From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 31 Jan 2014 23:05:46 -0500
Subject: [refpolicy] [PATCH] Update couchdb policy
In-Reply-To: <1390691888-4173-1-git-send-email-aranea@aixah.de>
References: <1390691888-4173-1-git-send-email-aranea@aixah.de>
Message-ID: <52EC729A.7080001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 1/25/2014 6:18 PM, Luis Ressel wrote:
> * Add separate db for couchjs, as it needs execmem
> * Add several dontaudits to hide noise caused by Erlang's disksup
> ---
>  couchdb.fc | 16 +++++++---------
>  couchdb.te | 26 ++++++++++++++++++++++++--
>  2 files changed, 31 insertions(+), 11 deletions(-)
> 
> diff --git a/couchdb.fc b/couchdb.fc
> index c086302..5c1388a 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -1,11 +1,9 @@
> -/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
> +/etc/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_conf_t,s0)
>  
> -/etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
> +/usr/bin/couchdb		--	gen_context(system_u:object_r:couchdb_exec_t,s0)
> +/usr/lib/couchdb/bin/couchjs	--	gen_context(system_u:object_r:couchdb_js_exec_t,s0)
> +/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)
>  
> -/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
> -
> -/var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> -
> -/var/log/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_log_t,s0)
> -
> -/var/run/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_run_t,s0)
> +/var/lib/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> +/var/log/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_log_t,s0)
> +/var/run/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_var_run_t,s0)

Typically, its preferred that whitespace fixes be sent in separate patches.

> diff --git a/couchdb.te b/couchdb.te
> index ae1c1b1..1bf163e 100644
> --- a/couchdb.te
> +++ b/couchdb.te

> @@ -81,8 +86,25 @@ dev_read_urand(couchdb_t)
>  
>  files_read_usr_files(couchdb_t)
>  
> +# disksup tries to monitor the local disks
>  fs_getattr_xattr_fs(couchdb_t)
> +fs_dontaudit_getattr_all_fs(couchdb_t)
> +files_dontaudit_search_all_mountpoints(couchdb_t)
> +files_dontaudit_getattr_lost_found_dirs(couchdb_t)
> +dontaudit couchdb_t var_t:dir list_dir_perms;

This last rule needs to use an interface instead.
  
>  auth_use_nsswitch(couchdb_t)
>  
>  miscfiles_read_localization(couchdb_t)
> +
> +domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)
> +
> +########################################
> +#
> +# couchdb_js policy
> +#
> +
> +allow couchdb_js_t self:process { execmem getsched setsched };
> +
> +files_read_usr_files(couchdb_js_t)
> +miscfiles_read_localization(couchdb_js_t)
 
Is this a complete set of rules for this domain?  This doesn't look like it can really do anything, since it doesn't have any output.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com