2014-02-01 11:36:48

by Mira Ressel

Subject: [refpolicy] Couchdb policy updates

The following patch series supersedes my previous patch proposal for the couchdb
policy. The first patch is for refpolicy.git, the others are for
refpolicy-contrib.git.


--
Luis Ressel <[email protected]>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD


2014-02-01 11:36:49

by Mira Ressel

Subject: [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface

This is required for an update of the couchdb policy.
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 566314f..692db45 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5181,6 +5181,25 @@ interface(`files_list_var',`

########################################
## <summary>
+## Do not audit attempts to list
+## the contents of /var.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ dontaudit $1 var_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
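Review bot: the new interface silences more than listing: `list_dir_perms` includes `search`, `getattr` and `open` on `var_t`, so a caller also loses the audit messages for failed traversal of /var, which is the permission most policy bugs show up as. That matches how the other `files_dontaudit_*` interfaces in this file are written, so it is acceptable, but the summary could read "list or search the contents of /var" so callers know what they are hiding. Placement directly after `files_list_var` keeps the allow and dontaudit pair together, which is the file's convention.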
--
1.8.5.3

2014-02-01 11:38:37

by Mira Ressel

Subject: [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs

couchjs requires 'execmem', which isn't necessary for the rest of
couchdb.
---
couchdb.fc | 1 +
couchdb.te | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/couchdb.fc b/couchdb.fc
index 7b63699..3fd740b 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -2,6 +2,7 @@

/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)

+/usr/lib/couchdb/bin/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)

/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
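Review bot: the new `couchjs` entry is inserted between the `/etc/rc.d` line and the `couchspawnkillable` line while `/usr/bin/couchdb` sits below both, so the file is not sorted by path; patch 4/5 in this series reorders it, but adding the line in sorted position here would keep that later patch purely cosmetic. The label itself is right: `/usr/lib/couchdb/bin/couchjs` is the only path given `couchdb_js_exec_t`, so the transition added in couchdb.te has exactly one entrypoint.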
diff --git a/couchdb.te b/couchdb.te
index 171ea6d..9481c02 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -9,6 +9,10 @@ type couchdb_t;
type couchdb_exec_t;
init_daemon_domain(couchdb_t, couchdb_exec_t)

+type couchdb_js_t;
+type couchdb_js_exec_t;
+init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)
+
type couchdb_initrc_exec_t;
init_script_file(couchdb_initrc_exec_t)

@@ -30,7 +34,7 @@ init_daemon_run_dir(couchdb_var_run_t, "couchdb")

########################################
#
-# Local policy
+# couchdb policy
#

allow couchdb_t self:process { getsched setsched signal signull sigkill };
@@ -88,3 +92,15 @@ fs_getattr_xattr_fs(couchdb_t)
auth_use_nsswitch(couchdb_t)

miscfiles_read_localization(couchdb_t)
+
+domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)
+
+########################################
+#
+# couchdb_js policy
+#
+
+allow couchdb_js_t self:process { execmem getsched setsched };
+
+files_read_usr_files(couchdb_js_t)
+miscfiles_read_localization(couchdb_js_t)
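Review bot: the new `couchdb_js` block has no rule letting `couchdb_t` signal its child. `domtrans_pattern` covers fd inheritance, the stdio pipes (`fifo_file rw_fifo_file_perms`) and `sigchld` back to the parent, but couchdb terminates couchjs through `couchspawnkillable` (labelled in the .fc of this series), which needs something like `allow couchdb_t couchdb_js_t:process { signal sigkill };` (narrowed to whichever signal is actually sent). The `execmem` grant is correctly confined to `couchdb_js_t`, which is the whole point of the split; a one-line comment above it saying why couchjs needs it would help the next reader, since the commit message does not travel with the .te file.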
--
1.8.5.3

2014-02-01 11:38:40

by Mira Ressel

Subject: [refpolicy] [PATCH 5/5] couchdb: Module version bump

---
couchdb.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/couchdb.te b/couchdb.te
index 62f5db1..f854c93 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.1.1)
+policy_module(couchdb, 1.1.2)

########################################
#
--
1.8.5.3

2014-02-01 11:38:36

by Mira Ressel

Subject: [refpolicy] [PATCH 1/5] Minor updates to couchdb policy

---
couchdb.fc | 2 ++
couchdb.te | 4 +++-
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/couchdb.fc b/couchdb.fc
index c086302..7b63699 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -2,6 +2,8 @@

/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)

+/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
+
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)

/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
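Review bot: the `couchspawnkillable` line assigns the generic `bin_t` type from a module's file contexts; by refpolicy convention a path that receives a kernel-layer label is listed in policy/modules/kernel/corecommands.fc, and a module's .fc carries only the module's own types. Suggest moving the entry there, or, if couchdb should execute it under a couchdb-specific type, declaring that type in couchdb.te instead of borrowing `bin_t`.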
diff --git a/couchdb.te b/couchdb.te
index ae1c1b1..171ea6d 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -26,13 +26,14 @@ files_type(couchdb_var_lib_t)

type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
+init_daemon_run_dir(couchdb_var_run_t, "couchdb")

########################################
#
# Local policy
#

-allow couchdb_t self:process { setsched signal signull sigkill };
+allow couchdb_t self:process { getsched setsched signal signull sigkill };
allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
allow couchdb_t self:tcp_socket { accept listen };
@@ -70,6 +71,7 @@ corenet_all_recvfrom_netlabel(couchdb_t)
corenet_tcp_sendrecv_generic_if(couchdb_t)
corenet_tcp_sendrecv_generic_node(couchdb_t)
corenet_tcp_bind_generic_node(couchdb_t)
+corenet_udp_bind_generic_node(couchdb_t)

corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
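Review bot: `corenet_udp_bind_generic_node(couchdb_t)` is added without a matching UDP port rule and without explanation, and the commit message ("Minor updates") does not say which socket needs it. Binding a UDP socket to a node is only useful together with a `corenet_udp_bind_*_port` call for the port in question, so either add the port interface that corresponds to the denial that prompted this line, or drop it; a short comment naming the component that opens the UDP socket would keep the rule from looking like a leftover.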
--
1.8.5.3

2014-02-01 11:38:38

by Mira Ressel

Subject: [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup

---
couchdb.te | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/couchdb.te b/couchdb.te
index 9481c02..62f5db1 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -87,7 +87,12 @@ dev_read_urand(couchdb_t)

files_read_usr_files(couchdb_t)

+# disksup tries to monitor the local disks
fs_getattr_xattr_fs(couchdb_t)
+fs_dontaudit_getattr_all_fs(couchdb_t)
+files_dontaudit_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+files_dontaudit_search_all_mountpoints(couchdb_t)

auth_use_nsswitch(couchdb_t)

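Review bot: `files_dontaudit_list_var(couchdb_t)` calls an interface that this series adds to refpolicy.git in a separate patch, so refpolicy-contrib now requires that base commit to build; the commit message should state the dependency and the two should be merged in order. The dontaudits are broad (`fs_dontaudit_getattr_all_fs` and `files_dontaudit_search_all_mountpoints` cover every filesystem and mountpoint, not only what disksup probes), which is acceptable for noise suppression but will also hide unrelated denials when couchdb is later debugged from audit logs; extending the `disksup` comment to say these denials are harmless and intentionally silenced would make that trade-off visible in the .te file.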
--
1.8.5.3

2014-02-01 11:38:39

by Mira Ressel

Subject: [refpolicy] [PATCH 4/5] Reformat couchdb.fc

---
couchdb.fc | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/couchdb.fc b/couchdb.fc
index 3fd740b..933d686 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,14 +1,10 @@
-/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
-
+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)

+/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/lib/couchdb/bin/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)

-/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
-
-/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
-
-/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
-
-/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
+/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
+/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
+/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
--
1.8.5.3

2014-02-08 14:43:37

by cpebenito

Subject: [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface

On 2/1/2014 6:36 AM, Luis Ressel wrote:
> This is required for an update of the couchdb policy.
> ---
> policy/modules/kernel/files.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 566314f..692db45 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -5181,6 +5181,25 @@ interface(`files_list_var',`
>
> ########################################
> ## <summary>
> +## Do not audit attempts to list
> +## the contents of /var.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_list_var',`
> + gen_require(`
> + type var_t;
> + ')
> +
> + dontaudit $1 var_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete directories
> ## in the /var directory.
> ## </summary>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 14:43:49

by cpebenito

Subject: [refpolicy] [PATCH 1/5] Minor updates to couchdb policy

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> ---
> couchdb.fc | 2 ++
> couchdb.te | 4 +++-
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/couchdb.fc b/couchdb.fc
> index c086302..7b63699 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -2,6 +2,8 @@
>
> /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>
> +/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)

I moved this to corecommands. Otherwise merged.

> /usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
>
> /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> diff --git a/couchdb.te b/couchdb.te
> index ae1c1b1..171ea6d 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -26,13 +26,14 @@ files_type(couchdb_var_lib_t)
>
> type couchdb_var_run_t;
> files_pid_file(couchdb_var_run_t)
> +init_daemon_run_dir(couchdb_var_run_t, "couchdb")
>
> ########################################
> #
> # Local policy
> #
>
> -allow couchdb_t self:process { setsched signal signull sigkill };
> +allow couchdb_t self:process { getsched setsched signal signull sigkill };
> allow couchdb_t self:fifo_file rw_fifo_file_perms;
> allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
> allow couchdb_t self:tcp_socket { accept listen };
> @@ -70,6 +71,7 @@ corenet_all_recvfrom_netlabel(couchdb_t)
> corenet_tcp_sendrecv_generic_if(couchdb_t)
> corenet_tcp_sendrecv_generic_node(couchdb_t)
> corenet_tcp_bind_generic_node(couchdb_t)
> +corenet_udp_bind_generic_node(couchdb_t)
>
> corenet_sendrecv_couchdb_server_packets(couchdb_t)
> corenet_tcp_bind_couchdb_port(couchdb_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 14:44:01

by cpebenito

Subject: [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> couchjs requires 'execmem', which isn't necessary for the rest of
> couchdb.
> ---
> couchdb.fc | 1 +
> couchdb.te | 18 +++++++++++++++++-
> 2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/couchdb.fc b/couchdb.fc
> index 7b63699..3fd740b 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -2,6 +2,7 @@
>
> /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>
> +/usr/lib/couchdb/bin/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
>
> /usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
> diff --git a/couchdb.te b/couchdb.te
> index 171ea6d..9481c02 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -9,6 +9,10 @@ type couchdb_t;
> type couchdb_exec_t;
> init_daemon_domain(couchdb_t, couchdb_exec_t)
>
> +type couchdb_js_t;
> +type couchdb_js_exec_t;
> +init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)
> +
> type couchdb_initrc_exec_t;
> init_script_file(couchdb_initrc_exec_t)
>
> @@ -30,7 +34,7 @@ init_daemon_run_dir(couchdb_var_run_t, "couchdb")
>
> ########################################
> #
> -# Local policy
> +# couchdb policy
> #
>
> allow couchdb_t self:process { getsched setsched signal signull sigkill };
> @@ -88,3 +92,15 @@ fs_getattr_xattr_fs(couchdb_t)
> auth_use_nsswitch(couchdb_t)
>
> miscfiles_read_localization(couchdb_t)
> +
> +domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)

Moved this line up. Otherwise merged.

> +########################################
> +#
> +# couchdb_js policy
> +#
> +
> +allow couchdb_js_t self:process { execmem getsched setsched };
> +
> +files_read_usr_files(couchdb_js_t)
> +miscfiles_read_localization(couchdb_js_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 14:44:08

by cpebenito

Subject: [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> ---
> couchdb.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/couchdb.te b/couchdb.te
> index 9481c02..62f5db1 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -87,7 +87,12 @@ dev_read_urand(couchdb_t)
>
> files_read_usr_files(couchdb_t)
>
> +# disksup tries to monitor the local disks
> fs_getattr_xattr_fs(couchdb_t)
> +fs_dontaudit_getattr_all_fs(couchdb_t)
> +files_dontaudit_getattr_lost_found_dirs(couchdb_t)
> +files_dontaudit_list_var(couchdb_t)
> +files_dontaudit_search_all_mountpoints(couchdb_t)
>
> auth_use_nsswitch(couchdb_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 14:44:15

by cpebenito

Subject: [refpolicy] [PATCH 4/5] Reformat couchdb.fc

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> ---
> couchdb.fc | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/couchdb.fc b/couchdb.fc
> index 3fd740b..933d686 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -1,14 +1,10 @@
> -/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
> -
> +/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
> /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>
> +/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
> /usr/lib/couchdb/bin/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
>
> -/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
> -
> -/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> -
> -/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
> -
> -/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
> +/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> +/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
> +/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com