git and selinux

Daniel J Walsh dwalsh at redhat.com
Thu Jun 14 14:37:57 UTC 2012


On 06/14/2012 09:26 AM, Pete Stieber wrote:
> On 06/11/2012 08:34 AM, Pete Stieber wrote:
> PS>>>> I'm trying to set up a git server on a Fedora 17 box. I created user name git
> PS>>>> and set up bare Git repos under /home/git/repos. When I clone these
> PS>>>> repos from another machine using
> PS>>>>
> PS>>>> $ git clone git@server_name/repos/RepoName.git RepoName
> PS>>>>
> PS>>>> selinux wants the type of /home/git to be user_home_t.
> PS>>>>
> PS>>>> When I try to use http for read-only, public access using
> PS>>>>
> PS>>>> $ git clone http://server_name/git/RepoName.git RepoName
> PS>>>>
> PS>>>> I'm not sure what to do to use both.
> PS>>>>
> PS>>>> A few versions of Fedora ago, I would get sealert entries in some log
> PS>>>> (/var/log/messages ?) that would give me hints on how to fix this type
> PS>>>> of problem. Is that still available?
> 
> On 6/11/2012 6:40 PM, JG = Jeff Gipson wrote:
> JG>>> Indeed, the package names are (on my system, F17)
> JG>>> setroubleshoot.x86_64 setroubleshoot-plugins.noarch
> JG>>> setroubleshoot-server.x86_64 setroubleshoot-doc.x86_64
> JG>>> If you use Runlevel 5/Graphical target, you also want to run seapplet.
> JG>>> At the command-line, it's sealert.
> 
> On 06/12/2012 09:34 AM, Pete Stieber wrote:
> PS>> Thanks for the info.
> PS>>
> PS>> I ended up using
> PS>>
> PS>> # audit2why < /var/log/audit/audit.log
> PS>>
> PS>> to figure out the complaints and used the suggested fixes:
> PS>>
> PS>> # setsebool -P httpd_enable_homedirs 1
> PS>> # setsebool -P httpd_read_user_content 1
> 
> On 6/12/2012 5:15 AM, Daniel J Walsh wrote:
> DW> Well, we have default labeling for git stores in /var/lib/git
> DW>
> DW> matchpathcon /var/lib/git
> DW> /var/lib/git    system_u:object_r:git_sys_content_t:s0
> DW>
> DW> # semanage fcontext -a -t git_sys_content_t "/home/git(/.*)?"
> DW> # restorecon -R -v /home/git/
> DW>
> DW> I think will solve your problem.  Or move your content to /var/lib/git.
> 
> On 6/12/2012 7:05 AM, DW = Daniel Walsh wrote:
> DW> Those booleans allow httpd to read all user content.
> DW> My solution would be better security. IE your git scripts got hacked,
> DW> apache would be allowed to read your homedir, not just /home/git.
> 
> I tried to do it the right way on my Fedora 17 setup.  I'm getting a
> different context when running matchpathcon...
> 
> matchpathcon /var/lib/git
> /var/lib/git    system_u:object_r:git_system_content_t:s0
> 
> So I tried...
> 
> # semanage fcontext -a -t git_system_content_t "/home/git(/.*)?"
> # restorecon -R -v /home/git/
> 
> This broke my ability to clone the because the protocol used is ssh via the
> git user.  I had to restore the selinux contexts of all of the other files
> and directories around /home/git/repos by hand.  Now I can clone the git
> repos using both ssh and http.  I think the commands should have been:
> 
> # semanage fcontext -a -t git_system_content_t "/home/git/repos(/.*)?"
> # restorecon -R -v /home/git/repos/
> 
> Dan, how do I undo the original semanage command?
> 
> Thanks for the help.  Look for a redmine selinux related post soon. Pete
> 
> 
# semanage fcontext -d "/home/git(/.*)?"

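The labeling procedure the thread settles on, collected into one script as an added example (not code from the thread or from the Fedora policy package): relabel only the bare-repo tree, so httpd can read it through the git type while the rest of the git user's home keeps the user_home_t labels that the ssh login path needs, and keep the matching undo (semanage fcontext -d) next to it. The guard that refuses to relabel a whole home directory, the DRY_RUN switch that prints the plan instead of running semanage, and the default path /home/git/repos are this example's own assumptions; the type name git_system_content_t is the one matchpathcon reported for /var/lib/git on F17 in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes bare repos live under
# /home/git/repos and the git policy type is git_system_content_t.

GIT_TYPE="${GIT_TYPE:-git_system_content_t}"
DRY_RUN="${DRY_RUN:-1}"   # hypothetical switch: 1 prints the plan, 0 runs the commands

# Refuse to relabel an entire home directory. Relabeling /home/git itself
# broke ssh-based clones in the thread, because ~/.ssh and the rest of the
# home lose their user_home_t labels. Only a subdirectory below a home is accepted.
repo_path_is_safe() {
    p="${1%/}"
    case "$p" in
        /home/*/*) return 0 ;;   # e.g. /home/git/repos
        *)         return 1 ;;   # /home/git, /home, /, relative paths
    esac
}

# Build the file-context regex semanage expects for a whole directory tree.
fcontext_regex() {
    printf '%s(/.*)?' "${1%/}"
}

# Either echo the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Apply: add the persistent rule, relabel the tree, then show what the
# policy now expects for the path so the result can be eyeballed.
label_git_repos() {
    repo_path_is_safe "$1" || {
        echo "refusing to relabel $1: not a subdirectory of a home directory" >&2
        return 2
    }
    run semanage fcontext -a -t "$GIT_TYPE" "$(fcontext_regex "$1")"
    run restorecon -R -v "$1"
    run matchpathcon "$1"
}

# Undo: drop the rule and relabel back to the default (user_home_t) context.
unlabel_git_repos() {
    run semanage fcontext -d "$(fcontext_regex "$1")"
    run restorecon -R -v "$1"
}

# Usage on the server (needs root): DRY_RUN=0 ./label-git-repos.sh
# By default the script only prints the plan for /home/git/repos.
label_git_repos "${1:-/home/git/repos}"
```

Run it first with the default DRY_RUN=1 to see the exact semanage and restorecon invocations, then with DRY_RUN=0 as root. Compare `ls -Z /home/git` before and after: only the repos subtree should change type, and `ls -Z ~git/.ssh` should still show the home-directory types that sshd and the git user's login depend on.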