Greetings,

I added a cgit package to Fedora yesterday. It's only in rawhide at the moment. cgit is a cgi used to provide a web interface for viewing git repositories (similar to gitweb¹).

Is the preferred method to add policy to the selinux-policy package or are package policy modules the way to go? I thought the former was preferred, but I can't find anything on the wiki other than http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems like it might have been a stalled attempt.

The cgit requirements are fairly minimal, AFAICT. It needs:

* write access to its cache dir, /var/cache/cgit
* read access to git repositories, which default to /var/lib/git, but are likely to be changed by admins (/srv/git is one popular choice).

For the moment, I created a README.SELinux file in the package that details how to set generic contexts to allow the package to work². That README suggests httpd_sys_content_rw_t for the cache and httpd_sys_content_t (or public_content_t) for the git repos. It's quite likely that we'd want a more specific type for the cache dir especially.

Additionally, the cgi itself needs to be httpd_sys_script_exec_t, which happens automagically by virtue of installing it in /var/www/cgi-bin/cgit.

Any help or suggestions would be most welcome. I'd like to get these things worked out before I build the package for F-9, F-10, and EL-5. If crafting a policy requires moving anything around, I'd like to do that before many users install the package and modify their configs.

¹ gitweb has some SELinux issues on F-10 itself, I filed this as https://bugzilla.redhat.com/479613 the other day.

² http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well at first I was skeptical but then I thought I could be like Hillary Clinton, just without the penis.
    -- Lois Griffin, The Family Guy
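The generic labelling the message describes, written out as the commands an admin would run (an added example, not taken from the package's README.SELinux or from the original post). The function names and the path and overlap checks are assumptions of this example; the types and default paths are the ones named in the message.

```shell
#!/bin/sh
# Added example: print the semanage/restorecon commands that give cgit a
# writable cache and read-only repositories, using the types from the message.

# Accept only absolute paths made of plain characters, so the path can be
# embedded in a file-context regex and a shell command without surprises.
valid_dir() {
    case "$1" in
        /|*[!A-Za-z0-9/_.-]*) return 1 ;;  # "/" itself, or any metacharacter
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# emit TYPE DIR: one persistent file-context rule plus the relabel step.
emit() {
    re=$(printf '%s' "$2" | sed 's/\./\\./g')   # "." is a regex wildcard; escape it
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$1" "$re"
    printf "restorecon -R '%s'\n" "$2"
}

# cgit_label_cmds CACHE_DIR REPO_DIR [REPO_TYPE]
cgit_label_cmds() {
    cache=${1%/} repos=${2%/} repo_type=${3:-httpd_sys_content_t}
    valid_dir "$cache" && valid_dir "$repos" || { echo "bad path" >&2; return 1; }
    case "$repo_type" in
        httpd_sys_content_t|public_content_t) ;;   # the two types the message suggests
        *) echo "unexpected repo type: $repo_type" >&2; return 1 ;;
    esac
    # If one tree contains the other, the writable label and the read-only
    # label would compete for the same files; refuse rather than guess.
    case "$cache/" in "$repos"/*) echo "cache is inside repos" >&2; return 1 ;; esac
    case "$repos/" in "$cache"/*) echo "repos are inside cache" >&2; return 1 ;; esac
    emit httpd_sys_content_rw_t "$cache"
    emit "$repo_type" "$repos"
}
```

Review the printed commands and then run them as root, for example `cgit_label_cmds /var/cache/cgit /srv/git`; `ls -Zd` on both directories afterwards shows whether the labels took effect.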