Todd Zullinger wrote:
Daniel J Walsh wrote:
> Sorry about this, I seem to have lost this email.
No worries. :)
> The following might help you with writing policy.
>
>
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-...
Indeed it will. Thank you.
> I would combine gitweb and cgit into the same policy since there is
> really very little different between the two, it really does not matter
> what you call them, unless one is readonly?
Well, only cgit needs write access to /var/cache/cgit. I don't know
where, or if, gitweb writes any temp files. If it does, I don't see
the policy you attached denying them.
> I have added git policy to the base package for rawhide.
>
> selinux-policy-3.6.5-2.fc11
>
> If you could install this policy out with gitweb and cgit, that would be
> helpful.
>
> I made the httpd_git_script_t permissive and have added file context for
> gitweb as well as cgit.
Is there a corresponding strict mode? For this:
permissive httpd_git_script_t;
Removing the line makes it strict.
If so, I could test it that way and maybe tighten up the policy
further.
> Extract the tgz file.
> execute
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i git.pp
> restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit
> /var/www/git/gitweb.cgi /var/lib/git
>
> Run git and cgit.
>
> Use
>
> audit2allow -R >> git.te
>
> to add new rules
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i git.pp
>
> Test again, to make sure there are no avc's.
>
> Then if you send me the new policy and the audit.log, I can update
> fedora policy.
Done. There weren't many additional AVCs in my testing (which I'm
sure could miss some odd use case that someone else will find).
Attached is an updated git.te and the raw audit messages (broken down
by which tool caused the AVC).
Is the search on var_lib_t something that we would want to limit?
no
I don't think cgit, git-daemon, or gitweb should need more than
/var/lib/git (and /var/cache/cgit in cgit's case). It _seemed_ that
they ran fine even when this was denied, but perhaps I just didn't
notice some subtle breakage.
Thanks for all the help.
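As an added example (not code from the thread or from the Fedora policy), a small parser for the AVC records the build/test loop above produces: it groups denials by the tool that caused them, as the attached breakdown does, and merges them into audit2allow-style allow rules for review before they are appended to git.te. The audit records are constructed; only the comm values and the httpd_git_script_t / var_lib_t types come from the discussion.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the thread); the comm values and the
# httpd_git_script_t / var_lib_t types come from the discussion, everything else is made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1.1:45): avc:  denied  { search } for  pid=2201 comm="cgit" name="lib" dev=dm-0 ino=1 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1.2:46): avc:  denied  { write add_name } for  pid=2201 comm="cgit" name="cgit" dev=dm-0 ino=2 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1.3:47): avc:  denied  { search } for  pid=2210 comm="gitweb.cgi" name="lib" dev=dm-0 ino=1 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1.4:48): avc:  denied  { read } for  pid=2210 comm="gitweb.cgi" name="HEAD" dev=dm-0 ino=3 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1.4:48): arch=c000003e syscall=2 success=no exit=-13 comm="gitweb.cgi"
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avcs(text):
    """Return one dict per AVC denial record; SYSCALL and other record types are skipped."""
    avcs = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        d["perms"] = frozenset(d["perms"].split())
        d["stype"] = d["scontext"].split(":")[2]   # source domain, e.g. httpd_git_script_t
        d["ttype"] = d["tcontext"].split(":")[2]   # target type, e.g. var_lib_t
        avcs.append(d)
    return avcs

def denials_by_tool(avcs):
    """Group distinct (domain, target type, class, perms) tuples by the process name
    that triggered them, the per-tool breakdown attached alongside git.te."""
    groups = defaultdict(set)
    for a in avcs:
        groups[a["comm"]].add((a["stype"], a["ttype"], a["tclass"], tuple(sorted(a["perms"]))))
    return {comm: sorted(rules) for comm, rules in groups.items()}

def candidate_rules(avcs):
    """Merge denials into one allow rule per (domain, type, class), the way audit2allow
    does, so each rule (e.g. search on var_lib_t) can be reviewed before going into git.te."""
    merged = defaultdict(set)
    for a in avcs:
        merged[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items())
```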