From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Sat, 8 Feb 2014 09:43:49 -0500 Subject: [refpolicy] [PATCH 1/5] Minor updates to couchdb policy In-Reply-To: <1391254720-25899-1-git-send-email-aranea@aixah.de> References: <1391254609-25712-1-git-send-email-aranea@aixah.de> <1391254720-25899-1-git-send-email-aranea@aixah.de> Message-ID: <52F642A5.2090009@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 2/1/2014 6:38 AM, Luis Ressel wrote: > --- > couchdb.fc | 2 ++ > couchdb.te | 4 +++- > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/couchdb.fc b/couchdb.fc > index c086302..7b63699 100644 > --- a/couchdb.fc > +++ b/couchdb.fc > @@ -2,6 +2,8 @@ > > /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) > > +/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0) I moved this to corecommands. Otherwise merged. > /usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0) > > /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) > diff --git a/couchdb.te b/couchdb.te > index ae1c1b1..171ea6d 100644 > --- a/couchdb.te > +++ b/couchdb.te > @@ -26,13 +26,14 @@ files_type(couchdb_var_lib_t) > > type couchdb_var_run_t; > files_pid_file(couchdb_var_run_t) > +init_daemon_run_dir(couchdb_var_run_t, "couchdb") > > ######################################## > # > # Local policy > # > > -allow couchdb_t self:process { setsched signal signull sigkill }; > +allow couchdb_t self:process { getsched setsched signal signull sigkill }; > allow couchdb_t self:fifo_file rw_fifo_file_perms; > allow couchdb_t self:unix_stream_socket create_stream_socket_perms; > allow couchdb_t self:tcp_socket { accept listen }; 
> @@ -70,6 +71,7 @@ corenet_all_recvfrom_netlabel(couchdb_t) > corenet_tcp_sendrecv_generic_if(couchdb_t) > corenet_tcp_sendrecv_generic_node(couchdb_t) > corenet_tcp_bind_generic_node(couchdb_t) > +corenet_udp_bind_generic_node(couchdb_t) > > corenet_sendrecv_couchdb_server_packets(couchdb_t) > corenet_tcp_bind_couchdb_port(couchdb_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
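Review bot: In the couchdb.fc hunk, the new couchspawnkillable entry assigns bin_t, a type owned by the corecommands module rather than by couchdb, so the label belongs in corecommands.fc (as the reply notes it was moved); keeping a foreign type out of a module's .fc avoids a dependency on another module's type declaration and keeps bin_t paths in one place. The `couch-[0-9.]+` component also matches any versioned directory, which is the intended effect for upgrades but is worth stating in the commit message since the rest of the file uses fixed paths.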
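Review bot: The first couchdb.te hunk has no commit message explaining why `getsched` was added to the `self:process` rule or what created the need for `init_daemon_run_dir(couchdb_var_run_t, "couchdb")`; a patch that widens a domain's self permissions should cite the denial or the daemon behaviour behind it (e.g. "couchdb queries its own scheduling policy at startup" or the relevant AVC) so a later reader can judge whether the permission is still needed. `getsched` is low-risk, but the justification should still be recorded in the message above the `---` line.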
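Review bot: In the second couchdb.te hunk, `corenet_udp_bind_generic_node(couchdb_t)` covers only the node half of a UDP bind; the TCP side in the surrounding context pairs `corenet_tcp_bind_generic_node(couchdb_t)` with `corenet_tcp_bind_couchdb_port(couchdb_t)`, and nothing in this diff shows the matching UDP port interface or a `self:udp_socket` rule for couchdb_t. Either the remaining UDP rules already exist elsewhere in couchdb.te and the commit message should say which port couchdb binds over UDP, or the bind will still be denied on the port and the hunk is incomplete; in both cases, naming the specific port interface is preferable to leaving the reader to infer it.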