3:14 p.m.
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on
Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not
really seem to help me on Fedora.
there was no /var/log/kernel so I tried /var/log/secure with the following
command sequence
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
What is strange also is the system is not flagging things up as a
notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most
thankful.
Aaron
3:42 p.m.
Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to
run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does
not really seem to help me on Fedora.
there was no /var/log/kernel so I tried /var/log/secure with the
following command sequence
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
The audit log file is
/var/log/audit/audit.log. Note, you must have root
privileges to read it.
What is strange also is the system is not flagging things up as a
notification icon anymore in enforcing mode.
Do you mean the "Star" Icon
which opens the SETroubleshoot browser is
not appearing on your desktop?
If so are there any errors in /var/log/setroubleshoot/setroubleshootd.log?
Are there actually AVC messages in the /var/log/audit/audit.log file?
What version of setroubleshoot is installed?
If someone could guide me or push me in the right direction I would be
most thankful.
Aaron
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
John Dennis <jdennis(a)redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
6:22 p.m.
Aaron Gray wrote:
> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
> on Apache. Runs fine in permissive mode not in enforcing.
>
> I bought the O'Reilly SE Linux book and learned the basics but it does
> not really seem to help me on Fedora.
>
> there was no /var/log/kernel so I tried /var/log/secure with the
> following command sequence
>
> setenforce 0
>
> # access the cgi from the web
>
> setenforce 1
>
> audit2allow -l -i /var/log/secure
The audit log file is /var/log/audit/audit.log. Note, you must have root
privileges to read it.
>
>
> What is strange also is the system is not flagging things up as a
> notification icon anymore in enforcing mode.
Thanks for the reply.
Do you mean the "Star" Icon which opens the SETroubleshoot
browser is not
appearing on your desktop?
Yep.
If so are there any errors in
/var/log/setroubleshoot/setroubleshootd.log?
Yep.
Are there actually AVC messages in the /var/log/audit/audit.log file?
Yep.
What version of setroubleshoot is installed?
F10's ? Version 2.0.12
It runs when I select it from the command line but not automatically on
violations.
~~~~~~~~~~~~setroubleshooth.log~~~~~~~~~~~~
2009-03-20 16:58:15,020 [program.ERROR] setroubleshoot generated AVC,
exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0,
AVC scontext=system_u:system_r:setroubleshootd_t:s0
2009-03-20 16:58:15,020 [program.ERROR] audit event
node=localhost.localdomain type=AVC msg=audit(1237568294.768:209): avc:
denied { signull } for pid=2480 comm="setroubleshootd"
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
node=localhost.localdomain type=SYSCALL msg=audit(1237568294.768:209):
arch=40000003 syscall=37 success=yes exit=0 a0=7d11 a1=0 a2=5cf70c a3=7d11
items=0 ppid=1 pid=2480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Does this give any clues ?
Aaron
4:13 p.m.
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to
run on
Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not
really seem to help me on Fedora.
there was no /var/log/kernel so I tried /var/log/secure with the following
command sequence
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
What is strange also is the system is not flagging things up as a
notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most
thankful.
auditd logs to /var/log/audit/audit.log
To use cgi you must set the boolean httpd_enable_cgi.
Then either label the cgi type httpd_sys_script_exec_t or create a
custom domain for your script:
mkdir myscript; cd myscript;
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl --
gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" >
myscript.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl
This is just a base module you will likely need to extend it. you can do
so why making the httpd_myscript_script_t permissive and then extend
your source policy with any rules required frpm audit.log/audit2why
semanage permissive -a httpd_myscript_script_t
ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow
-R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule
-i myscript.pp
semanage permissive -d httpd_myscript_script_t
(to remove the permissive domain)
hth , Dominick
Aaron
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
6:12 p.m.
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
> on
> Apache. Runs fine in permissive mode not in enforcing.
>
> I bought the O'Reilly SE Linux book and learned the basics but it does
> not
> really seem to help me on Fedora.
>
> there was no /var/log/kernel so I tried /var/log/secure with the
> following
> command sequence
>
> setenforce 0
>
> # access the cgi from the web
>
> setenforce 1
>
> audit2allow -l -i /var/log/secure
>
> What is strange also is the system is not flagging things up as a
> notification icon anymore in enforcing mode.
>
> If someone could guide me or push me in the right direction I would be
> most
> thankful.
auditd logs to /var/log/audit/audit.log
To use cgi you must set the boolean httpd_enable_cgi.
Great GIT on Apache running now !:) Thanks
But not accessing the repositories, looks like a script is needed.
Then either label the cgi type httpd_sys_script_exec_t or create a
custom domain for your script:
mkdir myscript; cd myscript;
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl --
gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" >
myscript.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl
This is interesting. command line, thanks, interesting I will have to learn
this stuff on the command line to understand it properly.
This is just a base module you will likely need to extend it. you can
do
so why making the httpd_myscript_script_t permissive and then extend
your source policy with any rules required frpm audit.log/audit2why
semanage permissive -a httpd_myscript_script_t
Nice :)
ausearch -m avc -ts today | grep httpd_myscript_script_t |
audit2allow
-R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule
-i myscript.pp
This might just do the job !
semanage permissive -d httpd_myscript_script_t
(to remove the permissive domain)
Is there any reason not to be using setenforce 0/1, on a machine behind
firewall.
I will try this. Looks like theres a need of a good howto that shows how
simple these things can be.
Many thanks Dominick
Aaron
6:15 a.m.
On Fri, 2009-03-20 at 23:12 +0000, Aaron Gray wrote:
> On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
>> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
>> on
>> Apache. Runs fine in permissive mode not in enforcing.
>>
>> I bought the O'Reilly SE Linux book and learned the basics but it does
>> not
>> really seem to help me on Fedora.
>>
>> there was no /var/log/kernel so I tried /var/log/secure with the
>> following
>> command sequence
>>
>> setenforce 0
>>
>> # access the cgi from the web
>>
>> setenforce 1
>>
>> audit2allow -l -i /var/log/secure
>>
>> What is strange also is the system is not flagging things up as a
>> notification icon anymore in enforcing mode.
>>
>> If someone could guide me or push me in the right direction I would be
>> most
>> thankful.
> auditd logs to /var/log/audit/audit.log
>
> To use cgi you must set the boolean httpd_enable_cgi.
Great GIT on Apache running now !:) Thanks
But not accessing the repositories, looks like a script is needed.
> Then either label the cgi type httpd_sys_script_exec_t or create a
> custom domain for your script:
>
> mkdir myscript; cd myscript;
> echo "policy_module(myscript, 0.0.1)" > myscript.te
> echo "apache_content_template(myscript)" >> myscript.te
> echo "/var/www/cgi-bin/myscript.pl --
> gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" >
> myscript.fc
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i myscript.pp
> restorecon -R -v /var/www/cgi-bin/myscript.pl
This is interesting. command line, thanks, interesting I will have to learn
this stuff on the command line to understand it properly.
> This is just a base module you will likely need to extend it. you can do
> so why making the httpd_myscript_script_t permissive and then extend
> your source policy with any rules required frpm audit.log/audit2why
>
> semanage permissive -a httpd_myscript_script_t
Nice :)
> ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow
> -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule
> -i myscript.pp
This might just do the job !
> semanage permissive -d httpd_myscript_script_t
>
> (to remove the permissive domain)
Is there any reason not to be using setenforce 0/1, on a machine behind
firewall.
What makes you think that the security threat only comes from the
network? There might be a rogue program local to the system, and if you
setenforce 0 , you allow everything. not what i would want.
by using semanage permissive -a <domain> you only allow a specific
domain to run in permissive mode. This minimizes the risks and it
conforms to SELinux least privilege philosophy.
I will try this. Looks like theres a need of a good howto that shows
how
simple these things can be.
Many thanks Dominick
Aaron
9:26 p.m.
New subject: Newbie Q - gitweb policy
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
> on
> Apache. Runs fine in permissive mode not in enforcing.
>
I had to use 'setenforce 0', remove the grep, and then whittle down the code
a bit.
mkdir gitweb-policy;
cd gitweb-policy;
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi --
gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" >gitweb.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi
setenforce 0;
Do the http access !
setenforce 1;
ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp
Whittle the code down a bit to :-
gitweb.te
policy_module(gitweb, 0.0.1)
apache_content_template(gitweb)
require {
type httpd_sys_script_t;
}
#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)
gitweb.fc
/var/www/git/gitweb.cgi --
gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
4:55 a.m.
New subject: Newbie Q - gitweb policy
On Sat, 2009-03-21 at 02:26 +0000, Aaron Gray wrote:
> On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
>> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
>> on
>> Apache. Runs fine in permissive mode not in enforcing.
>>
I had to use 'setenforce 0', remove the grep, and then whittle down the code
a bit.
mkdir gitweb-policy;
cd gitweb-policy;
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi --
gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" >gitweb.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi
setenforce 0;
Do the http access !
setenforce 1;
ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp
Whittle the code down a bit to :-
gitweb.te
policy_module(gitweb, 0.0.1)
apache_content_template(gitweb)
require {
type httpd_sys_script_t;
}
#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)
Looks like something went wrong here.
for starters something is running in the httpd_sys_script_t domain and
not httpd_gitweb_script_t.
Second youre giving httpd_sys_script_t access to read files with type
default_t (not recommended)
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
Heres my git policy:
policy_module(git_daemon, 0.0.1)
########################################
#
# Git daemon declarations
#
attribute git_daemon_user_content_type;
attribute git_daemon_system_content_type;
type git_daemon_t;
type git_daemon_exec_t;
inetd_service_domain(git_daemon_t, git_daemon_exec_t)
role system_r types git_daemon_t;
application_executable_file(git_daemon_exec_t)
type git_daemon_system_content_t, git_daemon_system_content_type;
typeattribute git_daemon_system_content_t
git_daemon_system_content_type;
files_type(git_daemon_system_content_t)
## <desc>
## <p>
## Allow Git daemon to read home directories.
## </p>
## </desc>
gen_tunable(git_daemon_enable_homedirs, false)
## <desc>
## <p>
## Allow Git daemon to access nfs file systems.
## </p>
## </desc>
gen_tunable(git_daemon_use_nfs, false)
## <desc>
## <p>
## Allow Git daemon to access cifs file systems.
## </p>
## </desc>
gen_tunable(git_daemon_use_cifs, false)
########################################
#
# Git daemon policy
#
allow git_daemon_t self:fifo_file rw_fifo_file_perms;
allow git_daemon_t self:netlink_route_socket { write getattr read bind
create nlmsg_read };
allow git_daemon_t self:udp_socket { write read create connect
getattr };
allow git_daemon_t self:unix_dgram_socket { write create connect };
list_dirs_pattern(git_daemon_t, git_daemon_system_content_type,
git_daemon_system_content_type)
read_files_pattern(git_daemon_t, git_daemon_system_content_type,
git_daemon_system_content_type)
corecmd_exec_bin(git_daemon_t)
corenet_all_recvfrom_unlabeled(git_daemon_t)
corenet_all_recvfrom_netlabel(git_daemon_t)
files_read_etc_files(git_daemon_t)
files_search_usr(git_daemon_t)
fs_search_auto_mountpoints(git_daemon_t)
kernel_read_system_state(git_daemon_t)
libs_use_ld_so(git_daemon_t)
libs_use_shared_libs(git_daemon_t)
logging_send_syslog_msg(git_daemon_t)
miscfiles_read_localization(git_daemon_t)
miscfiles_read_public_files(git_daemon_t)
sysnet_read_config(git_daemon_t)
optional_policy(`
apache_content_template(gitweb)
apache_search_sys_content(httpd_gitweb_script_t)
files_getattr_tmp_dirs(httpd_gitweb_script_t)
git_daemon_read_system_content(httpd_gitweb_script_t)
')
optional_policy(`
nscd_read_pid(git_daemon_t)
')
tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', `
fs_list_nfs(git_daemon_t)
fs_read_nfs_files(git_daemon_t)
')
tunable_policy(`git_daemon_use_nfs', `
fs_list_nfs(git_daemon_t)
fs_read_nfs_files(git_daemon_t)
')
tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', `
fs_list_cifs(git_daemon_t)
fs_read_cifs_files(git_daemon_t)
')
tunable_policy(`git_daemon_use_cifs', `
fs_list_cifs(git_daemon_t)
fs_read_cifs_files(git_daemon_t)
')
tunable_policy(`git_daemon_enable_homedirs', `
list_dirs_pattern(git_daemon_t, git_daemon_user_content_type,
git_daemon_user_content_type)
read_files_pattern(git_daemon_t, git_daemon_user_content_type,
git_daemon_user_content_type)
userdom_search_all_users_home_dirs(git_daemon_t)
')
#EOF
## <summary>SELinux policy for Git daemon.</summary>
## <desc>
## <p>
## Git daemon is a really simple server for Git
## repositories.
## </p>
## </desc>
#######################################
## <summary>
## The per role template for the Git daemon module.
## </summary>
## <desc>
## <p>
## This template creates derived domains which are used
## for Git daemon.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`git_daemon_per_role_template', `
gen_require(`
type git_daemon_exec_t;
attribute git_daemon_user_content_type;
')
########################################
#
# Git daemon public declarations.
#
type $1_git_daemon_t;
application_domain($1_git_daemon_t, git_daemon_exec_t)
role $3 types $1_git_daemon_t;
type $1_git_daemon_home_t, git_daemon_user_content_type;
userdom_user_home_content($1, $1_git_daemon_home_t)
typeattribute $1_git_daemon_home_t git_daemon_user_content_type;
########################################
#
# Git daemon public policy.
#
allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms;
allow $1_git_daemon_t self:netlink_route_socket { write getattr read
bind create nlmsg_read };
allow $1_git_daemon_t self:tcp_socket { bind read write accept create
setopt listen };
allow $1_git_daemon_t self:udp_socket { create connect write read
getattr };
allow $1_git_daemon_t $2:process sigchld;
allow $2 $1_git_daemon_t:process { ptrace signal_perms };
git_daemon_read_user_content($1, $1_git_daemon_t)
manage_dirs_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
manage_files_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
exec_files_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
userdom_search_user_home_dirs($1, $1_git_daemon_t)
userdom_user_home_dir_filetrans($1, $1_git_daemon_t,
$1_git_daemon_home_t, { dir file })
relabel_dirs_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
relabel_files_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t)
ps_process_pattern($2, $1_git_daemon_t)
corecmd_exec_bin($1_git_daemon_t)
corenet_all_recvfrom_unlabeled($1_git_daemon_t)
corenet_all_recvfrom_netlabel($1_git_daemon_t)
corenet_tcp_sendrecv_all_if($1_git_daemon_t)
corenet_tcp_sendrecv_all_nodes($1_git_daemon_t)
corenet_tcp_bind_all_nodes($1_git_daemon_t)
corenet_tcp_bind_git_daemon_port($1_git_daemon_t)
files_read_etc_files($1_git_daemon_t)
files_search_home($1_git_daemon_t)
files_search_usr($1_git_daemon_t)
fs_search_auto_mountpoints($1_git_daemon_t)
kernel_read_system_state($1_git_daemon_t)
libs_use_ld_so($1_git_daemon_t)
libs_use_shared_libs($1_git_daemon_t)
logging_send_syslog_msg($1_git_daemon_t)
miscfiles_read_localization($1_git_daemon_t)
sysnet_read_config($1_git_daemon_t)
userdom_use_user_terminals($1, $1_git_daemon_t)
tunable_policy(`use_nfs_home_dirs', `
fs_list_nfs($1_git_daemon_t)
fs_read_nfs_files($1_git_daemon_t)
')
tunable_policy(`use_samba_home_dirs', `
fs_list_cifs($1_git_daemon_t)
fs_read_cifs_files($1_git_daemon_t)
')
optional_policy(`
nscd_read_pid($1_git_daemon_t)
')
optional_policy(`
nis_use_ypbind($1_git_daemon_t)
')
')
########################################
## <summary>
## Allow the specified domain to read
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_system_content', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
list_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
read_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to manage
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_system_content', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
manage_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
manage_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to execute
## Git daemon system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_execute_system_content_files', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
exec_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to read
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_read_user_content', `
gen_require(`
attribute git_daemon_user_content_type;
')
allow $2 git_daemon_user_content_type:dir list_dir_perms;
allow $2 git_daemon_user_content_type:file read_file_perms;
userdom_search_user_home_dirs($1, $2)
')
########################################
## <summary>
## Allow the specified domain to manage
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_manage_user_content', `
gen_require(`
attribute git_daemon_user_content_type;
')
allow $2 git_daemon_user_content_type:dir manage_dir_perms;
allow $2 git_daemon_user_content_type:file manage_file_perms;
userdom_user_home_dir_filetrans($1, $2, git_daemon_user_content_type,
{ dir file })
userdom_search_user_home_dirs($1, $2)
')
########################################
## <summary>
## Allow the specified domain to relabel
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_relabel_user_content', `
gen_require(`
attribute git_daemon_user_content_type;
')
allow $2 git_daemon_user_content_type:dir relabel_dir_perms;
allow $2 git_daemon_user_content_type:file relabel_file_perms;
userdom_search_user_home_dirs($1, $2)
')
########################################
## <summary>
## Allow the specified domain to manage
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_all_content', `
git_daemon_manage_user_content($1, $2)
git_daemon_manage_system_content($2)
')
########################################
## <summary>
## Allow the specified domain to read
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_all_content', `
git_daemon_read_user_content($1, $2)
git_daemon_read_system_content($2)
')
########################################
## <summary>
## Allow the specified domain to relabel
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_relabel_all_content', `
git_daemon_relabel_user_content($1, $2)
git_daemon_relabel_system_content($2)
')
########################################
## <summary>
## Allow the specified domain to list
## Git daemon system content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_list_system_content_dirs', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
list_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to search
## Git daemon system content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_search_system_content_dirs', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
search_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
#######################################
## <summary>
## The template for creating a Git user domain.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's pty.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`git_daemon_git_user_template',`
gen_require(`
attribute unpriv_userdomain, userdomain;
class context contains;
')
##############################
#
# Git user public declarations.
#
attribute $1_file_type;
attribute $1_usertype;
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t;
allow system_r $1_r;
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
##############################
#
# Git user public policy.
#
allow $1_usertype self:context contains;
allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
corecmd_exec_bin($1_usertype)
kernel_read_system_state($1_usertype)
files_read_etc_files($1_usertype)
files_search_home($1_usertype)
git_daemon_manage_system_content($1_usertype)
git_daemon_execute_system_content_files($1_usertype)
libs_use_ld_so($1_usertype)
libs_use_shared_libs($1_usertype)
miscfiles_read_localization($1_usertype)
ssh_rw_stream_sockets($1_usertype)
optional_policy(`
nscd_read_pid($1_usertype)
')
')
########################################
## <summary>
## All of the rules required to administrate an
## Git daemon environment
## </summary>
## <param name="userdomain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the user_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the Git daemon domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_admin', `
gen_require(`
type git_daemon_t, git_daemon_exec_t, httpd_gitweb_script_exec_t;
')
allow $1 git_daemon_t:process { getattr ptrace signal_perms };
git_daemon_manage_all_content($1, $2)
git_daemon_relabel_all_content($1, $2)
miscfiles_manage_public_files($1)
kernel_search_proc($1)
allow $1 git_daemon_t:dir list_dir_perms;
read_files_pattern($1, git_daemon_t, git_daemon_t)
read_lnk_files_pattern($1, git_daemon_t, git_daemon_t)
manage_files_pattern($1, httpd_gitweb_script_exec_t,
httpd_gitweb_script_exec_t)
manage_files_pattern($1, git_daemon_exec_t, git_daemon_exec_t)
seutil_domtrans_setfiles($1)
')
#EOF
########################################
#
# Git daemon contexts
#
HOME_DIR/public_git(/.*)?
gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
HOME_DIR/\.gitconfig --
gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
/srv/git(/.*)?
gen_context(system_u:object_r:git_daemon_system_content_t, s0)
/usr/bin/git-daemon --
gen_context(system_u:object_r:git_daemon_exec_t, s0)
/var/www/git/gitweb\.cgi --
gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
#EOF
But it wont work unless its modified or integrated properly. Also it
might need some polishing.
gitweb.fc
/var/www/git/gitweb.cgi --
gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
5515
days inactive
5516
days old
selinux@lists.fedoraproject.org
7 comments
3 participants
participants (3)
-
Aaron Gray -
Dominick Grift -
John Dennis