Bug 1163533 - [PATCH] Fixes for couchdb selinux-policy
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Blocks: 1096274
Reported: 2014-11-13 00:36 UTC by Warren Togami
Modified: 2014-12-30 03:51 UTC (History)

Fixed In Version: selinux-policy-3.12.1-196.fc20
Last Closed: 2014-12-07 04:31:55 UTC
Type: Bug

Description Warren Togami 2014-11-13 00:36:15 UTC
https://github.com/selinux-policy/selinux-policy/pull/6
Please add this to both Fedora and RHEL7 selinux-policy.

# systemctl start couchdb.service

type=AVC msg=audit(1415836773.817:579): avc:  denied  { search } for  pid=16934 comm="df" name="nfs" dev="dm-1" ino=4458965 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1415836773.817:580): avc:  denied  { getattr } for  pid=16934 comm="df" path="/home/warren" dev="dm-3" ino=2 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1415836773.817:581): avc:  denied  { getattr } for  pid=16934 comm="df" path="/home/warren" dev="dm-3" ino=2 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

### Reproduce Procedure
# yum install couchdb nodejs npm jq wget -y
# useradd test
# su - test
### install bitcoind
# mkdir bin
# cd bin
# wget https://bitcoin.org/bin/0.9.2.1/bitcoin-0.9.2.1-linux.tar.gz
# tar xfv bitcoin-0.9.2.1-linux.tar.gz
# ln -sf bitcoin-0.9.2.1-linux/bin/64/bitcoind
# cd ~
### install baron
# git clone https://github.com/slickage/baron.git
# cd baron
# npm install
# echo "BARONDIR=$(pwd)" > tests/barontester/barontester.conf
# cd tests/barontester/
# ./barontester.sh

type=AVC msg=audit(1415836839.090:584): avc:  denied  { execmem } for  pid=18668 comm="couchjs" scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:system_r:couchdb_t:s0 tclass=process permissive=0
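
Added example, not part of the original report or of the selinux-policy project: a small Python parser that groups the AVC denials quoted in the description by source type, target type and class, and renders each group in allow-rule syntax for review. The function names are hypothetical; the sample records are the four lines from the description.

```python
import re
from collections import defaultdict

# AVC records copied verbatim from the bug description above.
SAMPLE = """\
type=AVC msg=audit(1415836773.817:579): avc:  denied  { search } for  pid=16934 comm="df" name="nfs" dev="dm-1" ino=4458965 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1415836773.817:580): avc:  denied  { getattr } for  pid=16934 comm="df" path="/home/warren" dev="dm-3" ino=2 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1415836773.817:581): avc:  denied  { getattr } for  pid=16934 comm="df" path="/home/warren" dev="dm-3" ino=2 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1415836839.090:584): avc:  denied  { execmem } for  pid=18668 comm="couchjs" scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:system_r:couchdb_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level, so the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
    return dict(groups)

def as_rules(groups):
    """Render each group in allow-rule syntax so it can be reviewed."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        target = "self" if src == tgt else tgt
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        comms = ",".join(sorted(g["comms"]))
        rules.append(f"allow {src} {target}:{cls} {body};  # comm={comms} x{g['count']}")
    return rules

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The output is a review aid only: whether a denial such as execmem for couchjs should become an allow rule, a dontaudit rule, or neither is a policy decision the script does not make.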

Comment 1 Lukas Vrabec 2014-11-13 11:52:46 UTC
Thank you for the pull request.

I asked some questions in the pull request on GitHub which must be answered for it to be added to the Fedora selinux-policy package.

Comment 2 Lukas Vrabec 2014-12-01 12:05:26 UTC
Patch added.

Comment 3 Fedora Update System 2014-12-03 12:50:15 UTC
selinux-policy-3.12.1-196.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-196.fc20

Comment 4 Fedora Update System 2014-12-04 06:21:32 UTC
Package selinux-policy-3.12.1-196.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-196.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16229/selinux-policy-3.12.1-196.fc20
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-12-07 04:31:55 UTC
selinux-policy-3.12.1-196.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Warren Togami 2014-12-30 03:51:47 UTC
See Bug #1177716 for a remaining issue that prevents couchdb from starting on Fedora 21.

