux/devel/Makefile couchdb.pp 4. if it builds, try to install the binary representation of the policy module: sudo semodule -i couchdb.pp 5. restore the context of each patch specified in the file context specification file. for example: restorecon -R -v /etc/couchdb restorecon -R -v /etc/rc.d/init.d/couchdb restorecon -R -v /var/lib/couchdb restorecon -R -v /var/log/couchdb restorecon -R -v /var/run/couchdb restorecon -R -v /etc/sysconfig/couchdb restorecon -R -v /usr/bin/couchdb 5. for testing purposes set selinux to permissive mode if possible: setenforce 0 6. unload any rules that silently deny access (note this will cause much logging and may upset setroubelshoot if you have it running): semodule -DB 7. make a note of the current system time: date 8. start the couchdb service (service couchdb start) 9. collect all the avc denials that occured since you have noted the current system time: example: ausearch -m avc -ts 18:52 enclose the full list of avc denials. Attachements: couchdb.fc http://pastebin.com/3QP4ecFP couchdb.te http://pastebin.com/VtxP7YnN