Gitweb and SELinux

Dominick Grift domg472 at gmail.com
Fri Feb 5 16:10:28 UTC 2010


On 02/05/2010 04:53 PM, Michael Cronenworth wrote:
> I am attempting to use gitweb to display git repos that live in /home
> directories. The developers use ssh to push changes to their home
> directory. It seems every Fedora release gitweb and SELinux have
> changes. With Fedora 12, I cannot get SELinux to be happy about
> accessing the git repos.
> 
> Gitweb is pointing to:
> /srv/git/
> Inside of that directory live symlinks to the git repos that live in
> /home/user1/git
> /home/user2/git
> etc.
> 
> I've attached the sealert output about the denial. I tried to assign a
> context of httpd_git_content_ra_t to my git repo, but that did not allow
> access. I realize this may not be "100%" secure, but this setup was
> functioning in Fedoras 11 and under. I'd create a bug, but I'm not sure
> if this setup would be considered a bug of SELinux.
> 

Not really a bug, but this access could be added. Although a revisited
git policy is in rawhide (I do not know if it will also be pushed to f12).

You can use audit2allow to permit this access, or manually write a module:


cat mygitweb.te

policy_module(mygitweb, 1.0.0)

optional_policy(`
	gen_require(`
		type git_data_t, httpd_git_script_t;
	')

	# let the gitweb CGI follow the symlinks in /srv/git and read the repos
	read_lnk_files_pattern(httpd_git_script_t, git_data_t, git_data_t)
	read_files_pattern(httpd_git_script_t, git_data_t, git_data_t)
	read_dirs_pattern(httpd_git_script_t, git_data_t, git_data_t)
')


(build the module)

make -f /usr/share/selinux/devel/Makefile mygitweb.pp

(install the module)

sudo semodule -i mygitweb.pp

> Additional info:
> $ ls -Z /var/www/git/
> -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 git-favicon.png
> -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 git-logo.png
> -rwxr-xr-x. root root system_u:object_r:httpd_git_script_exec_t:s0 gitweb.cgi
> -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 gitweb_config.perl
> -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 gitweb.css
> 
> Any ideas to allow access?
> 
> Thanks,
> Michael
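Added example, not part of Dominick's reply or of the Fedora git policy: a small script that does the job audit2allow would do here, but restricted to read-only access. It parses AVC denial lines from audit.log, groups them by source type, target type and object class, and emits a mygitweb.te module built from the same read_*_pattern interfaces used above. Any permission outside the read set (write, create, execute ...) is reported for manual review instead of being allowed, which is the check worth doing before installing anything audit2allow produces. The AVC lines embedded at the bottom are constructed for this example, and the permission sets assigned to each pattern are an assumption that mirrors the refpolicy read_file_perms, read_lnk_file_perms and list_dir_perms definitions.

```python
"""Turn AVC denials into a minimal, read-only SELinux policy module (example script)."""
import re
from collections import defaultdict

# refpolicy interfaces that grant read-only access, keyed by object class.
# The permission set is what each pattern covers (assumed to match refpolicy's
# read_lnk_file_perms / read_file_perms / list_dir_perms); anything outside it
# is never turned into an allow rule.
READ_PATTERNS = {
    "lnk_file": ("read_lnk_files_pattern", {"read", "getattr"}),
    "file": ("read_files_pattern", {"read", "getattr", "open", "ioctl", "lock"}),
    "dir": ("read_dirs_pattern", {"read", "getattr", "open", "search", "lock", "ioctl"}),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<sctx>\S+)"
    r".*?\btcontext=(?P<tctx>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


def _type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return the denied permissions and the types involved, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": _type_of(m.group("sctx")),
        "ttype": _type_of(m.group("tctx")),
        "tclass": m.group("tclass"),
    }


def collect(lines):
    """Merge denials so each (source type, target type, class) lists every denied permission."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return grouped


def generate_module(name, lines, version="1.0.0"):
    """Build the .te text for the read-only part of the denials.

    Returns (te_text, review): review lists permissions that were NOT granted
    and need a human decision (for example a write to user_home_t).
    """
    rules, review, types = [], [], set()
    for (stype, ttype, tclass), perms in sorted(collect(lines).items()):
        iface, covered = READ_PATTERNS.get(tclass, (None, set()))
        wanted, extra = perms & covered, perms - covered
        if wanted:
            types.update((stype, ttype))
            rules.append(f"{iface}({stype}, {ttype}, {ttype})")
        if extra:
            review.append(f"{stype} -> {ttype}:{tclass} {{ {' '.join(sorted(extra))} }}")
    out = [f"policy_module({name}, {version})", ""]
    if types:
        out += ["gen_require(`", f"\ttype {', '.join(sorted(types))};", "')", ""]
    return "\n".join(out + rules) + "\n", review


# Constructed AVC lines in the shape of the gitweb-in-/srv/git denial; not real log data.
SAMPLE_AVC = [
    'type=AVC msg=audit(1265385208.123:456): avc:  denied  { read } for  pid=2345 comm="gitweb.cgi" '
    'name="user1.git" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:git_data_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1265385208.124:457): avc:  denied  { search } for  pid=2345 comm="gitweb.cgi" '
    'name="git" dev=dm-0 ino=1235 scontext=system_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:git_data_t:s0 tclass=dir',
    'type=AVC msg=audit(1265385208.125:458): avc:  denied  { read getattr } for  pid=2345 comm="gitweb.cgi" '
    'name="HEAD" dev=dm-0 ino=1236 scontext=system_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:git_data_t:s0 tclass=file',
    'type=AVC msg=audit(1265385208.126:459): avc:  denied  { write } for  pid=2345 comm="gitweb.cgi" '
    'name="config" dev=dm-0 ino=1237 scontext=system_u:system_r:httpd_git_script_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == "__main__":
    te, review = generate_module("mygitweb", SAMPLE_AVC)
    print(te)
    for item in review:
        print("NOT granted, review by hand:", item)
```

Feed it `ausearch -m avc -ts recent` output (or the raw /var/log/audit/audit.log lines) instead of SAMPLE_AVC, write the result to mygitweb.te, and build and install it with the make and semodule commands above. The write denial against user_home_t in the sample is deliberately left out of the module: gitweb only needs to read the repositories, and a CGI that can write into home directories is exactly the access the policy exists to deny.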

