Gitweb and SELinux
Michael Cronenworth
mike at cchtml.com
Wed Feb 10 17:04:49 UTC 2010
Dominick Grift wrote:
> No this does not make sense at all httpd has zero relation to git
> content in user home. It looks like your policy has not been modified yet
> to reflect something sane for public_git (although in your case it
> happens to work out well since your gitweb script has access to it)
I believe you mean that you want all git repos to have a context of
git_data_t (or similar) to finely tune git access, correct? I'm happy
enough allowing httpd access to my git repo only and using SSH access
for git repos, so for right now allowing httpd/perl with httpd contexts
is OK with me. I can see the need to strictly allow only git-daemon a
context of git_data_t, but there needs to be more fine tuning of the
policy to allow git_script_exec_t type contexts to access ~/public_git
directories.
> This is a bug in my view.
>
> httpd_enable_homedirs boolean should probably be modified to reflect this.
>
> i.e. if httpd enable homedirs boolean is set to true , then all httpd
> domains should be able to access it.
>
>
Yes, it appears to be a bug. I had to use httpd_sys_content_t on my
/srv/git links and assign httpd_sys_script_exec_t to gitweb.cgi. Now I
have a working git web, working SSH git access, and SELinux is still
enabled.
I don't know what to write up in a bug report though. Are ~/public_git
and /var/lib/git the only two known and respectable places that should
contain git repos?
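As an added example (not part of the thread or of any policy package), a POSIX shell snippet that prints the persistent semanage file-context rules for the workaround described above (httpd_sys_content_t on /srv/git, httpd_sys_script_exec_t on gitweb.cgi) and checks `ls -Z` style output against those expected types. The location of gitweb.cgi is an assumption.

```shell
#!/bin/sh
# Labels taken from the thread; the gitweb.cgi path is an assumption.
GIT_ROOT="/srv/git"
GITWEB_CGI="/var/www/git/gitweb.cgi"   # assumed location of the CGI

# Print the semanage rules that make the workaround survive a relabel.
# Printed rather than executed so the snippet runs on hosts without semanage.
print_fcontext_rules() {
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$GIT_ROOT"
    printf 'semanage fcontext -a -t httpd_sys_script_exec_t "%s"\n' "$GITWEB_CGI"
    printf 'restorecon -Rv %s %s\n' "$GIT_ROOT" "$GITWEB_CGI"
}

# expected_type PATH: the SELinux type a path should carry, or empty if
# the path is outside the two locations the workaround covers.
expected_type() {
    case "$1" in
        "$GITWEB_CGI") echo httpd_sys_script_exec_t ;;
        "$GIT_ROOT"|"$GIT_ROOT"/*) echo httpd_sys_content_t ;;
        *) echo "" ;;
    esac
}

# check_labels: reads "context path" lines (as printed by `ls -Z`) on stdin,
# prints one line per path whose type differs from the expected one,
# and returns 1 if any mismatch was found, 0 otherwise.
check_labels() {
    rc=0
    while read -r ctx path; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        have=${ctx#*:*:}     # user:role:type:level -> type:level
        have=${have%%:*}     # -> type
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path has $have, want $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input standing in for real `ls -Z` output.
sample_listing() {
    printf '%s\n' \
        'unconfined_u:object_r:httpd_sys_content_t:s0 /srv/git/project.git' \
        'unconfined_u:object_r:user_home_t:s0 /srv/git/other.git' \
        'system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/git/gitweb.cgi'
}

sample_listing | check_labels
```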