-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/14/2012 09:26 AM, Pete Stieber wrote:
> On 06/11/2012 08:34 AM, Pete Stieber wrote:
> PS>>>> I'm trying to setup a git server on a
> PS>>>> Fedora 17 box. I created user name git
> PS>>>> and setup bare Git repos under
> PS>>>> /home/git/repos. When I clone these
> PS>>>> repos from another machine using
> PS>>>>
> PS>>>> $ git clone git@server_name/repos/RepoName.git RepoName
> PS>>>>
> PS>>>> selinux wants the type of /home/git to be
> PS>>>> user_home_t.
> PS>>>>
> PS>>>> When I try to use http for read-only, public
> PS>>>> access using
> PS>>>>
> PS>>>> $ git clone http://server_name/git/RepoName.git RepoName
> PS>>>>
> PS>>>> I'm not sure what to do to use both.
> PS>>>>
> PS>>>> A few versions of Fedora ago, I would get
> PS>>>> sealert entries in some log (/var/log/messages ?)
> PS>>>> that would give me hints on how to fix this type
> PS>>>> of problem. Is that still available?
>
> On 6/11/2012 6:40 PM, JG = Jeff Gipson wrote:
> JG>>> Indeed, the package names are (on my system, F17)
> JG>>> setroubleshoot.x86_64
> JG>>> setroubleshoot-plugins.noarch
> JG>>> setroubleshoot-server.x86_64
> JG>>> setroubleshoot-doc.x86_64
> JG>>> If you use Runlevel 5/Graphical target, you also
> JG>>> want to run seapplet. At the command-line, it's
> JG>>> sealert.
>
> On 06/12/2012 09:34 AM, Pete Stieber wrote:
> PS>> Thanks for the info.
> PS>>
> PS>> I ended up using
> PS>>
> PS>> # audit2why < /var/log/audit/audit.log
> PS>>
> PS>> to figure out the complaints and used
> PS>> the suggested fixes:
> PS>>
> PS>> # setsebool -P httpd_enable_homedirs 1
> PS>> # setsebool -P httpd_read_user_content 1
>
> On 6/12/2012 5:15 AM, Daniel J Walsh wrote:
> DW> Well, we have default labeling for git
> DW> stores in /var/lib/git
> DW>
> DW> matchpathcon /var/lib/git
> DW> /var/lib/git system_u:object_r:git_sys_content_t:s0
> DW>
> DW> # semanage fcontext -a -t git_sys_content_t "/home/git(/.*)?"
> DW> # restorecon -R -v /home/git/
> DW>
> DW> I think will solve your problem.
> DW> Or move your content to /var/lib/git.
>
> On 6/12/2012 7:05 AM, DW = Daniel Walsh wrote:
> DW> Those booleans allow httpd to read all user content.
> DW> My solution would be better security.
> DW> IE if your git scripts got hacked, apache would be allowed to read
> DW> your homedir, not just /home/git.
>
> I tried to do it the right way on my Fedora 17 setup. I'm getting a
> different context when running matchpathcon...
>
> matchpathcon /var/lib/git
> /var/lib/git system_u:object_r:git_system_content_t:s0
>
> So I tried...
>
> # semanage fcontext -a -t git_system_content_t "/home/git(/.*)?"
> # restorecon -R -v /home/git/
>
> This broke my ability to clone because the protocol used is ssh via the
> git user. I had to restore the selinux contexts of all of the other files
> and directories around /home/git/repos by hand. Now I can clone the git
> repos using both ssh and http. I think the commands should have been:
>
> # semanage fcontext -a -t git_system_content_t "/home/git/repos(/.*)?"
> # restorecon -R -v /home/git/repos/
>
> Dan, how do I undo the original semanage command?
>
> Thanks for the help. Look for a redmine selinux related post soon.
> Pete
>

# semanage fcontext -d "/home/git(/.*)?"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/Z90UACgkQrlYvE4MpobO0jQCgr2ppBy5lbdq0FQIiB1kPgIDA
jVsAnAgQJ8WkC8yqHTIvqUpOtTmY3Sda
=j7L5
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
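The corrected procedure from the thread, scripted as an added example (this is not code from the thread, from Dan Walsh or from Fedora): it deletes the overly broad local rule over all of /home/git, adds the narrower rule for the repository directory only, and relabels, so /home/git itself falls back to the policy's stock home-directory contexts that the ssh path (git user login, ~/.ssh) depends on, while /home/git/repos gets the git type that httpd may read. GIT_HOME, REPO_DIR, DRY_RUN and the helper names are assumptions made for this example. By default it is a dry run that only prints the commands; on the server, run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: script the corrected
# labeling from the post so that httpd can read the bare repos under
# /home/git/repos while /home/git itself keeps the default home-directory
# labels that the ssh path (git user login, ~/.ssh) depends on.
#
# Assumptions: GIT_HOME, REPO_DIR, DRY_RUN and the helper names below are
# invented for this example. Default is a dry run that prints the commands;
# run as root on the server with DRY_RUN=0 to apply them.

GIT_HOME="${GIT_HOME:-/home/git}"
REPO_DIR="${REPO_DIR:-$GIT_HOME/repos}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fcontext_regex DIR: the pattern semanage expects for DIR and everything under it
fcontext_regex() {
    printf '%s(/.*)?' "$1"
}

# git_content_type: the type the installed policy uses for git stores. Take it
# from matchpathcon on the box rather than hard-coding it: the thread shows the
# name differing between suggestions (git_sys_content_t vs git_system_content_t).
git_content_type() {
    if [ "$DRY_RUN" = 1 ]; then
        echo git_system_content_t    # what matchpathcon reported on the poster's F17 box
    else
        matchpathcon -n /var/lib/git | cut -d: -f3
    fi
}

# remove_local_rule REGEX: drop a local fcontext customisation if it exists.
# Deleting the rule changes no files; restorecon does that afterwards.
remove_local_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'semanage fcontext -d %s\n' "$1"
    elif semanage fcontext -l -C | grep -qF "$1"; then
        semanage fcontext -d "$1"
    fi
}

# relabel_git_repos: undo the rule over all of $GIT_HOME, add the narrow rule
# for $REPO_DIR only, then relabel the whole home so $GIT_HOME reverts to the
# stock home-directory contexts and $REPO_DIR picks up the git type.
relabel_git_repos() {
    remove_local_rule "$(fcontext_regex "$GIT_HOME")"
    run semanage fcontext -a -t "$(git_content_type)" "$(fcontext_regex "$REPO_DIR")"
    run restorecon -R -v "$GIT_HOME"
    # Show what the policy now expects versus what is on disk.
    run matchpathcon "$GIT_HOME" "$REPO_DIR"
    run ls -dZ "$GIT_HOME" "$REPO_DIR"
}

relabel_git_repos
```

After applying it, retest both the ssh and the http clone and look at any fresh denials with `ausearch -m avc -ts recent` or `audit2why < /var/log/audit/audit.log`, as the poster did. Two caveats the thread does not settle: `semanage fcontext -d` only removes the rule, so files keep their old label until restorecon runs again; and the post leaves the two `setsebool` changes from earlier in place, so whether the http clone still works with httpd_enable_homedirs and httpd_read_user_content reset to 0 is something to test on the server, not assume.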