I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora.
There was no /var/log/kernel, so I tried /var/log/secure with the following command sequence:
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
What is also strange is that the system is not flagging things up with a notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most thankful.
Aaron
Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora.
There was no /var/log/kernel, so I tried /var/log/secure with the following command sequence:
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
The audit log file is /var/log/audit/audit.log. Note, you must have root privileges to read it.
What is also strange is that the system is not flagging things up with a notification icon anymore in enforcing mode.
Do you mean the "Star" Icon which opens the SETroubleshoot browser is not appearing on your desktop?
If so are there any errors in /var/log/setroubleshoot/setroubleshootd.log?
Are there actually AVC messages in the /var/log/audit/audit.log file?
What version of setroubleshoot is installed?
If someone could guide me or push me in the right direction I would be most thankful.
Aaron
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora.
There was no /var/log/kernel, so I tried /var/log/secure with the following command sequence:
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
The audit log file is /var/log/audit/audit.log. Note, you must have root privileges to read it.
What is also strange is that the system is not flagging things up with a notification icon anymore in enforcing mode.
Thanks for the reply.
Do you mean the "Star" Icon which opens the SETroubleshoot browser is not appearing on your desktop?
Yep.
If so are there any errors in /var/log/setroubleshoot/setroubleshootd.log?
Yep.
Are there actually AVC messages in the /var/log/audit/audit.log file?
Yep.
What version of setroubleshoot is installed?
F10's? Version 2.0.12
It runs when I select it from the command line but not automatically on violations.
~~~~~~~~~~~~setroubleshootd.log~~~~~~~~~~~~
2009-03-20 16:58:15,020 [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
2009-03-20 16:58:15,020 [program.ERROR] audit event node=localhost.localdomain type=AVC msg=audit(1237568294.768:209): avc: denied { signull } for pid=2480 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=SYSCALL msg=audit(1237568294.768:209): arch=40000003 syscall=37 success=yes exit=0 a0=7d11 a1=0 a2=5cf70c a3=7d11 items=0 ppid=1 pid=2480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Does this give any clues?
Aaron
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora.
There was no /var/log/kernel, so I tried /var/log/secure with the following command sequence:
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
What is also strange is that the system is not flagging things up with a notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most thankful.
auditd logs to /var/log/audit/audit.log
To use cgi you must set the boolean httpd_enable_cgi.
Then either label the cgi type httpd_sys_script_exec_t or create a custom domain for your script:
mkdir myscript; cd myscript
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl
This is just a base module; you will likely need to extend it. You can do so by making the httpd_myscript_script_t domain permissive and then extending your source policy with any rules required from audit.log/audit2why:
semanage permissive -a httpd_myscript_script_t
ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp
semanage permissive -d httpd_myscript_script_t
(to remove the permissive domain)
hth, Dominick
Aaron
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora.
There was no /var/log/kernel, so I tried /var/log/secure with the following command sequence:
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
What is also strange is that the system is not flagging things up with a notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most thankful.
auditd logs to /var/log/audit/audit.log
To use cgi you must set the boolean httpd_enable_cgi.
Great, GIT on Apache is running now! :) Thanks
But it's not accessing the repositories; looks like a script is needed.
Then either label the cgi type httpd_sys_script_exec_t or create a custom domain for your script:
mkdir myscript; cd myscript
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl
This is interesting, thanks. I will have to learn this stuff on the command line to understand it properly.
This is just a base module; you will likely need to extend it. You can do so by making the httpd_myscript_script_t domain permissive and then extending your source policy with any rules required from audit.log/audit2why:
semanage permissive -a httpd_myscript_script_t
Nice :)
ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp
This might just do the job!
semanage permissive -d httpd_myscript_script_t
(to remove the permissive domain)
Is there any reason not to be using setenforce 0/1 on a machine behind a firewall?
I will try this. Looks like there's a need for a good howto that shows how simple these things can be.
Many thanks Dominick
Aaron
On Fri, 2009-03-20 at 23:12 +0000, Aaron Gray wrote:
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora.
There was no /var/log/kernel, so I tried /var/log/secure with the following command sequence:
setenforce 0
# access the cgi from the web
setenforce 1
audit2allow -l -i /var/log/secure
What is also strange is that the system is not flagging things up with a notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most thankful.
auditd logs to /var/log/audit/audit.log
To use cgi you must set the boolean httpd_enable_cgi.
Great, GIT on Apache is running now! :) Thanks
But it's not accessing the repositories; looks like a script is needed.
Then either label the cgi type httpd_sys_script_exec_t or create a custom domain for your script:
mkdir myscript; cd myscript
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl
This is interesting, thanks. I will have to learn this stuff on the command line to understand it properly.
This is just a base module; you will likely need to extend it. You can do so by making the httpd_myscript_script_t domain permissive and then extending your source policy with any rules required from audit.log/audit2why:
semanage permissive -a httpd_myscript_script_t
Nice :)
ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp
This might just do the job!
semanage permissive -d httpd_myscript_script_t
(to remove the permissive domain)
Is there any reason not to be using setenforce 0/1 on a machine behind a firewall?
What makes you think that the security threat only comes from the network? There might be a rogue program local to the system, and if you setenforce 0, you allow everything. Not what I would want.
By using semanage permissive -a <domain> you only allow a specific domain to run in permissive mode. This minimizes the risks and it conforms to the SELinux least privilege philosophy.
I will try this. Looks like there's a need for a good howto that shows how simple these things can be.
Many thanks Dominick
Aaron
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I had to use 'setenforce 0', remove the grep, and then whittle down the code a bit.
mkdir gitweb-policy; cd gitweb-policy
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" > gitweb.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi
setenforce 0;
Do the http access !
setenforce 1;
ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp
Whittle the code down a bit to:

gitweb.te

policy_module(gitweb, 0.0.1)

apache_content_template(gitweb)

require {
	type httpd_sys_script_t;
}

#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)

gitweb.fc

/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
On Sat, 2009-03-21 at 02:26 +0000, Aaron Gray wrote:
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I had to use 'setenforce 0', remove the grep, and then whittle down the code a bit.
mkdir gitweb-policy; cd gitweb-policy
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" > gitweb.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi
setenforce 0;
Do the http access !
setenforce 1;
ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp
Whittle the code down a bit to:

gitweb.te

policy_module(gitweb, 0.0.1)

apache_content_template(gitweb)

require {
	type httpd_sys_script_t;
}

#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)
Looks like something went wrong here. For starters, something is running in the httpd_sys_script_t domain and not httpd_gitweb_script_t.
Second, you're giving httpd_sys_script_t access to read files with type default_t (not recommended).
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
Here's my git policy:

git_daemon.te

policy_module(git_daemon, 0.0.1)

########################################
#
# Git daemon declarations
#

attribute git_daemon_user_content_type;
attribute git_daemon_system_content_type;

type git_daemon_t;
type git_daemon_exec_t;
inetd_service_domain(git_daemon_t, git_daemon_exec_t)
role system_r types git_daemon_t;

application_executable_file(git_daemon_exec_t)

type git_daemon_system_content_t, git_daemon_system_content_type;
typeattribute git_daemon_system_content_t git_daemon_system_content_type;
files_type(git_daemon_system_content_t)

## <desc>
## <p>
## Allow Git daemon to read home directories.
## </p>
## </desc>
gen_tunable(git_daemon_enable_homedirs, false)

## <desc>
## <p>
## Allow Git daemon to access nfs file systems.
## </p>
## </desc>
gen_tunable(git_daemon_use_nfs, false)

## <desc>
## <p>
## Allow Git daemon to access cifs file systems.
## </p>
## </desc>
gen_tunable(git_daemon_use_cifs, false)

########################################
#
# Git daemon policy
#

allow git_daemon_t self:fifo_file rw_fifo_file_perms;
allow git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow git_daemon_t self:udp_socket { write read create connect getattr };
allow git_daemon_t self:unix_dgram_socket { write create connect };

list_dirs_pattern(git_daemon_t, git_daemon_system_content_type, git_daemon_system_content_type)
read_files_pattern(git_daemon_t, git_daemon_system_content_type, git_daemon_system_content_type)

corecmd_exec_bin(git_daemon_t)

corenet_all_recvfrom_unlabeled(git_daemon_t)
corenet_all_recvfrom_netlabel(git_daemon_t)

files_read_etc_files(git_daemon_t)
files_search_usr(git_daemon_t)

fs_search_auto_mountpoints(git_daemon_t)

kernel_read_system_state(git_daemon_t)

libs_use_ld_so(git_daemon_t)
libs_use_shared_libs(git_daemon_t)

logging_send_syslog_msg(git_daemon_t)

miscfiles_read_localization(git_daemon_t)
miscfiles_read_public_files(git_daemon_t)

sysnet_read_config(git_daemon_t)

optional_policy(`
	apache_content_template(gitweb)
	apache_search_sys_content(httpd_gitweb_script_t)
	files_getattr_tmp_dirs(httpd_gitweb_script_t)
	git_daemon_read_system_content(httpd_gitweb_script_t)
')

optional_policy(`
	nscd_read_pid(git_daemon_t)
')

tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', `
	fs_list_nfs(git_daemon_t)
	fs_read_nfs_files(git_daemon_t)
')

tunable_policy(`git_daemon_use_nfs', `
	fs_list_nfs(git_daemon_t)
	fs_read_nfs_files(git_daemon_t)
')

tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', `
	fs_list_cifs(git_daemon_t)
	fs_read_cifs_files(git_daemon_t)
')

tunable_policy(`git_daemon_use_cifs', `
	fs_list_cifs(git_daemon_t)
	fs_read_cifs_files(git_daemon_t)
')

tunable_policy(`git_daemon_enable_homedirs', `
	list_dirs_pattern(git_daemon_t, git_daemon_user_content_type, git_daemon_user_content_type)
	read_files_pattern(git_daemon_t, git_daemon_user_content_type, git_daemon_user_content_type)
	userdom_search_all_users_home_dirs(git_daemon_t)
')

#EOF
git_daemon.if

## <summary>SELinux policy for Git daemon.</summary>
## <desc>
## <p>
## Git daemon is a really simple server for Git
## repositories.
## </p>
## </desc>

#######################################
## <summary>
## The per role template for the Git daemon module.
## </summary>
## <desc>
## <p>
## This template creates derived domains which are used
## for Git daemon.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`git_daemon_per_role_template', `
	gen_require(`
		type git_daemon_exec_t;
		attribute git_daemon_user_content_type;
	')

	########################################
	#
	# Git daemon public declarations.
	#

	type $1_git_daemon_t;
	application_domain($1_git_daemon_t, git_daemon_exec_t)
	role $3 types $1_git_daemon_t;

	type $1_git_daemon_home_t, git_daemon_user_content_type;
	userdom_user_home_content($1, $1_git_daemon_home_t)

	typeattribute $1_git_daemon_home_t git_daemon_user_content_type;

	########################################
	#
	# Git daemon public policy.
	#

	allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms;
	allow $1_git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
	allow $1_git_daemon_t self:tcp_socket { bind read write accept create setopt listen };
	allow $1_git_daemon_t self:udp_socket { create connect write read getattr };

	allow $1_git_daemon_t $2:process sigchld;

	allow $2 $1_git_daemon_t:process { ptrace signal_perms };

	git_daemon_read_user_content($1, $1_git_daemon_t)

	manage_dirs_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	manage_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	exec_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	userdom_search_user_home_dirs($1, $1_git_daemon_t)
	userdom_user_home_dir_filetrans($1, $1_git_daemon_t, $1_git_daemon_home_t, { dir file })

	relabel_dirs_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	relabel_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)

	domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t)

	ps_process_pattern($2, $1_git_daemon_t)

	corecmd_exec_bin($1_git_daemon_t)

	corenet_all_recvfrom_unlabeled($1_git_daemon_t)
	corenet_all_recvfrom_netlabel($1_git_daemon_t)
	corenet_tcp_sendrecv_all_if($1_git_daemon_t)
	corenet_tcp_sendrecv_all_nodes($1_git_daemon_t)
	corenet_tcp_bind_all_nodes($1_git_daemon_t)
	corenet_tcp_bind_git_daemon_port($1_git_daemon_t)

	files_read_etc_files($1_git_daemon_t)
	files_search_home($1_git_daemon_t)
	files_search_usr($1_git_daemon_t)

	fs_search_auto_mountpoints($1_git_daemon_t)

	kernel_read_system_state($1_git_daemon_t)

	libs_use_ld_so($1_git_daemon_t)
	libs_use_shared_libs($1_git_daemon_t)

	logging_send_syslog_msg($1_git_daemon_t)

	miscfiles_read_localization($1_git_daemon_t)

	sysnet_read_config($1_git_daemon_t)

	userdom_use_user_terminals($1, $1_git_daemon_t)

	tunable_policy(`use_nfs_home_dirs', `
		fs_list_nfs($1_git_daemon_t)
		fs_read_nfs_files($1_git_daemon_t)
	')

	tunable_policy(`use_samba_home_dirs', `
		fs_list_cifs($1_git_daemon_t)
		fs_read_cifs_files($1_git_daemon_t)
	')

	optional_policy(`
		nscd_read_pid($1_git_daemon_t)
	')

	optional_policy(`
		nis_use_ypbind($1_git_daemon_t)
	')
')

########################################
## <summary>
## Allow the specified domain to read
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_system_content', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	list_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
	read_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
## Allow the specified domain to manage
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_system_content', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	manage_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
	manage_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
## Allow the specified domain to execute
## Git daemon system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_execute_system_content_files', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	exec_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
## Allow the specified domain to read
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_read_user_content', `
	gen_require(`
		attribute git_daemon_user_content_type;
	')

	allow $2 git_daemon_user_content_type:dir list_dir_perms;
	allow $2 git_daemon_user_content_type:file read_file_perms;
	userdom_search_user_home_dirs($1, $2)
')

########################################
## <summary>
## Allow the specified domain to manage
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_manage_user_content', `
	gen_require(`
		attribute git_daemon_user_content_type;
	')

	allow $2 git_daemon_user_content_type:dir manage_dir_perms;
	allow $2 git_daemon_user_content_type:file manage_file_perms;
	userdom_user_home_dir_filetrans($1, $2, git_daemon_user_content_type, { dir file })
	userdom_search_user_home_dirs($1, $2)
')

########################################
## <summary>
## Allow the specified domain to relabel
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_relabel_user_content', `
	gen_require(`
		attribute git_daemon_user_content_type;
	')

	allow $2 git_daemon_user_content_type:dir relabel_dir_perms;
	allow $2 git_daemon_user_content_type:file relabel_file_perms;
	userdom_search_user_home_dirs($1, $2)
')

########################################
## <summary>
## Allow the specified domain to manage
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_all_content', `
	git_daemon_manage_user_content($1, $2)
	git_daemon_manage_system_content($2)
')

########################################
## <summary>
## Allow the specified domain to read
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_all_content', `
	git_daemon_read_user_content($1, $2)
	git_daemon_read_system_content($2)
')

########################################
## <summary>
## Allow the specified domain to relabel
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_relabel_all_content', `
	git_daemon_relabel_user_content($1, $2)
	git_daemon_relabel_system_content($2)
')

########################################
## <summary>
## Allow the specified domain to list
## Git daemon system content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_list_system_content_dirs', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	list_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
## Allow the specified domain to search
## Git daemon system content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_search_system_content_dirs', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	search_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

#######################################
## <summary>
## The template for creating a Git user domain.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's pty.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`git_daemon_git_user_template',`
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		class context contains;
	')

	##############################
	#
	# Git user public declarations.
	#

	attribute $1_file_type;
	attribute $1_usertype;

	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)

	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)

	role $1_r types $1_t;
	allow system_r $1_r;

	typeattribute $1_t unpriv_userdomain;
	domain_interactive_fd($1_t)

	##############################
	#
	# Git user public policy.
	#

	allow $1_usertype self:context contains;

	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;

	corecmd_exec_bin($1_usertype)

	kernel_read_system_state($1_usertype)

	files_read_etc_files($1_usertype)
	files_search_home($1_usertype)

	git_daemon_manage_system_content($1_usertype)
	git_daemon_execute_system_content_files($1_usertype)

	libs_use_ld_so($1_usertype)
	libs_use_shared_libs($1_usertype)

	miscfiles_read_localization($1_usertype)

	ssh_rw_stream_sockets($1_usertype)

	optional_policy(`
		nscd_read_pid($1_usertype)
	')
')

########################################
## <summary>
## All of the rules required to administrate an
## Git daemon environment
## </summary>
## <param name="userdomain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the user_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the Git daemon domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_admin', `
	gen_require(`
		type git_daemon_t, git_daemon_exec_t, httpd_gitweb_script_exec_t;
	')

	allow $1 git_daemon_t:process { getattr ptrace signal_perms };

	git_daemon_manage_all_content($1, $2)
	git_daemon_relabel_all_content($1, $2)

	miscfiles_manage_public_files($1)

	kernel_search_proc($1)
	allow $1 git_daemon_t:dir list_dir_perms;
	read_files_pattern($1, git_daemon_t, git_daemon_t)
	read_lnk_files_pattern($1, git_daemon_t, git_daemon_t)

	manage_files_pattern($1, httpd_gitweb_script_exec_t, httpd_gitweb_script_exec_t)
	manage_files_pattern($1, git_daemon_exec_t, git_daemon_exec_t)

	seutil_domtrans_setfiles($1)
')

#EOF
git_daemon.fc

########################################
#
# Git daemon contexts
#

HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
HOME_DIR/.gitconfig	--	gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)

/srv/git(/.*)?	gen_context(system_u:object_r:git_daemon_system_content_t, s0)

/usr/bin/git-daemon	--	gen_context(system_u:object_r:git_daemon_exec_t, s0)

/var/www/git/gitweb.cgi	--	gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)

#EOF
But it won't work unless it's modified or integrated properly. Also it might need some polishing.

gitweb.fc

/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
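Two questions in this thread come down to reading /var/log/audit/audit.log carefully before handing it to audit2allow: whether there are AVC records in it at all, and, when there are, whether the CGI actually ran in the custom domain and what the generated rules would grant. The script below is an added example written for this page (it is not code from the thread, from audit2allow, or from setroubleshoot). It parses AVC records in the layout auditd writes, groups the denials by source domain, and flags the two problems Dominick points out: a denial from a domain other than the one the script should run in (httpd_sys_script_t instead of httpd_gitweb_script_t, or an unrelated daemon that the dropped grep would have filtered), and a denial whose target is a catch-all type such as default_t, which usually means a labelling problem rather than a missing rule. The first sample line is the signull denial quoted from setroubleshootd.log above; the other three lines, the function names, and the list of "broad" target types are constructed for this example.

```python
"""Parse SELinux AVC denial records from audit.log and review them before audit2allow."""
import re
from collections import defaultdict

# Field layout of an AVC record as auditd writes it (same layout setroubleshootd
# echoed into its log earlier in the thread); the double spaces are auditd's.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*?)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types a generated allow rule should not quietly grant access to. This list
# is the example's own choice, not something audit2allow enforces: default_t is
# content the policy has no specific label for, unlabeled_t is content with no
# label at all, so a denial on either points at restorecon, not at a new rule.
BROAD_TARGET_TYPES = ("default_t", "unlabeled_t")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one audit.log line; a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", ""),
        "target": fields.get("path") or fields.get("name", ""),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
    }
    rec["sdomain"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def raw_allow_rule(rec):
    """The raw allow rule this denial turns into when fed to audit2allow without -R."""
    return "allow %s %s:%s { %s };" % (
        rec["sdomain"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def review_denials(lines, expected_domain, broad_types=BROAD_TARGET_TYPES):
    """Count denials per source domain and flag unexpected domains and broad targets."""
    denials = [r for r in map(parse_avc, lines) if r and r["result"] == "denied"]
    by_domain = defaultdict(list)
    for r in denials:
        by_domain[r["sdomain"]].append(r)
    findings = []
    for r in denials:
        if r["sdomain"] != expected_domain:
            findings.append(("unexpected-domain", r["serial"],
                             "%s ran as %s" % (r["comm"], r["sdomain"])))
        if r["ttype"] in broad_types:
            findings.append(("broad-target", r["serial"], raw_allow_rule(r)))
    return {"by_domain": {d: len(v) for d, v in by_domain.items()},
            "findings": findings}


# Constructed sample log. Line 1 is the signull denial quoted in the thread; lines
# 2-4 are made up for this example (a CGI run in the generic httpd_sys_script_t
# domain touching a default_t file, a CGI run in the intended custom domain, and a
# SYSCALL record on the same serial that the AVC parser must skip).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1237568294.768:209): avc:  denied  { signull } for  pid=2480 comm="setroubleshootd" '
    'scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1237571000.500:310): avc:  denied  { read } for  pid=3011 comm="gitweb.cgi" name="projects.list" '
    'dev=sda1 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1237571001.200:311): avc:  denied  { search } for  pid=3012 comm="gitweb.cgi" name="git" '
    'dev=sda1 ino=2048 scontext=system_u:system_r:httpd_gitweb_script_t:s0 tcontext=system_u:object_r:git_daemon_system_content_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1237571001.200:311): arch=40000003 syscall=5 success=no exit=-13 comm="gitweb.cgi" exe="/usr/bin/perl"',
]

if __name__ == "__main__":
    report = review_denials(SAMPLE_AUDIT_LOG, "httpd_gitweb_script_t")
    for domain, n in sorted(report["by_domain"].items()):
        print("%-26s %d denial(s)" % (domain, n))
    for kind, serial, detail in report["findings"]:
        print("[%s] audit serial %d: %s" % (kind, serial, detail))
```

On a real system the input would be the output of `ausearch -m avc -ts today` (or the file itself, read as root), and the expected domain is the one the custom module creates, httpd_gitweb_script_t here. Only the denials that come back with no findings are candidates for `audit2allow -R`; an unexpected-domain finding means the .fc entry or restorecon did not take effect, and a broad-target finding means the file needs a proper label rather than a rule.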