On 06/14/2012 12:18 PM, Pete Stieber wrote:
> On 6/14/2012 6:26 AM, PS = Pete Stieber wrote:
> PS>> Dan, how do I undo the original semanage command?
>
> On 6/14/2012 7:37 AM, DW = Daniel J Walsh wrote:
> DW> # semanage fcontext -d "/home/git(/.*)?"
>
> Thanks for the help. I seem to be stuck using the original solution
> suggestion made by audit2why. Here's what I tried.
>
> I removed all of my previous semanage commands to restore the original
> contexts for /home/git. ssh access to the repos worked. The
> /home/git/repos selinux context was set to
> unconfined_u:object_r:user_home_t:s0.
>
> I'm guessing the suggested system_u:object_r:git_system_content_t:s0 is for
> the git protocol because I didn't need to use this to get the ssh protocol
> to work.
>
> Now I was in my original state where the ssh protocol worked, but not http.
> I looked through man httpd_selinux for clues and found httpd_git_content_t.
> I tried the following
>
> # semanage fcontext -a -t httpd_git_content_t "/home/git/repos(/.*)?"
> # restorecon -R -v /home/git/repos
>
> but the http protocol didn't work. Here's the audit2why explanation:
>
> type=AVC msg=audit(1339689105.354:33404): avc: denied { getattr } for
> pid=14427 comm="httpd" path="/home/git" dev="dm-2" ino=34340865
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>
> Was caused by:
> One of the following booleans was set incorrectly.
> Description: Allow httpd to read user content
>
> Allow access by executing:
> # setsebool -P httpd_read_user_content 1
> Description: Allow httpd to read home directories
>
> Allow access by executing:
> # setsebool -P httpd_enable_homedirs 1
>
> Apache still can't access something marked as user_home_dir_t.
>
> So I manually changed /home/git...
>
> # chcon -t httpd_git_content_t /home/git
>
> Now the http protocol works, but the ssh protocol stopped working. Here's
> the audit2why output:
>
> type=AVC msg=audit(1339689307.117:33409): avc: denied { search } for
> pid=14598 comm="sshd" name="git" dev="dm-2" ino=34340865
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:httpd_git_content_t:s0 tclass=dir
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> This isn't very clear, but the problem is the selinux type context on
> /home/git.
>
> I'm going to temporarily go back to default context settings for /home/git
> and the original solution of
>
> # setsebool -P httpd_read_user_content 1
> # setsebool -P httpd_enable_homedirs 1
>
> but I'm willing to try other, more secure solutions.
>
> Patience is a virtue when dealing with selinux ;-)
>
> Again, thanks for your help,
> Pete

You actually want.

The solution that I am not crazy about is

# setsebool -P httpd_enable_homedirs 1
# semanage fcontext -a -t httpd_git_content_t "/home/git/repos(/.*)?"
# restorecon -R -v /home/git/repos

This should allow httpd to read /home/git/repos and search through the
/home/git directories, but not read general user content.

My problem with this solution is that /home/git is really not a user login
system. I guess if you had a repo in your homedir, /home/dwalsh/repos, then
this solution would be perfect.

sshd not being allowed to read it was probably caused by not being able to
search through httpd_git_content_t and read /home/git/.ssh

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
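An added example, not code from the thread or from either poster: a small Python parser for the two AVC denials Pete quoted, which groups them by device and inode so the label conflict Dan describes becomes explicit (httpd_t and sshd_t are each denied on the same inode 34340865, i.e. /home/git, under a different label). The field names, `describe` and `label_conflicts` helpers are my own; the AVC lines are the ones quoted above.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in the thread; both refer to dev dm-2, inode 34340865 (/home/git).
AVC_LINES = [
    'type=AVC msg=audit(1339689105.354:33404): avc: denied { getattr } for pid=14427 '
    'comm="httpd" path="/home/git" dev="dm-2" ino=34340865 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=AVC msg=audit(1339689307.117:33409): avc: denied { search } for pid=14598 '
    'comm="sshd" name="git" dev="dm-2" ino=34340865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:httpd_git_content_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    ctx_type = lambda ctx: ctx.split(':')[2]  # user:role:type[:range] -> type
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),
        'dev': fields.get('dev'),
        'ino': fields.get('ino'),
        'tclass': fields.get('tclass'),
        'stype': ctx_type(fields['scontext']),
        'ttype': ctx_type(fields['tcontext']),
    }

def describe(rec):
    """One-line summary in the spirit of audit2why's first line."""
    return '%s (%s) denied %s on %s %s labelled %s' % (
        rec['stype'], rec['comm'], ','.join(rec['perms']), rec['tclass'], rec['object'], rec['ttype'])

def label_conflicts(records):
    """Group denials by (dev, ino). An object that several source domains are denied
    under different labels is one that relabeling alone (chcon) cannot satisfy:
    each chcon just moves the denial from one daemon to the other."""
    by_obj = defaultdict(list)
    for r in records:
        by_obj[(r['dev'], r['ino'])].append(r)
    return {key: {'domains': sorted({r['stype'] for r in recs}),
                  'labels': sorted({r['ttype'] for r in recs})}
            for key, recs in by_obj.items() if len({r['stype'] for r in recs}) > 1}

if __name__ == '__main__':
    recs = [r for r in map(parse_avc, AVC_LINES) if r]
    for r in recs:
        print(describe(r))
    print(label_conflicts(recs))
```

Feeding it `ausearch -m avc` output from a real host gives the same grouping, which is a quick way to tell a boolean or fcontext problem (one object, several competing domains) from a plain missing allow rule.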