Re: SELinux and gitosis (FC11)

On Tue, 2009-06-30 at 16:21 +0100, Jonathan Stott wrote:
> Hi all
> 
> Today I updated to FC11 and gitosis stopped working (gitosis is a collection of scripts for easing multiuser access to git repositories over ssh).  I can tell it's an SELinux problem, because '/sbin/setenforcing 0' clears it up.
> 
> On the server, the git repositories are managed by the 'git' user, which has the guest_u selinux type (though it also fails when given the user_u user).  The home directory (/home/git) has the correct selinux context (user_home_t) as far as I can tell and I've run 'restorecon -Rvv' anyway, just to be sure.  gitosis works by calling a system binary, gitosis-serve, which lives in /usr/bin/ and has the type of 'bin_t' so guest_u should be able to execute it.  Even with 'setenforcing 0' no AVC denials are created though.  Checking /var/log/secure shows that the key is being accepted, and it seems like the process then hangs.
> 
> Any suggestions appreciated,
> Regards
> Jon

Hi,

Unload any silenced denials by running: semodule -DB

Try gitosis again (in permissive mode).

After that see /var/log/audit/audit.log and attach the applicable part
so that we can have a look.

After testing put it back into enforcing mode and reload the silenced
denials with semodule -B

We need to have a look at AVC denials.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Attachment: signature.asc
Description: This is a digitally signed message part
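
The procedure from the reply above, as an added shell example that is not part of the original message. The function names (`summarize_avc`, `collect_denials`, `sample_log`) are hypothetical, the audit records are constructed, and `example_t` is a placeholder type; the live path assumes root and auditd logging to /var/log/audit/audit.log.

```bash
#!/bin/sh
# Added example, not from the thread. Run without arguments to summarise the
# constructed sample; run as root with "--live guest_u" on the server.

# Summarise AVC denials on stdin whose source context belongs to SELinux
# user $1: one line per distinct denial, prefixed by how often it occurred.
summarize_avc() {
    awk -v user="$1" '
        /^type=AVC / && / denied / {
            perms = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""
            if (match($0, /[{] [^}]* [}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) sctx = substr($i, 10)
                if ($i ~ /^tcontext=/) tctx = substr($i, 10)
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            }
            if (index(sctx, user ":") != 1) next   # other SELinux users
            seen[comm " " sctx " -> " tctx " " tclass " { " perms " }"]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# The reply's steps: disable dontaudit rules, go permissive, reproduce, report
# only the audit records written since the start, then restore policy and mode.
collect_denials() {
    log=/var/log/audit/audit.log
    was=$(getenforce)
    before=$(wc -l < "$log")
    trap 'semodule -B; [ "$was" != Enforcing ] || setenforce 1' EXIT
    semodule -DB
    setenforce 0
    printf 'Reproduce the gitosis failure from a client, then press Enter: '
    read -r reply
    tail -n +"$((before + 1))" "$log" | summarize_avc "$1"
}

# Constructed audit records (example_t is a placeholder, not a finding).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1246375301.101:71): avc:  denied  { search } for  pid=2301 comm="gitosis-serve" name="git" dev=dm-0 ino=1201 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir
type=SYSCALL msg=audit(1246375301.101:71): arch=c000003e syscall=2 success=no exit=-13 comm="gitosis-serve"
type=AVC msg=audit(1246375309.552:78): avc:  denied  { search } for  pid=2310 comm="gitosis-serve" name="git" dev=dm-0 ino=1201 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir
type=AVC msg=audit(1246375309.560:79): avc:  denied  { read open } for  pid=2310 comm="gitosis-serve" name="conf" dev=dm-0 ino=1202 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
type=AVC msg=audit(1246375311.004:80): avc:  denied  { getattr } for  pid=2290 comm="sshd" name="x" dev=dm-0 ino=1203 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_t:s0 tclass=file
EOF
}

if [ "${1:-}" = "--live" ]; then collect_denials "${2:-guest_u}"
else sample_log | summarize_avc guest_u; fi
```

The EXIT trap reloads the dontaudit rules and restores enforcing mode even if the run is interrupted, so the server is not left permissive with a noisy policy.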
