Greetings,

I added a cgit package to Fedora yesterday. It's only in rawhide at
the moment. cgit is a cgi used to provide a web interface for viewing
git repositories (similar to gitweb¹).

Is the preferred method to add policy to the selinux-policy package or
are package policy modules the way to go? I thought the former was
preferred, but I can't find anything on the wiki other than
http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
like it might have been a stalled attempt.

The cgit requirements are fairly minimal, AFAICT. It needs:

* write access to its cache dir, /var/cache/cgit
* read access to git repositories, which default to /var/lib/git,
  but are likely to be changed by admins (/srv/git is one popular
  choice). For the moment, I created a README.SELinux file in the
  package that details how to set generic contexts to allow the
  package to work².

That README suggests httpd_sys_content_rw_t for the cache and
httpd_sys_content_t (or public_content_t) for the git repos. It's
quite likely that we'd want a more specific type for the cache dir
especially.

Additionally, the cgi itself needs to be httpd_sys_script_exec_t,
which happens automagically by virtue of installing it in
/var/www/cgi-bin/cgit.

Any help or suggestions would be most welcome. I'd like to get these
things worked out before I build the package for F-9, F-10, and EL-5.
If crafting a policy requires moving anything around, I'd like to do
that before many users install the package and modify their configs.

¹ gitweb has some SELinux issues on F-10 itself, I filed this as
  https://bugzilla.redhat.com/479613 the other day.
² http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
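
The generic labelling described in the message, as an added example that is not part of the original post or the package's README.SELinux: a dry-run script that prints the semanage/restorecon commands for the cache and repository directories, including a relocated repository path such as /srv/git. The function names and the APPLY switch are assumptions of this sketch; the types and default paths are the ones named in the message.

```shell
#!/bin/sh
# Added example. Types and default paths come from the post above;
# label_cmds, cgit_label_cmds and APPLY are hypothetical names.

# Print the commands that persistently label one directory tree.
label_cmds() {
    dir=$1; ctx=$2
    case $dir in
        /*) ;;
        *) echo "error: '$dir' is not an absolute path" >&2; return 1 ;;
    esac
    # The path ends up inside a regex and a shell command: keep it plain.
    case $dir in
        *[!A-Za-z0-9/_-]*)
            echo "error: '$dir' needs manual regex escaping" >&2; return 1 ;;
    esac
    dir=${dir%/}    # '/srv/git/' and '/srv/git' give the same rule
    [ -n "$dir" ] || { echo "error: refusing to relabel /" >&2; return 1; }
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$ctx" "$dir"
    printf "restorecon -R -v '%s'\n" "$dir"
}

# Usage: cgit_label_cmds [CACHE_DIR] [REPO_DIR] [REPO_TYPE]
cgit_label_cmds() {
    cache=${1:-/var/cache/cgit}
    repos=${2:-/var/lib/git}
    repo_type=${3:-httpd_sys_content_t}
    # Only the two read-only types the post suggests are accepted for repos.
    case $repo_type in
        httpd_sys_content_t|public_content_t) ;;
        *) echo "error: unexpected repo type '$repo_type'" >&2; return 1 ;;
    esac
    label_cmds "$cache" httpd_sys_content_rw_t || return 1
    label_cmds "$repos" "$repo_type" || return 1
}

# Validate everything first, then print; APPLY=1 (as root) executes instead.
cmds=$(cgit_label_cmds "$@") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$cmds" | sh -e
else
    printf '%s\n' "$cmds"
fi
```

After applying, `ls -Zd` on both directories shows whether the new types took effect.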