git and selinux

Daniel J Walsh dwalsh at redhat.com
Thu Jun 14 18:44:10 UTC 2012



On 06/14/2012 12:18 PM, Pete Stieber wrote:
> On 6/14/2012 6:26 AM, PS = Pete Stieber wrote:
> PS>> Dan, how do I undo the original semanage command?
> 
> On 6/14/2012 7:37 AM, DW = Daniel J Walsh wrote:
> DW> # semanage fcontext -d "/home/git(/.*)?"
> 
> Thanks for the help.  I seem to be stuck using the original solution
> suggestion made by audit2why.  Here's what I tried.
> 
> I removed all of my previous semanage commands to restore the original
> contexts for /home/git.  ssh access to the repos worked.  The
> /home/git/repos selinux context was set to
> unconfined_u:object_r:user_home_t:s0.
> 
> I'm guessing the suggested system_u:object_r:git_system_content_t:s0 is for
> the git protocol because I didn't need to use this to get the ssh protocol
> to work.
> 
> Now I was in my original state where the ssh protocol worked, but not http.
> I looked through man httpd_selinux for clues and found httpd_git_content_t.
> I tried the following
> 
> # semanage fcontext -a -t httpd_git_content_t "/home/git/repos(/.*)?"
> # restorecon -R -v /home/git/repos
> 
> but the http protocol didn't work.  Here's the audit2why explanation:
> 
> type=AVC msg=audit(1339689105.354:33404): avc:  denied  { getattr } for 
> pid=14427 comm="httpd" path="/home/git" dev="dm-2" ino=34340865 
> scontext=system_u:system_r:httpd_t:s0 
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> 
> Was caused by: One of the following booleans was set incorrectly.
> Description: Allow httpd to read user content
> Allow access by executing: # setsebool -P httpd_read_user_content 1
> Description: Allow httpd to read home directories
> Allow access by executing: # setsebool -P httpd_enable_homedirs 1
> 
> Apache still can't access something marked as user_home_dir_t.
> 
> So I manually changed /home/git...
> 
> # chcon -t httpd_git_content_t /home/git
> 
> Now the http protocol works, but the ssh protocol stopped working. Here's
> the audit2why output:
> 
> type=AVC msg=audit(1339689307.117:33409): avc:  denied  { search } for
> pid=14598 comm="sshd" name="git" dev="dm-2" ino=34340865 
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:object_r:httpd_git_content_t:s0 tclass=dir
> 
> Was caused by: Missing type enforcement (TE) allow rule.
> 
> You can use audit2allow to generate a loadable module to allow this
> access.
> 
> This isn't very clear, but the problem is the selinux type context on
> /home/git.
> 
> I'm going to temporarily go back to default context settings for /home/git
> and the original solution of
> 
> # setsebool -P httpd_read_user_content 1
> # setsebool -P httpd_enable_homedirs 1
> 
> but I'm willing to try other, more secure solutions.
> 
> Patience is a virtue when dealing with selinux ;-)
> 
> Again, thanks for your help, Pete

You actually want.



The solution that I am not crazy about is
# setsebool -P httpd_enable_homedirs 1
# semanage fcontext -a -t httpd_git_content_t "/home/git/repos(/.*)?"
# restorecon -R -v /home/git/repos

This should allow httpd to read /home/git/repos and search through the
/home/git directories, but not read general user content.


My problem with this solution is /home/git is really not a user login system.

I guess if you had a repo in your homedir

/home/dwalsh/repos

Then this solution would be perfect.

sshd not being allowed to read it was probably caused by not being able to
search through httpd_git_content_t and read /home/git/.ssh.
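An added example, not part of this thread or of any SELinux tooling: a small POSIX shell/awk script that reads AVC denial records like the two Pete quoted (copied here as constructed sample input) and groups them by device and inode. It makes the labeling conflict visible without guessing: the same directory (dev dm-2, ino 34340865) was denied to httpd_t while labeled user_home_dir_t and to sshd_t after being relabeled httpd_git_content_t, which is why a chcon on /home/git itself only moves the breakage from one service to the other, and why the boolean plus a label on the repos subdirectory is the workable combination.

```shell
#!/bin/sh
# Constructed sample: the two AVC records quoted in the thread, one per line.
AVC_SAMPLE='type=AVC msg=audit(1339689105.354:33404): avc:  denied  { getattr } for pid=14427 comm="httpd" path="/home/git" dev="dm-2" ino=34340865 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1339689307.117:33409): avc:  denied  { search } for pid=14598 comm="sshd" name="git" dev="dm-2" ino=34340865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_git_content_t:s0 tclass=dir'

# summarize_avc: read AVC lines on stdin, print one line per denial as
#   <source domain> <permission(s)> <target type>:<class> <path or name>
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; obj = "?"
        # the permission set sits between the braces: "denied  { getattr }"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            key = kv[1]; val = kv[2]; gsub(/"/, "", val)
            # third colon-separated field of a context is the type
            if (key == "scontext") { split(val, p, ":"); src = p[3] }
            else if (key == "tcontext") { split(val, p, ":"); tgt = p[3] }
            else if (key == "tclass") cls = val
            else if (key == "path" || key == "name") obj = val
        }
        print src, perm, tgt ":" cls, obj
    }'
}

# conflicts_by_inode: group denials by dev:ino and report objects that more
# than one source domain was denied on, listing every label seen on them.
# Such an object cannot be fixed by relabeling alone: each label satisfies
# one domain and breaks the other.
conflicts_by_inode() {
    awk '
    /type=AVC/ && /denied/ {
        src = ""; tgt = ""; dev = ""; ino = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            key = kv[1]; val = kv[2]; gsub(/"/, "", val)
            if (key == "scontext") { split(val, p, ":"); src = p[3] }
            else if (key == "tcontext") { split(val, p, ":"); tgt = p[3] }
            else if (key == "dev") dev = val
            else if (key == "ino") ino = val
        }
        id = dev ":" ino
        if (!seen[id, "s", src]++) srcs[id] = srcs[id] (srcs[id] ? "," : "") src
        if (!seen[id, "t", tgt]++) tgts[id] = tgts[id] (tgts[id] ? "," : "") tgt
        n[id]++
    }
    END {
        for (id in srcs)
            if (n[id] > 1) print id, "domains=" srcs[id], "labels_seen=" tgts[id]
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | conflicts_by_inode
```

In practice the input would be `ausearch -m avc` output or the raw audit log; the grouping line is the thing to look for before deciding whether a boolean, a file context rule on a subdirectory, or a custom module is the right fix.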


