Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> Sorry about this, I seem to have lost this email.
>
> No worries. :)
>
>> The following might help you with writing policy.
>>
>> http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
>
> Indeed it will. Thank you.
>
>> I would combine gitweb and cgit into the same policy since there is
>> really very little different between the two, it really does not matter
>> what you call them, unless one is readonly?
>
> Well, only cgit needs write access to /var/cache/cgit. I don't know
> where, or if, gitweb writes any temp files. If it does, I don't see
> the policy you attached denying them.
>
>> I have added git policy to the base package for rawhide.
>>
>> selinux-policy-3.6.5-2.fc11
>>
>> If you could install this policy out with gitweb and cgit, that would be
>> helpful.
>>
>> I made the httpd_git_script_t permissive and have added file context for
>> gitweb as well as cgit.
>
> Is there a corresponding strict mode? For this:
>
> permissive httpd_git_script_t;

Removing the line makes it strict.

> If so, I could test it that way and maybe tighten up the policy
> further.
>
>> Extract the tgz file.
>> execute
>>
>> make -f /usr/share/selinux/devel/Makefile
>> semodule -i git.pp
>> restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit \
>>     /var/www/git/gitweb.cgi /var/lib/git
>>
>> Run git and cgit.
>>
>> Use
>>
>> audit2allow -R >> git.te
>>
>> to add new rules
>>
>> make -f /usr/share/selinux/devel/Makefile
>> semodule -i git.pp
>>
>> Test again, to make sure there are no avc's.
>>
>> Then if you send me the new policy and the audit.log, I can update
>> fedora policy.
>
> Done. There weren't many additional AVCs in my testing (which I'm
> sure could miss some odd use case that someone else will find).
> Attached is an updated git.te and the raw audit messages (broken down
> by which tool caused the AVC).
>
> Is the search on var_lib_t something that we would want to limit?

no

> I don't think cgit, git-daemon, or gitweb should need more than
> /var/lib/git (and /var/cache/cgit in cgit's case). It _seemed_ that
> they ran fine even when this was denied, but perhaps I just didn't
> notice some subtle breakage.
>
> Thanks for all the help.
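An added example (Python; not code from the thread, Fedora's policy package or audit2allow) that does by hand what the workflow above leans on audit2allow for: it parses raw AVC messages, groups them by the tool that caused them, and merges them into TE rules, treating a bare search on var_lib_t as a dontaudit candidate rather than an allow, since the thread reports the tools ran fine with it denied. The audit lines are constructed, and httpd_git_rw_content_t is an assumed type name for the cgit cache directory.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not the thread's attachment). httpd_git_script_t and
# var_lib_t come from the thread; httpd_git_rw_content_t is an assumed cache-dir type.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1230000000.101:41): avc:  denied  { search } for  pid=2345 comm="cgit" name="lib" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1230000000.102:42): avc:  denied  { search } for  pid=2346 comm="gitweb.cgi" name="lib" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1230000000.103:43): avc:  denied  { write } for  pid=2345 comm="cgit" name="cgit" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_git_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1230000000.103:43): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def denials(audit_text):
    """Yield one record per AVC denial, skipping other audit record types."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "comm": m.group("comm"),
                "perms": set(m.group("perms").split()),
                "stype": m.group("scontext").split(":")[2],  # source domain type
                "ttype": m.group("tcontext").split(":")[2],  # target type
                "tclass": m.group("tclass"),
            }

def denials_by_tool(audit_text):
    """Group denials by the command that caused them, as the thread's attachment was."""
    by_tool = defaultdict(list)
    for rec in denials(audit_text):
        by_tool[rec["comm"]].append(rec)
    return dict(by_tool)

def render_rules(audit_text, dontaudit_types=("var_lib_t",)):
    """Merge denials into TE rules the way audit2allow does, but emit dontaudit
    instead of allow for a bare directory search on the listed types."""
    merged = defaultdict(set)
    for rec in denials(audit_text):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        kind = "dontaudit" if ttype in dontaudit_types and perms == {"search"} else "allow"
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {plist};")
    return rules
```

Pass `dontaudit_types=()` to get plain allow rules for everything, which is what audit2allow -R would have produced for the same input.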