From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Sat, 8 Feb 2014 09:44:01 -0500
Subject: [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs
In-Reply-To: <1391254720-25899-2-git-send-email-aranea@aixah.de>
References: <1391254609-25712-1-git-send-email-aranea@aixah.de> <1391254720-25899-1-git-send-email-aranea@aixah.de> <1391254720-25899-2-git-send-email-aranea@aixah.de>
Message-ID: <52F642B1.7040001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> couchjs requires 'execmem', which isn't necessary for the rest of
> couchdb.
> ---
>  couchdb.fc |  1 +
>  couchdb.te | 18 +++++++++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/couchdb.fc b/couchdb.fc
> index 7b63699..3fd740b 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -2,6 +2,7 @@
>
>  /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>
> +/usr/lib/couchdb/bin/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
>  /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
>
>  /usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
> diff --git a/couchdb.te b/couchdb.te
> index 171ea6d..9481c02 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -9,6 +9,10 @@ type couchdb_t;
>  type couchdb_exec_t;
>  init_daemon_domain(couchdb_t, couchdb_exec_t)
>
> +type couchdb_js_t;
> +type couchdb_js_exec_t;
> +init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)
> +
>  type couchdb_initrc_exec_t;
>  init_script_file(couchdb_initrc_exec_t)
>
> @@ -30,7 +34,7 @@ init_daemon_run_dir(couchdb_var_run_t, "couchdb")
>
>  ########################################
>  #
> -# Local policy
> +# couchdb policy
>  #
>
>  allow couchdb_t self:process { getsched setsched signal signull sigkill };
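Review bot: init_daemon_domain() is broader than couchjs needs in the couchdb.te hunk at @@ -9,6 +9,10 @@. The only path into couchdb_js_t elsewhere in this patch is domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t), so couchjs is spawned by the running couchdb daemon rather than started by init, yet init_daemon_domain() also sets up an init transition and the daemon-wide permissions that come with it. Unless couchjs is also launched directly from the init script, the narrower declaration is `domain_type(couchdb_js_t)`, `domain_entry_file(couchdb_js_t, couchdb_js_exec_t)` and `role system_r types couchdb_js_t;`.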
> @@ -88,3 +92,15 @@ fs_getattr_xattr_fs(couchdb_t)
>  auth_use_nsswitch(couchdb_t)
>
>  miscfiles_read_localization(couchdb_t)
> +
> +domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)

Moved this line up. Otherwise merged.

> +########################################
> +#
> +# couchdb_js policy
> +#
> +
> +allow couchdb_js_t self:process { execmem getsched setsched };
> +
> +files_read_usr_files(couchdb_js_t)
> +miscfiles_read_localization(couchdb_js_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
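Review bot: nothing in the @@ -88,3 +92,15 @@ hunk lets couchdb_t signal the couchdb_js_t child it spawns. domtrans_pattern() covers the transition itself, fd use, fifo_file access and the child's sigchld back to the parent, but the couchspawnkillable wrapper this patch labels bin_t (and which therefore keeps running in couchdb_t) exists so the daemon can kill the spawned process, and the existing `allow couchdb_t self:process { getsched setsched signal signull sigkill };` rule stops covering that once couchjs lives in its own domain. Suggest adding `allow couchdb_t couchdb_js_t:process { signal sigkill };` beside the domtrans_pattern line, or stating in the commit message that view-server shutdown was exercised in enforcing mode without it.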