Daniel J Walsh wrote:
> Sorry about this, I seem to have lost this email.
No worries. :)
Indeed it will. Thank you.
> I would combine gitweb and cgit into the same policy since there is
> really very little difference between the two, it really does not matter
> what you call them, unless one is readonly?
Well, only cgit needs write access to /var/cache/cgit. I don't know
where, or if, gitweb writes any temp files. If it does, I don't see
the policy you attached denying them.
> I have added git policy to the base package for rawhide.
> selinux-policy-3.6.5-2.fc11
> If you could install this policy out with gitweb and cgit, that would be
> helpful.
> I made the httpd_git_script_t permissive and have added file context for
> gitweb as well as cgit.
Is there a corresponding strict mode? For this:
permissive httpd_git_script_t;
If so, I could test it that way and maybe tighten up the policy
further.
> Extract the tgz file.
> execute
> make -f /usr/share/selinux/devel/Makefile
> semodule -i git.pp
> restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit
> /var/www/git/gitweb.cgi /var/lib/git
> Run git and cgit.
> Use
> audit2allow -R >> git.te
> to add new rules
> make -f /usr/share/selinux/devel/Makefile
> semodule -i git.pp
> Test again, to make sure there are no avc's.
> Then if you send me the new policy and the audit.log, I can update
> fedora policy.
Done. There weren't many additional AVCs in my testing (which I'm
sure could miss some odd use case that someone else will find).
Attached is an updated git.te and the raw audit messages (broken down
by which tool caused the AVC).
Is the search on var_lib_t something that we would want to limit? I
don't think cgit, git-daemon, or gitweb should need more than
/var/lib/git (and /var/cache/cgit in cgit's case). It _seemed_ that
they ran fine even when this was denied, but perhaps I just didn't
notice some subtle breakage.
Thanks for all the help.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
He may look like an idiot and talk like an idiot but don't let that
fool you. He really is an idiot.
-- Groucho Marx
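The loop Dan describes (run the tools, collect AVCs, feed them to audit2allow, rebuild) works best if the denials are first sorted by which tool caused them and checked for overly broad target types, which is exactly the question Todd raises about search on var_lib_t. The following shell snippet is an added example, not code from the thread or from the Fedora policy: it parses raw audit lines of the kind Todd attached, summarises them per comm, and flags denials whose target is a generic type. The sample records are constructed for illustration; the domain httpd_git_script_t and the type var_lib_t come from the thread, while httpd_cache_t and httpd_sys_content_t are stand-ins chosen for the example.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials per tool and flag denials
# against broad target types before turning them into allow rules.

# Constructed sample audit records (not from the thread's audit.log).
SAMPLE_AVCS='type=AVC msg=audit(1236112233.101:201): avc:  denied  { search } for  pid=2101 comm="cgit" name="lib" dev=dm-0 ino=131073 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1236112233.102:202): avc:  denied  { write } for  pid=2101 comm="cgit" name="cgit" dev=dm-0 ino=262145 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_cache_t:s0 tclass=dir
type=AVC msg=audit(1236112233.103:203): avc:  denied  { read } for  pid=2102 comm="gitweb.cgi" name="HEAD" dev=dm-0 ino=393217 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236112233.103:203): arch=c000003e syscall=2 success=no exit=-13'

# Target types so generic that an allow rule on them grants far more
# than a git CGI needs (the var_lib_t case from the thread).
BROAD_TYPES='var_lib_t var_t usr_t etc_t'

# Read audit records on stdin; print one line per denial:
#   <comm> <target type> <tclass> <permissions>
avc_summary() {
    awk '
    /^type=AVC/ && /avc: +denied/ {
        comm = ""; tclass = ""; ttype = ""; perms = ""
        # permissions are the set inside { ... }
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm)
            }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        print comm, ttype, tclass, perms
    }'
}

# Count denials per tool, so each CGI can be reviewed separately.
avc_by_tool() {
    avc_summary | awk '{ n[$1]++ } END { for (t in n) print t, n[t] }' | sort
}

# Report denials whose target type is in BROAD_TYPES; these deserve a
# dontaudit or a narrower file context rather than a blanket allow.
avc_flag_broad() {
    avc_summary | awk -v broad="$BROAD_TYPES" '
    BEGIN { split(broad, b, " "); for (i in b) isbroad[b[i]] = 1 }
    ($2 in isbroad) { print "BROAD:", $0 }'
}

# Usage on the constructed sample; on a real host pipe in
#   grep AVC /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVCS" | avc_by_tool
printf '%s\n' "$SAMPLE_AVCS" | avc_flag_broad
```

Denials that the BROAD check flags are the ones to test Todd's way: leave them denied, re-run the tools, and only add a rule if something actually breaks.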