Gitweb and SELinux

Daniel J Walsh dwalsh at redhat.com
Fri Feb 5 21:02:27 UTC 2010


On 02/05/2010 12:30 PM, Dominick Grift wrote:
> On 02/05/2010 06:16 PM, Michael Cronenworth wrote:
>> Dominick Grift wrote:
>>> Alright well by default personal git repositories are expected in
>>> ~/public_git.
>>>
>>> That directory and its content is labelled git_personal_t in F12 (if i
>>> am correct).
>>>
>>> I would probably use that for personal git repositories and give your
>>> gitweb app access to git_personal_t instead of git_data_t (which is a
>>> type for system wide shared git repositories in /var/lib/git)
>>
>> Done. The default context seems to be
>> unconfined_u:object_r:httpd_user_content_t:s0, which makes more sense,
> 
> No, this does not make sense at all: httpd has zero relation to git
> content in user home. It looks like your policy has not been modified yet
> to reflect something sane for public_git (although in your case it
> happens to work out well since your gitweb script has access to it)
> 
>> but SELinux still complains about allowing access to my root home
>> directory (/home/michael) when I reset that back to default. I have the
> 
> This is a bug in my view.
> 
> httpd_enable_homedirs boolean should probably be modified to reflect this.
> 
> i.e. if httpd enable homedirs boolean is set to true, then all httpd
> domains should be able to access it.
> 
You want to allow apache cgi scripts to search home_root_t, user_home_dir_t, and user_home_t only.
No list, no read.
> 
>> boolean enabled to allow httpd access to home and user directories.
>>
>>>
>>> Can gitweb not be configured to point to the different personal
>>> repositories? Instead of using symlinks in /srv/git?
>>>
>>
>> Not that I know of, but I may be missing something. The 
>> gitweb_config.perl file only allows one $projectroot.
>>
>> Any more good ideas? :D
> 
> I have plenty of ideas but I don't know if they are any good. If it works,
> it works
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
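The two points in the thread, search-only traversal of the home hierarchy for the gitweb CGI and read access limited to repositories labelled git_personal_t, as an added example that is not from the thread or any of its participants. The type names (httpd_sys_script_t for the CGI, git_personal_t for ~/public_git as the thread names it for F12) are assumptions; confirm them on your release with `seinfo -t` before loading anything.

```shell
MODNAME=gitweb_homedir

# Emit raw module source (checkmodule syntax, no refpolicy m4 macros).
# Home directory types get 'search' only: no 'read' (directory listing)
# and nothing on the files inside, so the CGI can walk /home/<user>/public_git
# but cannot enumerate or read the rest of a home directory.
gitweb_homedir_te() {
cat <<EOF
module ${MODNAME} 1.0;

require {
    type httpd_sys_script_t;
    type home_root_t;
    type user_home_dir_t;
    type user_home_t;
    type git_personal_t;
    class dir { search getattr open read };
    class file { getattr open read };
}

# traversal only: search, never list or read
allow httpd_sys_script_t { home_root_t user_home_dir_t user_home_t }:dir search;

# the repositories themselves are what gitweb is meant to read
allow httpd_sys_script_t git_personal_t:dir { getattr open read search };
allow httpd_sys_script_t git_personal_t:file { getattr open read };
EOF
}

# Sanity check on the generated source: no rule on a home type grants
# anything beyond 'search'. Returns 0 when the module is traversal-only.
gitweb_homedir_is_search_only() {
    gitweb_homedir_te | grep -E '^allow .*(home_root_t|user_home_dir_t|user_home_t)' \
        | grep -Ev ':dir search;$' >/dev/null && return 1
    return 0
}

# Build, load, and relabel the personal repo dir; only where the toolchain exists.
gitweb_homedir_install() {
    command -v checkmodule >/dev/null || { echo "checkmodule not found" >&2; return 1; }
    gitweb_homedir_is_search_only || { echo "module grants more than search on home types" >&2; return 1; }
    gitweb_homedir_te > "${MODNAME}.te"
    checkmodule -M -m -o "${MODNAME}.mod" "${MODNAME}.te" &&
    semodule_package -o "${MODNAME}.pp" -m "${MODNAME}.mod" &&
    semodule -i "${MODNAME}.pp" &&
    restorecon -Rv "$HOME/public_git"   # apply the existing git_personal_t fcontext
}
```

After loading, any remaining AVC denial from httpd_sys_script_t on user_home_t should be a read or getattr, which is exactly what the module is meant to keep closed.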