New fedora cgit packages could use some policy updates

Todd Zullinger tmz at pobox.com
Wed Jan 14 16:45:16 UTC 2009


Greetings,

I added a cgit package to Fedora yesterday.  It's only in rawhide at
the moment.  cgit is a cgi used to provide a web interface for viewing
git repositories (similar to gitweb¹).

Is the preferred method to add policy to the selinux-policy package or
are package policy modules the way to go?  I thought the former was
preferred, but I can't find anything on the wiki other than
http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
like it might have been a stalled attempt.

The cgit requirements are fairly minimal, AFAICT.  It needs:

    * write access to its cache dir, /var/cache/cgit
    
    * read access to git repositories, which default to /var/lib/git,
      but are likely to be changed by admins (/srv/git is one popular
      choice).  For the moment, I created a README.SELinux file in the
      package that details how to set generic contexts to allow the
      package to work².

That README suggests httpd_sys_content_rw_t for the cache and
httpd_sys_content_t (or public_content_t) for the git repos.  It's
quite likely that we'd want a more specific type for the cache dir
especially.

Additionally, the cgi itself needs to be httpd_sys_script_exec_t,
which happens automagically by virtue of installing it in
/var/www/cgi-bin/cgit.

Any help or suggestions would be most welcome.  I'd like to get these
things worked out before I build the package for F-9, F-10, and EL-5.
If crafting a policy requires moving anything around, I'd like to do
that before many users install the package and modify their configs.

¹ gitweb has some SELinux issues on F-10 itself, I filed this as
  https://bugzilla.redhat.com/479613 the other day.

² http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well at first I was skeptical but then I thought I could be like
Hillary Clinton, just without the penis.
    -- Lois Griffin, The Family Guy
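The labelling that README.SELinux describes, written out as an added example (this is not the package's README or cgit's code): record the contexts named above with semanage fcontext, apply them with restorecon, and verify with stat. The path defaults are the Fedora locations from the mail; GIT_ROOT can be pointed at /srv/git or wherever the repos were moved, and the helper names are my own.

```shell
# Added example, not cgit's README.SELinux: label the paths named in the
# post and verify the result. Defaults are the Fedora locations from the
# mail; admins who keep repos elsewhere (e.g. /srv/git) set GIT_ROOT.
set -eu
CGIT_CACHE=${CGIT_CACHE:-/var/cache/cgit}   # cgit writes here
GIT_ROOT=${GIT_ROOT:-/var/lib/git}          # repos, read-only for httpd
CGIT_CGI=${CGIT_CGI:-/var/www/cgi-bin/cgit} # the cgi binary

# Type field (3rd colon-separated field) of a context string such as
# system_u:object_r:httpd_sys_content_rw_t:s0 -> httpd_sys_content_rw_t
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# semanage pattern covering a directory and everything beneath it.
fcontext_regex() { printf '%s(/.*)?\n' "$1"; }

# Persist a file-context rule (add, or modify if one already exists)
# and relabel the tree so existing files pick it up.
label_tree() {  # label_tree <type> <dir>
    pattern=$(fcontext_regex "$2")
    semanage fcontext -a -t "$1" "$pattern" 2>/dev/null ||
        semanage fcontext -m -t "$1" "$pattern"
    restorecon -Rv "$2"
}

# Compare the on-disk type with the one we expect; non-zero on mismatch.
check_path() {  # check_path <path> <expected_type>
    actual=$(ctx_type "$(stat -c %C "$1")")
    if [ "$actual" = "$2" ]; then
        echo "ok   $1: $actual"
    else
        echo "FAIL $1: $actual (expected $2)" >&2
        return 1
    fi
}

apply_labels() {
    label_tree httpd_sys_content_rw_t "$CGIT_CACHE"
    label_tree httpd_sys_content_t "$GIT_ROOT"
    # /var/www/cgi-bin is already httpd_sys_script_exec_t in the base
    # policy, so the cgi only needs its default context restored.
    restorecon -v "$CGIT_CGI"
}

check_labels() {
    check_path "$CGIT_CACHE" httpd_sys_content_rw_t
    check_path "$GIT_ROOT"   httpd_sys_content_t
    check_path "$CGIT_CGI"   httpd_sys_script_exec_t
}

case "${1:-}" in
    apply) apply_labels && check_labels ;;
    check) check_labels ;;
    *)     echo "usage: $0 apply|check (run as root)" >&2 ;;
esac
```

`check` can be run unprivileged after installation to confirm nothing was relabelled by a later restorecon or package update.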
