git and selinux
Daniel J Walsh
dwalsh at redhat.com
Thu Jun 14 18:44:10 UTC 2012
On 06/14/2012 12:18 PM, Pete Stieber wrote:
> On 6/14/2012 6:26 AM, PS = Pete Stieber wrote:
> PS>> Dan, how do I undo the original semanage command?
>
> On 6/14/2012 7:37 AM, DW = Daniel J Walsh wrote:
> DW> # semanage fcontext -d "/home/git(/.*)?"
>
> Thanks for the help. I seem to be stuck using the original solution
> suggestion made by audit2why. Here's what I tried.
>
> I removed all of my previous semanage commands to restore the original
> contexts for /home/git. ssh access to the repos worked. The
> /home/git/repos selinux context was set to
> unconfined_u:object_r:user_home_t:s0.
>
> I'm guessing the suggested system_u:object_r:git_system_content_t:s0 is for
> the git protocol because I didn't need to use this to get the ssh protocol
> to work.
>
> Now I was in my original state where the ssh protocol worked, but not http.
> I looked through man httpd_selinux for clues and found httpd_git_content_t.
> I tried the following
>
> # semanage fcontext -a -t httpd_git_content_t "/home/git/repos(/.*)?"
> # restorecon -R -v /home/git/repos
>
> but the http protocol didn't work. Here's the audit2why explanation:
>
> type=AVC msg=audit(1339689105.354:33404): avc: denied { getattr } for
> pid=14427 comm="httpd" path="/home/git" dev="dm-2" ino=34340865
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>
> Was caused by: One of the following booleans was set incorrectly.
> Description: Allow httpd to read user content
>
> Allow access by executing: # setsebool -P httpd_read_user_content 1
> Description: Allow httpd to read home directories
>
> Allow access by executing: # setsebool -P httpd_enable_homedirs 1
>
> Apache still can't access something marked as user_home_dir_t.
>
> So I manually changed /home/git...
>
> # chcon -t httpd_git_content_t /home/git
>
> Now the http protocol works, but the ssh protocol stopped working. Here's
> the audit2why output:
>
> type=AVC msg=audit(1339689307.117:33409): avc: denied { search } for
> pid=14598 comm="sshd" name="git" dev="dm-2" ino=34340865
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:httpd_git_content_t:s0 tclass=dir
>
> Was caused by: Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> This isn't very clear, but the problem is the selinux type context on
> /home/git.
>
> I'm going to temporarily go back to default context settings for /home/git
> and the original solution of
>
> # setsebool -P httpd_read_user_content 1
> # setsebool -P httpd_enable_homedirs 1
>
> but I'm willing to try other, more secure solutions.
>
> Patience is a virtue when dealing with selinux ;-)
>
> Again, thanks for your help, Pete
You actually want.
The solution that I am not crazy about is
# setsebool -P httpd_enable_homedirs 1
# semanage fcontext -a -t httpd_git_content_t "/home/git/repos(/.*)?"
# restorecon -R -v /home/git/repos
This should allow httpd to read /home/git/repos and search through the
/home/git directories, but not read general user content.
My problem with this solution is /home/git is really not a user login system.
I guess if you had a repo in your homedir
/home/dwalsh/repos
Then this solution would be perfect.
sshd not being allowed to read it was probably caused by not being able to
search through httpd_git_content_t and read /home/git/.ssh.
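An added diagnostic, not part of this thread or of any Fedora tooling: a small Python parser that pulls the source domain, target type, object class and permissions out of AVC records like the two quoted above, so you can see which domain is being denied what on which label before touching file contexts or booleans. The embedded sample records are the thread's own two denials, joined back onto single lines.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this thread, joined back onto single lines.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1339689105.354:33404): avc: denied { getattr } for '
    'pid=14427 comm="httpd" path="/home/git" dev="dm-2" ino=34340865 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=AVC msg=audit(1339689307.117:33409): avc: denied { search } for '
    'pid=14598 comm="sshd" name="git" dev="dm-2" ino=34340865 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:httpd_git_content_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one.
    The type is the third colon-separated field of user:role:type:level."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    rec['sdomain'] = rec['scontext'].split(':')[2]  # e.g. httpd_t, sshd_t
    rec['ttype'] = rec['tcontext'].split(':')[2]    # e.g. user_home_dir_t
    return rec


def summarize(lines):
    """Group denials by (source domain, target type, class), collecting the
    permissions and object names seen, so the offending label stands out."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['sdomain'], rec['ttype'], rec.get('tclass', '?'))
        groups[key]['perms'].update(rec['perms'])
        groups[key]['objects'].add(rec.get('path') or rec.get('name') or '?')
    return dict(groups)


if __name__ == '__main__':
    for (dom, typ, cls), info in summarize(SAMPLE_AVCS).items():
        print(f"{dom} denied {' '.join(sorted(info['perms']))} on {typ} "
              f"({cls}): {', '.join(sorted(info['objects']))}")
```

Feed it `ausearch -m avc` output (or /var/log/audit/audit.log) one line at a time; the grouped view shows, for example, that httpd_t trips on user_home_dir_t while sshd_t trips on httpd_git_content_t, which is exactly the labeling conflict above.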