Gitweb and SELinux

I am attempting to use gitweb to display git repos that live in /home directories. The developers use ssh to push changes to their home directory. It seems that with every Fedora release gitweb and SELinux change. With Fedora 12, I cannot get SELinux to be happy about accessing the git repos.

Gitweb is pointing to:
/srv/git/
Inside of that directory live symlinks to the git repos that live in
/home/user1/git
/home/user2/git
etc.

I've attached the sealert output about the denial. I tried to assign a context of httpd_git_content_ra_t to my git repo, but that did not allow access. I realize this may not be "100%" secure, but this setup was functioning in Fedoras 11 and under. I'd create a bug, but I'm not sure if this setup would be considered a bug of SELinux.

Additional info:
$ ls -Z /var/www/git/
-rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 git-favicon.png
-rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 git-logo.png
-rwxr-xr-x. root root system_u:object_r:httpd_git_script_exec_t:s0 gitweb.cgi
-rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 gitweb_config.perl
-rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 gitweb.css

Any ideas to allow access?

Thanks,
Michael

Summary:

SELinux is preventing /usr/bin/perl from using potentially mislabeled files
/srv/git/michael.

Detailed Description:

SELinux has denied the gitweb.cgi access to potentially mislabeled files
/srv/git/michael. This means that SELinux will not allow httpd to use these
files. If httpd should be allowed this access to these files you should change
the file context to one of the following types, textrel_shlib_t, fonts_cache_t,
device_t, rpm_script_tmp_t, ld_so_t, proc_t, etc_t, fonts_t, ld_so_t,
configfile, httpd_git_content_ra_t, httpd_git_content_rw_t, public_content_t,
httpd_git_content_t, abrt_t, httpd_git_script_t, etc_runtime_t, lib_t, root_t,
bin_t, exec_type, lib_t, public_content_rw_t, locale_t, etc_t, proc_t, src_t,
etc_runtime_t, lib_t, usr_t. Many third party apps install html files in
directories that SELinux policy cannot predict. These directories have to be
labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /srv/git/michael so that the httpd
daemon can access it, you need to execute it using semanage fcontext -a -t
FILE_TYPE '/srv/git/michael'.
where FILE_TYPE is one of the following: textrel_shlib_t, fonts_cache_t,
device_t, rpm_script_tmp_t, ld_so_t, proc_t, etc_t, fonts_t, ld_so_t,
configfile, httpd_git_content_ra_t, httpd_git_content_rw_t, public_content_t,
httpd_git_content_t, abrt_t, httpd_git_script_t, etc_runtime_t, lib_t, root_t,
bin_t, exec_type, lib_t, public_content_rw_t, locale_t, etc_t, proc_t, src_t,
etc_runtime_t, lib_t, usr_t. You can look at the httpd_selinux man page for
additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_git_script_t:s0
Target Context                system_u:object_r:git_data_t:s0
Target Objects                /srv/git/michael [ lnk_file ]
Source                        gitweb.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          balthasar
Source RPM Packages           perl-5.10.0-87.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     balthasar
Platform                      Linux balthasar 2.6.30.10-105.2.14.fc11.x86_64 #1
                              SMP Wed Feb 3 20:57:05 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu Feb  4 06:28:18 2010
Last Seen                     Fri Feb  5 09:40:07 2010
Local ID                      1dce29b2-fe07-4f6a-a54d-ce543f3db725
Line Numbers                  

Raw Audit Messages            

node=balthasar type=AVC msg=audit(1265384407.169:36613): avc:  denied  { read } for  pid=4293 comm="gitweb.cgi" name="michael" dev=dm-2 ino=1075529239 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:git_data_t:s0 tclass=lnk_file

node=balthasar type=SYSCALL msg=audit(1265384407.169:36613): arch=c000003e syscall=4 success=no exit=-13 a0=1479428 a1=d2c130 a2=d2c130 a3=14d9ea8 items=0 ppid=4290 pid=4293 auid=502 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=57 comm="gitweb.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_git_script_t:s0 key=(null)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
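Added example, not part of Michael's post or of the sealert output quoted in it: a small POSIX shell helper that pulls the security-relevant fields (source type, target type, object class, denied permission) out of a raw AVC record like the one above, and prints the relabel commands that sealert's "Allowing Access" advice maps to. The sample line is copied from the post's Raw Audit Messages; the choice of httpd_git_content_t as the target type is an assumption (it is one of the types sealert lists), and the commands are printed, not executed.

```shell
#!/bin/sh
# Parse an SELinux AVC denial and derive the matching relabel commands.
# Example code added to the page; not from the original mailing-list post.

# Sample record, copied from the post's Raw Audit Messages (constructed input for this example).
AVC_SAMPLE='node=balthasar type=AVC msg=audit(1265384407.169:36613): avc:  denied  { read } for  pid=4293 comm="gitweb.cgi" name="michael" dev=dm-2 ino=1075529239 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:git_data_t:s0 tclass=lnk_file'

# avc_field LINE KEY -> value of the KEY=value pair in the record (empty if absent).
# The leading whitespace anchor keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (user:role:type:level, so field 3).
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_summary LINE -> "source_type target_type tclass perms" on one line,
# i.e. what you would feed to sesearch or compare against a policy rule.
avc_summary() {
    line=$1
    printf '%s %s %s %s\n' \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_perms "$line")"
}

# relabel_plan DIR TYPE -> the two commands sealert's advice corresponds to:
# record a persistent file-context rule for DIR and everything below it, then
# apply it. Printed only; run them yourself once you have reviewed them.
relabel_plan() {
    dir=$1
    type=$2
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Stand-alone run: summarise the sample denial and show the plan for /srv/git.
avc_summary "$AVC_SAMPLE"
relabel_plan /srv/git httpd_git_content_t
```

The summary for the quoted record is `httpd_git_script_t git_data_t lnk_file read`: the gitweb CGI domain is being refused a read of the symlink itself, whose label is git_data_t, not of the repository behind it. `semanage fcontext` only records the rule; nothing changes on disk until `restorecon` runs, and `restorecon` relabels the symlink objects in /srv/git without following them, so the repositories under /home/*/git are separate objects that need their own rule and their own `restorecon` pass. Check the result with `ls -Z /srv/git/` and, if a denial remains, re-run the summary on the new AVC record rather than guessing at the type.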
