Re: New fedora cgit packages could use some policy updates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> What do you think of this simple policy package.
> 
> That looks nice and simple to start with.  Thanks.
> 
> Thinking ahead a bit, would we want to name it git or cgit?  There are
> several packages/daemons that should eventually become confined by
> stricter policy:
> 
>     git-daemon - provides the git:// protocol support
>     gitweb - provides a CGI in perl for viewing git repos via http[s]
>     cgit - provides a CGI in C for viewing git repos via http[s]
> 
> For example, gitweb would have no need to access the cgit cache, but
> may have other areas that it needs to write to, which would mean
> httpd_git_content_rw_t might need to encompass more than needed if it
> includes both gitweb and cgit.
> 
> There have been a few recent security bugs with gitweb¹, serious
> enough to allow remote code execution.  This is definitely the sort of
> thing a nice policy could help mitigate. :)
> 
> Do you have some links handy for how I'd go about creating a confined
> policy for either cgit or gitweb?  That way I could test and add to
> the policy to allow it to be as limited as is reasonable.  I'd be
> happy to try and help beat something into shape for these git tools.
> But I've really not spent a lot of time reading up on creating policy
> from scratch.  I've perused your excellent blog, but not enough to be
> able to do this yet.
> 
> ¹ https://bugzilla.redhat.com/show_bug.cgi?id=477523
>   https://bugzilla.redhat.com/show_bug.cgi?id=479715
> 
> 
Sorry about this, I seem to have lost this email.

THe following might help you with writing policy.

http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

>     git-daemon - provides the git:// protocol support
>     gitweb - provides a CGI in perl for viewing git repos via http[s]
>     cgit - provides a CGI in C for viewing git repos via http[s]
>

I would combine gitweb and cgit into the same policy since there is
really very little different between the two, it really does not matter
what you call them, unless one is readonly?

I have added git policy to the base package for rawhide.

selinux-policy-3.6.5-2.fc11

If you could install this policy out with gitweb and cgit, that would be
helpful.

I made the httpd_git_script_t permissive and have added file context for
gitweb as well as cgit.

Extract the tgz file.
execute

make -f /usr/share/selinux/devel/Makefile
semodule -i git.pp
restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit
/var/www/git/gitweb.cgi  /var/lib/git

Run git and cgit.

Use

audit2allow -R >> git.te

to add
make -f /usr/share/selinux/devel/Makefile
semodule -i git.ppnew rules

Test again, to make sure there are no avc's.

Then if you send me the new policy and the audit.log, I can update
fedora policy.
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmRZsQACgkQrlYvE4MpobMnHgCgzsabAv8/QD7RJS1SX7LQUuG0
ZsUAoKumZBFJnrrWvl5q3KY4zp/qNgw3
=WPT7
-----END PGP SIGNATURE-----

Attachment: git.tgz
Description: application/compressed-tar

Attachment: git.tgz.sig
Description: PGP signature

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux