Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> What do you think of this simple policy package.
>
> That looks nice and simple to start with. Thanks.
>
> Thinking ahead a bit, would we want to name it git or cgit? There are
> several packages/daemons that should eventually become confined by
> stricter policy:
>
> git-daemon - provides the git:// protocol support
> gitweb - provides a CGI in perl for viewing git repos via http[s]
> cgit - provides a CGI in C for viewing git repos via http[s]
>
> For example, gitweb would have no need to access the cgit cache, but
> may have other areas that it needs to write to, which would mean
> httpd_git_content_rw_t might need to encompass more than needed if it
> includes both gitweb and cgit.
>
> There have been a few recent security bugs with gitweb¹, serious
> enough to allow remote code execution. This is definitely the sort of
> thing a nice policy could help mitigate. :)
>
> Do you have some links handy for how I'd go about creating a confined
> policy for either cgit or gitweb? That way I could test and add to
> the policy to allow it to be as limited as is reasonable. I'd be
> happy to try and help beat something into shape for these git tools.
> But I've really not spent a lot of time reading up on creating policy
> from scratch. I've perused your excellent blog, but not enough to be
> able to do this yet.
>
> ¹ https://bugzilla.redhat.com/show_bug.cgi?id=477523
> https://bugzilla.redhat.com/show_bug.cgi?id=479715
>

Sorry about this, I seem to have lost this email. The following might help you with writing policy.

http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

> git-daemon - provides the git:// protocol support
> gitweb - provides a CGI in perl for viewing git repos via http[s]
> cgit - provides a CGI in C for viewing git repos via http[s]
>

I would combine gitweb and cgit into the same policy, since there is really very little difference between the two; it really does not matter what you call them, unless one is readonly?

I have added git policy to the base package for rawhide.

selinux-policy-3.6.5-2.fc11

If you could install this policy out with gitweb and cgit, that would be helpful. I made the httpd_git_script_t permissive and have added file context for gitweb as well as cgit.

Extract the tgz file.
execute

make -f /usr/share/selinux/devel/Makefile
semodule -i git.pp
restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit /var/www/git/gitweb.cgi /var/lib/git

Run git and cgit.

Use audit2allow -R >> git.te to add new rules

make -f /usr/share/selinux/devel/Makefile
semodule -i git.pp

Test again, to make sure there are no avc's.

Then if you send me the new policy and the audit.log, I can update fedora policy.

> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
git.tgz
Description: application/compressed-tar
Attachment:
git.tgz.sig
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
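The build / install / relabel / audit2allow loop Dan describes above, written out as a script. This is an added example for this thread, not the git.tgz attached to the message and not Fedora policy code. It assumes git.te, git.fc and git.if sit in the current directory, that selinux-policy-devel provides /usr/share/selinux/devel/Makefile (as in the message), that auditd writes to /var/log/audit/audit.log (an assumption), and that the domain being exercised is httpd_git_script_t, the one the message made permissive. The sample audit lines inside the script are constructed, not captured from a real system.

```shell
#!/bin/sh
# Policy iteration loop for the git/cgit module (added example, not the
# attached git.tgz). Assumes git.te/git.fc/git.if are in the CWD, the devel
# Makefile from selinux-policy-devel, and auditd logging to the default path.
set -u

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile     # from the message
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}     # assumption: default auditd log
# Paths the message relabels after installing the module (word-split on purpose).
LABEL_PATHS="/var/cache/cgit /var/www/cgi-bin/cgit /var/www/git/gitweb.cgi /var/lib/git"

# Pure text filter: keep AVC records whose source domain is $1, e.g.
# httpd_git_script_t. Reads audit lines on stdin, so it also works on a saved
# copy of audit.log on a box without SELinux. Exits 0 even when nothing matches.
avcs_for_domain() {
    grep 'type=AVC' | grep -E "scontext=[^ ]*:$1:" || true
}

# Number of AVC records for domain $1 on stdin: the "no avc's left" check.
count_avcs_for() {
    avcs_for_domain "$1" | wc -l | tr -d ' '
}

# Steps 1-3 from the message: build git.pp, load it, relabel the git paths.
build_and_install() {
    make -f "$DEVEL_MAKEFILE"
    semodule -i git.pp
    restorecon -R -v $LABEL_PATHS
}

# One audit2allow round. audit2allow reads stdin when neither -i nor -a is
# given; -R expresses rules through refpolicy interfaces where it can. The
# generated rules go to a scratch file so they can be read before being merged
# into git.te (drop any require block that redeclares types git.te already
# declares, and reject rules that grant more than the tool actually needs).
generate_rules() {
    domain=$1
    avcs_for_domain "$domain" < "$AUDIT_LOG" | audit2allow -R > "git.$domain.new"
    echo "review git.$domain.new, merge into git.te, then rerun: $0 install"
}

# Constructed sample lines (not from a real system) in the kernel's AVC record
# format; permissive=1 is how a denial from a permissive domain is reported.
SAMPLE_AUDIT='type=AVC msg=audit(1234567890.101:42): avc:  denied  { write } for  pid=2201 comm="cgit" name="cgit" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_git_content_rw_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1234567890.101:42): arch=c000003e syscall=2 success=yes exit=3 comm="cgit"
type=AVC msg=audit(1234567890.102:43): avc:  denied  { read } for  pid=2201 comm="cgit" name="index" dev=dm-0 ino=1235 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_git_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1234567890.103:44): avc:  denied  { read } for  pid=2300 comm="httpd" name=".bashrc" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Offline demonstration of the filter against the constructed sample.
demo_count() {
    printf '%s\n' "$SAMPLE_AUDIT" | count_avcs_for httpd_git_script_t
}

# Only touch the running system when asked explicitly:
#   sh git-policy-loop.sh install    (hypothetical file name)
#   sh git-policy-loop.sh iterate
case "${1:-}" in
    install) build_and_install ;;
    iterate) generate_rules httpd_git_script_t ;;
    *)       echo "sample AVCs for httpd_git_script_t: $(demo_count)" ;;
esac
```

Filtering the audit log down to the one domain before handing it to audit2allow matters: with httpd_git_script_t permissive, every access the CGI makes is logged, but the log also carries denials from httpd_t and everything else on the box, and an unfiltered `audit2allow -R >> git.te` would fold those into the git module. Writing the result to a scratch file instead of appending straight to git.te gives the chance to throw out rules that are wider than the tool needs, which is the whole point of confining gitweb and cgit after the bugs Todd mentions.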