9:47 p.m.
Hi all,
I was recently setting up a webserver with cgit and apache on a fresh
Fedora 34 installation and ran into one issue that I still don't quite
understand. After installing both apache and cgit, I created the
default location expected for git repositories in /var/lib/git via:
# mkdir /var/lib/git
and then added a few bare repositories and pushed to them.
I wasn't able to view the cgit page though and was getting the
following errors in audit.log:
type=AVC msg=audit(1622927247.335:77187): avc: denied { getattr }
for pid=281294 comm="cgit" path="/var/lib/git/chroma.git/HEAD"
dev="sda" ino=134922 scontext=system_u:system_r:git_script_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
I eventually found out that I needed to run:
# restorecon -vR /var/lib/git/
which fixed the issue, but I thought it was supposed to happen
automatically since there was already a rule which was supposed to set
these as type git_content_t (I think that's it).
I emailed the cgit package maintainer and he was suprised too, and has
since updated the README to include instructions to run restorecon,
but I was curious as to whether this should be necessary. Why doesn't
the /var/lib/git directory get the correct context?
Thanks,
Tony
11:29 p.m.
On Mon, Jun 7, 2021 at 10:47 PM Anthony LaTorre <tlatorre9(a)gmail.com> wrote:
I eventually found out that I needed to run:
# restorecon -vR /var/lib/git/
which fixed the issue, but I thought it was supposed to happen
automatically since there was already a rule which was supposed to
set these as type git_content_t (I think that's it).
I emailed the cgit package maintainer and he was suprised too, and
has since updated the README to include instructions to run
restorecon, but I was curious as to whether this should be
necessary. Why doesn't the /var/lib/git directory get the correct
context?
Performance.
Calculating the correct SELinux file context for an arbitrary path in
the filesystem can be nontrivial (e.g., requiring parsing regular
expressions). If the kernel did this by default for every object
created in the filesystem, performance would be terrible.
Since the vast majority of the time the correct context for a new
file/directory is the same as the parent directory, in order to
prevent SELinux from tanking performance, new files/directories
inherit the file context of the parent directory unless either 1) the
application is SELinux-aware and requests a specific context, or 2)
there is a type transition that specifies a specific context.
Modern versions of mkdir are SELinux-aware and support the -Z option
to atomically create a directory with the correct SELinux file
context:
$ mkdir -Z /var/lib/git
But running restorecon after the fact also works.
11:42 p.m.
Ah ok, that makes sense. Thanks!
Tony
On Mon, Jun 7, 2021 at 9:30 PM James Ralston <ralston(a)pobox.com> wrote:
>
> On Mon, Jun 7, 2021 at 10:47 PM Anthony LaTorre <tlatorre9(a)gmail.com> wrote:
>
> > I eventually found out that I needed to run:
> >
> > # restorecon -vR /var/lib/git/
> >
> > which fixed the issue, but I thought it was supposed to happen
> > automatically since there was already a rule which was supposed to
> > set these as type git_content_t (I think that's it).
> >
> > I emailed the cgit package maintainer and he was suprised too, and
> > has since updated the README to include instructions to run
> > restorecon, but I was curious as to whether this should be
> > necessary. Why doesn't the /var/lib/git directory get the correct
> > context?
>
> Performance.
>
> Calculating the correct SELinux file context for an arbitrary path in
> the filesystem can be nontrivial (e.g., requiring parsing regular
> expressions). If the kernel did this by default for every object
> created in the filesystem, performance would be terrible.
>
> Since the vast majority of the time the correct context for a new
> file/directory is the same as the parent directory, in order to
> prevent SELinux from tanking performance, new files/directories
> inherit the file context of the parent directory unless either 1) the
> application is SELinux-aware and requests a specific context, or 2)
> there is a type transition that specifies a specific context.
>
> Modern versions of mkdir are SELinux-aware and support the -Z option
> to atomically create a directory with the correct SELinux file
> context:
>
> $ mkdir -Z /var/lib/git
>
> But running restorecon after the fact also works.
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1050
days inactive
1050
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Anthony LaTorre -
James Ralston