New fedora cgit packages could use some policy updates

Todd Zullinger tmz at pobox.com
Mon Jan 19 19:28:09 UTC 2009


Daniel J Walsh wrote:
> What do you think of this simple policy package.

That looks nice and simple to start with.  Thanks.

Thinking ahead a bit, would we want to name it git or cgit?  There are
several packages/daemons that should eventually become confined by
stricter policy:

    git-daemon - provides the git:// protocol support
    gitweb - provides a CGI in perl for viewing git repos via http[s]
    cgit - provides a CGI in C for viewing git repos via http[s]

For example, gitweb would have no need to access the cgit cache, but
may have other areas that it needs to write to, which would mean
httpd_git_content_rw_t might need to encompass more than needed if it
includes both gitweb and cgit.

There have been a few recent security bugs with gitweb¹, serious
enough to allow remote code execution.  This is definitely the sort of
thing a nice policy could help mitigate. :)

Do you have some links handy for how I'd go about creating a confined
policy for either cgit or gitweb?  That way I could test and add to
the policy to allow it to be as limited as is reasonable.  I'd be
happy to try and help beat something into shape for these git tools.
But I've really not spent a lot of time reading up on creating policy
from scratch.  I've perused your excellent blog, but not enough to be
able to do this yet.

¹ https://bugzilla.redhat.com/show_bug.cgi?id=477523
  https://bugzilla.redhat.com/show_bug.cgi?id=479715

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A vacuum is a hell of a lot better than some of the stuff that nature
replaces it with.
    -- Tennessee Williams
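
[Added example for the archived thread; this is not Todd's mail, Dan's policy package, or anything shipped by Fedora. It sketches the separation described above (one domain per CGI, so gitweb never gets write access to the cgit cache) as a reference-policy module. Assumptions: the refpolicy apache_content_template() interface and the httpd_<prefix>_* types it generates (httpd_gitweb_script_t, httpd_cgit_content_rw_t, and so on), the type name git_repo_t, and the file paths in the .fc section. git-daemon is not an Apache CGI and is left out; it would need a domain of its own.]

```selinux
# gitcgi.te -- added example, not the policy package from the thread.
# Assumes the refpolicy apache_content_template() interface, which creates
# httpd_<prefix>_script_t, httpd_<prefix>_script_exec_t,
# httpd_<prefix>_content_t, httpd_<prefix>_content_rw_t and
# httpd_<prefix>_content_ra_t, plus the transitions from httpd_t.
policy_module(gitcgi, 0.1)

# One CGI domain per viewer, so each gets its own read-only and
# read-write content types instead of a shared httpd_git_content_rw_t.
apache_content_template(gitweb)
apache_content_template(cgit)

# Repositories are served read-only by both CGIs; a type of their own
# (name assumed for the example) keeps them out of either content_rw type.
type git_repo_t;
files_type(git_repo_t)

# Read-only repository access for the gitweb script domain.
list_dirs_pattern(httpd_gitweb_script_t, git_repo_t, git_repo_t)
read_files_pattern(httpd_gitweb_script_t, git_repo_t, git_repo_t)
read_lnk_files_pattern(httpd_gitweb_script_t, git_repo_t, git_repo_t)

# The same for the cgit script domain.
list_dirs_pattern(httpd_cgit_script_t, git_repo_t, git_repo_t)
read_files_pattern(httpd_cgit_script_t, git_repo_t, git_repo_t)
read_lnk_files_pattern(httpd_cgit_script_t, git_repo_t, git_repo_t)

# Both CGIs run git itself to do the actual repository work.
corecmd_exec_bin(httpd_gitweb_script_t)
corecmd_exec_bin(httpd_cgit_script_t)

# Nothing here grants httpd_gitweb_script_t any access to
# httpd_cgit_content_rw_t (the cgit cache), nor the reverse, so a remote
# code execution bug in one viewer does not hand over the other's files.

# gitcgi.fc -- paths are assumptions for the example; check the packages'
# own file lists (rpm -ql cgit gitweb) before relying on them.
/var/www/cgi-bin/cgit        --  gen_context(system_u:object_r:httpd_cgit_script_exec_t,s0)
/var/cache/cgit(/.*)?            gen_context(system_u:object_r:httpd_cgit_content_rw_t,s0)
/var/www/git/gitweb\.cgi     --  gen_context(system_u:object_r:httpd_gitweb_script_exec_t,s0)
/srv/git(/.*)?                   gen_context(system_u:object_r:git_repo_t,s0)
```

To try it: split the two sections into gitcgi.te and gitcgi.fc, build with `make -f /usr/share/selinux/devel/Makefile gitcgi.pp` (selinux-policy-devel), load it with `semodule -i gitcgi.pp`, and relabel the paths with `restorecon -Rv`. The template's transition from httpd_t into the script domains is gated by the httpd_enable_cgi boolean, so that must be on. Then run `semodule -DB` so dontaudit rules do not hide anything, exercise both viewers, and read `audit2allow -a`; add only the rules the specific tool actually needs rather than widening the content_rw types, which is the over-grant the mail warns about.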

[PGP signature attachment scrubbed: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090119/2d1d0b4f/attachment.bin]