From: Marcos Ortiz
Date: Thu, 08 Mar 2012 21:23:23 -0500
To: Lauren Dahlin
CC: selinux@lists.fedoraproject.org, user@couchdb.apache.org, domg472@gmail.com
Subject: CouchDB with SELinux

Regards,

Lauren, you can see here Dominick Grift explaining how to make all this work.

Best wishes

On 06/29/2011 12:58 PM, Dominick Grift wrote:
> On Thu, 2011-06-30 at 00:20 +0800, Michael Milverton wrote:
>> Hi,
>>
>> I'm in the process of writing a policy for couchdb (nosql database). I'm
>> using the selinux-polgengui and eclipse slide tools to help. I've hit a road
>> block because it won't start but I'm not getting any more AVC's. I'm
>> wondering if anybody might be able to offer some clue about getting more
>> AVC's from it because if it won't talk to me I can't get much further.
> Hi,
>
> Could you try the policy template enclosed and provide any avc denials
> that you will be seeing when it is tested?
>
> steps to test:
>
> 1. put the couchdb.{te,fc} files in a project directory for example
> ~/couchdb
>
> 2. change to this project directory for example cd ~/couchdb
>
> 3. try to build the policy: make -f /usr/share/selinux/devel/Makefile
> couchdb.pp
>
> 4. if it builds, try to install the binary representation of the policy
> module: sudo semodule -i couchdb.pp
>
> 5. restore the context of each path specified in the file context
> specification file. for example:
>
> restorecon -R -v /etc/couchdb
> restorecon -R -v /etc/rc.d/init.d/couchdb
> restorecon -R -v /var/lib/couchdb
> restorecon -R -v /var/log/couchdb
> restorecon -R -v /var/run/couchdb
> restorecon -R -v /etc/sysconfig/couchdb
> restorecon -R -v /usr/bin/couchdb
>
> 5. for testing purposes set selinux to permissive mode if possible:
> setenforce 0
>
> 6. unload any rules that silently deny access (note this will cause much
> logging and may upset setroubleshoot if you have it running):
>
> semodule -DB
>
> 7. make a note of the current system time: date
>
> 8. start the couchdb service (service couchdb start)
>
> 9. collect all the avc denials that occurred since you have noted the
> current system time: example: ausearch -m avc -ts 18:52
>
> enclose the full list of avc denials.
>
> Attachments:
>
> couchdb.fc
> http://pastebin.com/3QP4ecFP
>
> couchdb.te
> http://pastebin.com/VtxP7YnN
>
>
>

-- 
Marcos Luis Ortíz Valmaseda
Sr. Software Engineer (UCI)
http://marcosluis2186.posterous.com
http://postgresql.uci.cu/blog/38

End the injustice, FREEDOM NOW FOR OUR FIVE COMPATRIOTS WHO ARE UNJUSTLY HELD IN US PRISONS!
http://www.antiterroristas.cu
http://justiciaparaloscinco.wordpress.com
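An added example, not part of the original message or of the attached policy: a small shell/awk filter for step 9 that groups the collected AVC denials by source domain, target type and class so they can be reviewed before any rule is written. The domain name `couchdb_t` is an assumption (the contents of couchdb.te are not shown in the message), and the audit lines are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `ausearch -m avc -ts <time>` output (not real logs).
sample_avc() {
cat <<'EOF'
----
time->Wed Jun 29 18:53:01 2011
type=SYSCALL msg=audit(1309367001.101:801): arch=c000003e syscall=2 success=no exit=-13 comm="beam" subj=system_u:system_r:couchdb_t:s0
type=AVC msg=audit(1309367001.101:801): avc:  denied  { read } for  pid=2211 comm="beam" name="local.ini" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309367001.102:802): avc:  denied  { read open } for  pid=2211 comm="beam" name="local.ini" dev=dm-0 ino=1311 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309367002.300:803): avc:  denied  { name_bind } for  pid=2211 comm="beam" src=5984 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1309367002.410:804): avc:  denied  { write } for  pid=2211 comm="beam" name="couch.log" dev=dm-0 ino=2290 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1309367003.000:805): avc:  denied  { search } for  pid=900 comm="httpd" name="couchdb" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
EOF
}

# summarize_avc DOMAIN: read ausearch output on stdin and print one candidate
# rule per (source type, target type, class) for DOMAIN, with merged
# permissions and a denial count. Output is for review, not for blind loading.
summarize_avc() {
  awk -v dom="$1" '
    /avc: +denied/ {
      src = tgt = cls = perms = ""
      # permissions are the words between the braces
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      for (i = 1; i <= NF; i++) {
        # a context is user:role:type:level, so the type is the third field
        if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      if (src != dom || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      count[key]++
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; list[key] = list[key] " " p[j] }
    }
    END { for (k in count) printf "allow %s {%s }; # denials: %d\n", k, list[k], count[k] }
  ' | sort
}

sample_avc | summarize_avc couchdb_t
```

On a real system the input would be `ausearch -m avc -ts <time> | summarize_avc <domain>`; a denial against a generic type such as `var_log_t` usually means the restorecon step has not labelled that path yet, not that a new rule is needed.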