[refpolicy] Couchdb policy updates

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] Couchdb policy updates
@ 2014-02-01 11:36 Luis Ressel
  2014-02-01 11:36 ` [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface Luis Ressel
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
  0 siblings, 2 replies; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:36 UTC (permalink / raw)
  To: refpolicy

The following patch series supersedes my previous patch proposal for the couchdb
policy. The first patch is for refpolicy.git, the others are for
refpolicy-contrib.git


--
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC  E53D 08F5 7F90 3029 B5BD

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface
  2014-02-01 11:36 [refpolicy] Couchdb policy updates Luis Ressel
@ 2014-02-01 11:36 ` Luis Ressel
  2014-02-08 14:43   ` Christopher J. PeBenito
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
  1 sibling, 1 reply; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:36 UTC (permalink / raw)
  To: refpolicy

This is required for an update of the couchdb policy.
---
 policy/modules/kernel/files.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 566314f..692db45 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5181,6 +5181,25 @@ interface(`files_list_var',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list
+##	the contents of /var.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	dontaudit $1 var_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface
  2014-02-01 11:36 ` [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface Luis Ressel
@ 2014-02-08 14:43   ` Christopher J. PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 14:43 UTC (permalink / raw)
  To: refpolicy

On 2/1/2014 6:36 AM, Luis Ressel wrote:
> This is required for an update of the couchdb policy.
> ---
>  policy/modules/kernel/files.if | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 566314f..692db45 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -5181,6 +5181,25 @@ interface(`files_list_var',`
>  
>  ########################################
>  ## <summary>
> +##	Do not audit attempts to list
> +##	the contents of /var.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_dontaudit_list_var',`
> +	gen_require(`
> +		type var_t;
> +	')
> +
> +	dontaudit $1 var_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete directories
>  ##	in the /var directory.
>  ## </summary>
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 1/5] Minor updates to couchdb policy
  2014-02-01 11:36 [refpolicy] Couchdb policy updates Luis Ressel
  2014-02-01 11:36 ` [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface Luis Ressel
@ 2014-02-01 11:38 ` Luis Ressel
  2014-02-01 11:38   ` [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs Luis Ressel
                     ` (4 more replies)
  1 sibling, 5 replies; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:38 UTC (permalink / raw)
  To: refpolicy

---
 couchdb.fc | 2 ++
 couchdb.te | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/couchdb.fc b/couchdb.fc
index c086302..7b63699 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -2,6 +2,8 @@
 
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 
+/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)
+
 /usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
 
 /var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
diff --git a/couchdb.te b/couchdb.te
index ae1c1b1..171ea6d 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -26,13 +26,14 @@ files_type(couchdb_var_lib_t)
 
 type couchdb_var_run_t;
 files_pid_file(couchdb_var_run_t)
+init_daemon_run_dir(couchdb_var_run_t, "couchdb")
 
 ########################################
 #
 # Local policy
 #
 
-allow couchdb_t self:process { setsched signal signull sigkill };
+allow couchdb_t self:process { getsched setsched signal signull sigkill };
 allow couchdb_t self:fifo_file rw_fifo_file_perms;
 allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
 allow couchdb_t self:tcp_socket { accept listen };
@@ -70,6 +71,7 @@ corenet_all_recvfrom_netlabel(couchdb_t)
 corenet_tcp_sendrecv_generic_if(couchdb_t)
 corenet_tcp_sendrecv_generic_node(couchdb_t)
 corenet_tcp_bind_generic_node(couchdb_t)
+corenet_udp_bind_generic_node(couchdb_t)
 
 corenet_sendrecv_couchdb_server_packets(couchdb_t)
 corenet_tcp_bind_couchdb_port(couchdb_t)
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
@ 2014-02-01 11:38   ` Luis Ressel
  2014-02-08 14:44     ` Christopher J. PeBenito
  2014-02-01 11:38   ` [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup Luis Ressel
                     ` (3 subsequent siblings)
  4 siblings, 1 reply; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:38 UTC (permalink / raw)
  To: refpolicy

couchjs requires 'execmem', which isn't neccessary for the rest of
couchdb.
---
 couchdb.fc |  1 +
 couchdb.te | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/couchdb.fc b/couchdb.fc
index 7b63699..3fd740b 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -2,6 +2,7 @@
 
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 
+/usr/lib/couchdb/bin/couchjs	--	gen_context(system_u:object_r:couchdb_js_exec_t,s0)
 /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
diff --git a/couchdb.te b/couchdb.te
index 171ea6d..9481c02 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -9,6 +9,10 @@ type couchdb_t;
 type couchdb_exec_t;
 init_daemon_domain(couchdb_t, couchdb_exec_t)
 
+type couchdb_js_t;
+type couchdb_js_exec_t;
+init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)
+
 type couchdb_initrc_exec_t;
 init_script_file(couchdb_initrc_exec_t)
 
@@ -30,7 +34,7 @@ init_daemon_run_dir(couchdb_var_run_t, "couchdb")
 
 ########################################
 #
-# Local policy
+# couchdb policy
 #
 
 allow couchdb_t self:process { getsched setsched signal signull sigkill };
@@ -88,3 +92,15 @@ fs_getattr_xattr_fs(couchdb_t)
 auth_use_nsswitch(couchdb_t)
 
 miscfiles_read_localization(couchdb_t)
+
+domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)
+
+########################################
+#
+# couchdb_js policy
+#
+
+allow couchdb_js_t self:process { execmem getsched setsched };
+
+files_read_usr_files(couchdb_js_t)
+miscfiles_read_localization(couchdb_js_t)
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs
  2014-02-01 11:38   ` [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs Luis Ressel
@ 2014-02-08 14:44     ` Christopher J. PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 14:44 UTC (permalink / raw)
  To: refpolicy

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> couchjs requires 'execmem', which isn't neccessary for the rest of
> couchdb.
> ---
>  couchdb.fc |  1 +
>  couchdb.te | 18 +++++++++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/couchdb.fc b/couchdb.fc
> index 7b63699..3fd740b 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -2,6 +2,7 @@
>  
>  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>  
> +/usr/lib/couchdb/bin/couchjs	--	gen_context(system_u:object_r:couchdb_js_exec_t,s0)
>  /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)
>  
>  /usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
> diff --git a/couchdb.te b/couchdb.te
> index 171ea6d..9481c02 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -9,6 +9,10 @@ type couchdb_t;
>  type couchdb_exec_t;
>  init_daemon_domain(couchdb_t, couchdb_exec_t)
>  
> +type couchdb_js_t;
> +type couchdb_js_exec_t;
> +init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)
> +
>  type couchdb_initrc_exec_t;
>  init_script_file(couchdb_initrc_exec_t)
>  
> @@ -30,7 +34,7 @@ init_daemon_run_dir(couchdb_var_run_t, "couchdb")
>  
>  ########################################
>  #
> -# Local policy
> +# couchdb policy
>  #
>  
>  allow couchdb_t self:process { getsched setsched signal signull sigkill };
> @@ -88,3 +92,15 @@ fs_getattr_xattr_fs(couchdb_t)
>  auth_use_nsswitch(couchdb_t)
>  
>  miscfiles_read_localization(couchdb_t)
> +
> +domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)

Moved this line up.  Otherwise merged.

> +########################################
> +#
> +# couchdb_js policy
> +#
> +
> +allow couchdb_js_t self:process { execmem getsched setsched };
> +
> +files_read_usr_files(couchdb_js_t)
> +miscfiles_read_localization(couchdb_js_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
  2014-02-01 11:38   ` [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs Luis Ressel
@ 2014-02-01 11:38   ` Luis Ressel
  2014-02-08 14:44     ` Christopher J. PeBenito
  2014-02-01 11:38   ` [refpolicy] [PATCH 4/5] Reformat couchdb.fc Luis Ressel
                     ` (2 subsequent siblings)
  4 siblings, 1 reply; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:38 UTC (permalink / raw)
  To: refpolicy

---
 couchdb.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/couchdb.te b/couchdb.te
index 9481c02..62f5db1 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -87,7 +87,12 @@ dev_read_urand(couchdb_t)
 
 files_read_usr_files(couchdb_t)
 
+# disksup tries to monitor the local disks
 fs_getattr_xattr_fs(couchdb_t)
+fs_dontaudit_getattr_all_fs(couchdb_t)
+files_dontaudit_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+files_dontaudit_search_all_mountpoints(couchdb_t)
 
 auth_use_nsswitch(couchdb_t)
 
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup
  2014-02-01 11:38   ` [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup Luis Ressel
@ 2014-02-08 14:44     ` Christopher J. PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 14:44 UTC (permalink / raw)
  To: refpolicy

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> ---
>  couchdb.te | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/couchdb.te b/couchdb.te
> index 9481c02..62f5db1 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -87,7 +87,12 @@ dev_read_urand(couchdb_t)
>  
>  files_read_usr_files(couchdb_t)
>  
> +# disksup tries to monitor the local disks
>  fs_getattr_xattr_fs(couchdb_t)
> +fs_dontaudit_getattr_all_fs(couchdb_t)
> +files_dontaudit_getattr_lost_found_dirs(couchdb_t)
> +files_dontaudit_list_var(couchdb_t)
> +files_dontaudit_search_all_mountpoints(couchdb_t)
>  
>  auth_use_nsswitch(couchdb_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 4/5] Reformat couchdb.fc
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
  2014-02-01 11:38   ` [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs Luis Ressel
  2014-02-01 11:38   ` [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup Luis Ressel
@ 2014-02-01 11:38   ` Luis Ressel
  2014-02-08 14:44     ` Christopher J. PeBenito
  2014-02-01 11:38   ` [refpolicy] [PATCH 5/5] couchdb: Module version bump Luis Ressel
  2014-02-08 14:43   ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Christopher J. PeBenito
  4 siblings, 1 reply; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:38 UTC (permalink / raw)
  To: refpolicy

---
 couchdb.fc | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/couchdb.fc b/couchdb.fc
index 3fd740b..933d686 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,14 +1,10 @@
-/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
-
+/etc/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_conf_t,s0)
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 
+/usr/bin/couchdb		--	gen_context(system_u:object_r:couchdb_exec_t,s0)
 /usr/lib/couchdb/bin/couchjs	--	gen_context(system_u:object_r:couchdb_js_exec_t,s0)
 /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
-
-/var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
-
-/var/log/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_log_t,s0)
-
-/var/run/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_run_t,s0)
+/var/lib/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_var_lib_t,s0)
+/var/log/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_log_t,s0)
+/var/run/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_var_run_t,s0)
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 4/5] Reformat couchdb.fc
  2014-02-01 11:38   ` [refpolicy] [PATCH 4/5] Reformat couchdb.fc Luis Ressel
@ 2014-02-08 14:44     ` Christopher J. PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 14:44 UTC (permalink / raw)
  To: refpolicy

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> ---
>  couchdb.fc | 14 +++++---------
>  1 file changed, 5 insertions(+), 9 deletions(-)
> 
> diff --git a/couchdb.fc b/couchdb.fc
> index 3fd740b..933d686 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -1,14 +1,10 @@
> -/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
> -
> +/etc/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_conf_t,s0)
>  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>  
> +/usr/bin/couchdb		--	gen_context(system_u:object_r:couchdb_exec_t,s0)
>  /usr/lib/couchdb/bin/couchjs	--	gen_context(system_u:object_r:couchdb_js_exec_t,s0)
>  /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)
>  
> -/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
> -
> -/var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> -
> -/var/log/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_log_t,s0)
> -
> -/var/run/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_run_t,s0)
> +/var/lib/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> +/var/log/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_log_t,s0)
> +/var/run/couchdb(/.*)?			gen_context(system_u:object_r:couchdb_var_run_t,s0)
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 5/5] couchdb: Module version bump
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
                     ` (2 preceding siblings ...)
  2014-02-01 11:38   ` [refpolicy] [PATCH 4/5] Reformat couchdb.fc Luis Ressel
@ 2014-02-01 11:38   ` Luis Ressel
  2014-02-08 14:43   ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Christopher J. PeBenito
  4 siblings, 0 replies; 12+ messages in thread
From: Luis Ressel @ 2014-02-01 11:38 UTC (permalink / raw)
  To: refpolicy

---
 couchdb.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/couchdb.te b/couchdb.te
index 62f5db1..f854c93 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.1.1)
+policy_module(couchdb, 1.1.2)
 
 ########################################
 #
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [refpolicy] [PATCH 1/5] Minor updates to couchdb policy
  2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
                     ` (3 preceding siblings ...)
  2014-02-01 11:38   ` [refpolicy] [PATCH 5/5] couchdb: Module version bump Luis Ressel
@ 2014-02-08 14:43   ` Christopher J. PeBenito
  4 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 14:43 UTC (permalink / raw)
  To: refpolicy

On 2/1/2014 6:38 AM, Luis Ressel wrote:
> ---
>  couchdb.fc | 2 ++
>  couchdb.te | 4 +++-
>  2 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/couchdb.fc b/couchdb.fc
> index c086302..7b63699 100644
> --- a/couchdb.fc
> +++ b/couchdb.fc
> @@ -2,6 +2,8 @@
>  
>  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
>  
> +/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable	--	gen_context(system_u:object_r:bin_t,s0)

I moved this to corecommands.  Otherwise merged.

>  /usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
>  
>  /var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
> diff --git a/couchdb.te b/couchdb.te
> index ae1c1b1..171ea6d 100644
> --- a/couchdb.te
> +++ b/couchdb.te
> @@ -26,13 +26,14 @@ files_type(couchdb_var_lib_t)
>  
>  type couchdb_var_run_t;
>  files_pid_file(couchdb_var_run_t)
> +init_daemon_run_dir(couchdb_var_run_t, "couchdb")
>  
>  ########################################
>  #
>  # Local policy
>  #
>  
> -allow couchdb_t self:process { setsched signal signull sigkill };
> +allow couchdb_t self:process { getsched setsched signal signull sigkill };
>  allow couchdb_t self:fifo_file rw_fifo_file_perms;
>  allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
>  allow couchdb_t self:tcp_socket { accept listen };
> @@ -70,6 +71,7 @@ corenet_all_recvfrom_netlabel(couchdb_t)
>  corenet_tcp_sendrecv_generic_if(couchdb_t)
>  corenet_tcp_sendrecv_generic_node(couchdb_t)
>  corenet_tcp_bind_generic_node(couchdb_t)
> +corenet_udp_bind_generic_node(couchdb_t)
>  
>  corenet_sendrecv_couchdb_server_packets(couchdb_t)
>  corenet_tcp_bind_couchdb_port(couchdb_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2014-02-08 14:44 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-01 11:36 [refpolicy] Couchdb policy updates Luis Ressel
2014-02-01 11:36 ` [refpolicy] [PATCH] kernel/files.if: Add files_dontaudit_list_var interface Luis Ressel
2014-02-08 14:43   ` Christopher J. PeBenito
2014-02-01 11:38 ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Luis Ressel
2014-02-01 11:38   ` [refpolicy] [PATCH 2/5] couchdb: Add separate domain for couchjs Luis Ressel
2014-02-08 14:44     ` Christopher J. PeBenito
2014-02-01 11:38   ` [refpolicy] [PATCH 3/5] couchdb: Dontaudit denials caused by Erlang's disksup Luis Ressel
2014-02-08 14:44     ` Christopher J. PeBenito
2014-02-01 11:38   ` [refpolicy] [PATCH 4/5] Reformat couchdb.fc Luis Ressel
2014-02-08 14:44     ` Christopher J. PeBenito
2014-02-01 11:38   ` [refpolicy] [PATCH 5/5] couchdb: Module version bump Luis Ressel
2014-02-08 14:43   ` [refpolicy] [PATCH 1/5] Minor updates to couchdb policy Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.