CouchDB with SELinux

Marcos Ortiz mlortiz at uci.cu
Fri Mar 9 02:23:23 UTC 2012


Regards, Lauren. Here you can see Dominick Grift explaining how to 
make all this work.
Best wishes

On 06/29/2011 12:58 PM, Dominick Grift wrote:
> On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:
>> Hi,
>>
>> I'm in the process of writing a policy for couchdb (nosql database). I'm
>> using the selinux-polgengui and eclipse slide tools to help. I've hit a road
>> block because it won't start but I'm not getting any more AVC's. I'm
>> wondering if anybody might be able to offer some clue about getting more
>> AVC's from it because if it won't talk to me I can't get much further.
> Hi,
>
> Could you try the policy template enclosed and provide any avc denials
> that you will be seeing when it is tested?
>
> steps to test:
>
> 1. put the couchdb.{te,fc} files in a project directory for example
> ~/couchdb
>
> 2. change to this project directory for example cd ~/couchdb
>
> 3. try to build the policy: make -f /usr/share/selinux/devel/Makefile
> couchdb.pp
>
> 4. if it builds, try to install the binary representation of the policy
> module: sudo semodule -i couchdb.pp
>
> 5. restore the context of each path specified in the file context
> specification file. for example:
>
> restorecon -R -v /etc/couchdb
> restorecon -R -v /etc/rc.d/init.d/couchdb
> restorecon -R -v /var/lib/couchdb
> restorecon -R -v /var/log/couchdb
> restorecon -R -v /var/run/couchdb
> restorecon -R -v /etc/sysconfig/couchdb
> restorecon -R -v /usr/bin/couchdb
>
> 5. for testing purposes set selinux to permissive mode if possible:
> setenforce 0
>
> 6. unload any rules that silently deny access (note this will cause much
> logging and may upset setroubleshoot if you have it running):
>
> semodule -DB
>
> 7. make a note of the current system time: date
>
> 8. start the couchdb service (service couchdb start)
>
> 9. collect all the avc denials that occurred since you have noted the
> current system time: example: ausearch -m avc -ts 18:52
>
> enclose the full list of avc denials.
>
> Attachments:
>
> couchdb.fc
> http://pastebin.com/3QP4ecFP
>
> couchdb.te
> http://pastebin.com/VtxP7YnN
>
>
>

-- 
Marcos Luis Ortíz Valmaseda
  Sr. Software Engineer (UCI)
  http://marcosluis2186.posterous.com
  http://postgresql.uci.cu/blog/38
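
The denials collected in step 9 of the quoted procedure can be folded into one line per source type, target type and class before they are reviewed or posted. The following is an added example, not part of the original thread or of the enclosed policy; the `couchdb_t` domain name and the sample AVC records are constructed assumptions.

```shell
#!/bin/sh
# Added example: fold AVC denials into one line per (source type, target type, class).
# Live use after step 9:  ausearch -m avc -ts 18:52 | summarize_avc

summarize_avc() {
    LC_ALL=C awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # The permission list is the text between the first "{" and "}".
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level, so the type is the third field.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next   # skip truncated records
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }' | LC_ALL=C sort -u | awk '
    {   # Sorted input keeps equal keys adjacent; merge their permissions.
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " acc " };"
            prev = key; acc = $4
        } else acc = acc " " $4
    }
    END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# Constructed sample records; couchdb_t is an assumed domain name.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1309366320.101:410): avc:  denied  { write } for  pid=2101 comm="beam" name="couch.log" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1309366320.105:411): avc:  denied  { read open } for  pid=2101 comm="beam" name="couch.log" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1309366321.007:412): avc:  denied  { write } for  pid=2101 comm="beam" name="couch.log" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1309366321.250:413): avc:  denied  { name_bind } for  pid=2101 comm="beam" src=5984 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1309366321.250:413): arch=c000003e syscall=49 success=yes exit=0 pid=2101 comm="beam" subj=system_u:system_r:couchdb_t:s0
EOF
}

sample_avc | summarize_avc
```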
