New fedora cgit packages could use some policy updates

Daniel J Walsh dwalsh at redhat.com
Thu Jan 15 19:01:29 UTC 2009


Todd Zullinger wrote:
> Greetings,
> 
> I added a cgit package to Fedora yesterday.  It's only in rawhide at
> the moment.  cgit is a cgi used to provide a web interface for viewing
> git repositories (similar to gitweb¹).
> 
> Is the preferred method to add policy to the selinux-policy package or
> are package policy modules the way to go?  I thought the former was
> preferred, but I can't find anything on the wiki other than
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
> like it might have been a stalled attempt.
> 
> The cgit requirements are fairly minimal, AFAICT.  It needs:
> 
>     * write access to its cache dir, /var/cache/cgit
>     
>     * read access to git repositories, which default to /var/lib/git,
>       but are likely to be changed by admins (/srv/git is one popular
>       choice).  For the moment, I created a README.SELinux file in the
>       package that details how to set generic contexts to allow the
>       package to work².
> 
> That README suggests httpd_sys_content_rw_t for the cache and
> httpd_sys_content_t (or public_content_t) for the git repos.  It's
> quite likely that we'd want a more specific type for the cache dir
> especially.
> 
> Additionally, the cgi itself needs to be httpd_sys_script_exec_t,
> which happens automagically by virtue of installing it in
> /var/www/cgi-bin/cgit.
> 
> Any help or suggestions would be most welcome.  I'd like to get these
> things worked out before I build the package for F-9, F-10, and EL-5.
> If crafting a policy requires moving anything around, I'd like to do
> that before many users install the package and modify their configs.
> 
> ¹ gitweb has some SELinux issues on F-10 itself, I filed this as
>   https://bugzilla.redhat.com/479613 the other day.
> 
> ² http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co
> 

What do you think of this simple policy package?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: git.tgz
Type: application/x-compressed-tar
Size: 359 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20090115/a3ab5b9d/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: git.tgz.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20090115/a3ab5b9d/attachment.obj 
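
The generic labelling described in the quoted message, as an added example (it is not the package's README.SELinux and not the contents of the attached git.tgz): a POSIX shell helper that prints the semanage and restorecon commands for the cgit cache directory and for wherever an admin keeps the repositories. The function and variable names are hypothetical; the types and default paths are the ones named in the message.

```shell
#!/bin/sh
# Added example: generate file-context commands for cgit's generic labelling.
# Names below (label_tree, cgit_label_cmds, the variables) are hypothetical.

CGIT_CACHE_DIR=/var/cache/cgit      # cache dir named in the message
DEFAULT_REPO_DIR=/var/lib/git       # default repository location
CACHE_TYPE=httpd_sys_content_rw_t   # type the message suggests for the cache
REPO_TYPE=httpd_sys_content_t       # or public_content_t, per the message

# Print a persistent fcontext rule plus the relabel command for one tree.
# usage: label_tree TYPE DIR
label_tree() {
    lt_dir=${2%/}                   # drop one trailing slash
    case $lt_dir in
        ''|[!/]*|*[!A-Za-z0-9/_.-]*)
            # Empty, relative, or containing shell/regex metacharacters:
            # refuse rather than emit a rule that matches something else.
            echo "label_tree: refusing path '$2'" >&2
            return 1 ;;
    esac
    # File-context specs are regular expressions, so escape literal dots.
    lt_re=$(printf '%s' "$lt_dir" | sed 's/\./\\./g')
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$1" "$lt_re"
    printf "restorecon -R -v '%s'\n" "$lt_dir"
}

# Print the commands for the cache dir and for each repository dir given
# (for example /srv/git); with no arguments the default location is used.
cgit_label_cmds() {
    [ "$#" -gt 0 ] || set -- "$DEFAULT_REPO_DIR"
    label_tree "$CACHE_TYPE" "$CGIT_CACHE_DIR" || return 1
    for repo in "$@"; do
        label_tree "$REPO_TYPE" "$repo" || return 1
    done
}
```

Run `cgit_label_cmds /srv/git` to review the commands, then pipe the output to `sh` as root to apply them.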

