Todd Zullinger wrote:
> Greetings,
>
> I added a cgit package to Fedora yesterday. It's only in rawhide at
> the moment. cgit is a cgi used to provide a web interface for viewing
> git repositories (similar to gitweb¹).
>
> Is the preferred method to add policy to the selinux-policy package or
> are package policy modules the way to go? I thought the former was
> preferred, but I can't find anything on the wiki other than
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
> like it might have been a stalled attempt.
>
> The cgit requirements are fairly minimal, AFAICT. It needs:
>
> * write access to its cache dir, /var/cache/cgit
>
> * read access to git repositories, which default to /var/lib/git,
>   but are likely to be changed by admins (/srv/git is one popular
>   choice). For the moment, I created a README.SELinux file in the
>   package that details how to set generic contexts to allow the
>   package to work².
>
> That README suggests httpd_sys_content_rw_t for the cache and
> httpd_sys_content_t (or public_content_t) for the git repos. It's
> quite likely that we'd want a more specific type for the cache dir
> especially.
>
> Additionally, the cgi itself needs to be httpd_sys_script_exec_t,
> which happens automagically by virtue of installing it in
> /var/www/cgi-bin/cgit.
>
> Any help or suggestions would be most welcome. I'd like to get these
> things worked out before I build the package for F-9, F-10, and EL-5.
> If crafting a policy requires moving anything around, I'd like to do
> that before many users install the package and modify their configs.
>
> ¹ gitweb has some SELinux issues on F-10 itself, I filed this as
>   https://bugzilla.redhat.com/479613 the other day.
>
> ² http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What do you think of this simple policy package?
Attachment: git.tgz
Description: application/compressed-tar

Attachment: git.tgz.sig
Description: Binary data
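
The generic labelling described in the quoted message (httpd_sys_content_rw_t for the cache, httpd_sys_content_t for the repositories), as an added shell example; it is not part of the thread, the attached policy package, or the cgit README.SELinux. The function names and the DRY_RUN variable are hypothetical, and the semanage and restorecon tools are assumed to be installed.

```shell
#!/bin/sh
# Added example: persistently label cgit's cache and repository trees with
# the generic httpd types named in the message. Assumes semanage and
# restorecon are installed; function names and DRY_RUN are hypothetical.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Accept only absolute paths made of characters that are literal in a
# file-context regular expression (a "." would match any character).
valid_dir() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9/_-]*) return 1 ;;
    esac
}

# Run a command, or in dry-run mode print it quoted for copy and paste.
run() {
    [ "$DRY_RUN" = 1 ] || { "$@"; return; }
    line=""
    for a in "$@"; do
        case "$a" in
            *[!A-Za-z0-9/_.-]*) line="$line '$a'" ;;
            *) line="$line $a" ;;
        esac
    done
    echo "${line# }"
}

# Record the context rule for a tree, then relabel what is already there.
label_tree() {
    ctx="$1"; dir="${2%/}"
    valid_dir "$dir" || { echo "refusing path: $2" >&2; return 1; }
    run semanage fcontext -a -t "$ctx" "$dir(/.*)?" &&
        run restorecon -R "$dir"
}

# Defaults are the package paths given in the message.
label_cgit() {
    label_tree httpd_sys_content_rw_t "${1:-/var/cache/cgit}" &&
        label_tree httpd_sys_content_t "${2:-/var/lib/git}"
}

if [ "$#" -gt 0 ]; then label_cgit "$@"; fi
```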