Re: svnsync

On 06/28/2010 04:08 AM, Vadym Chepkov wrote:
> Hi,
> 
> I configured svnsync to be triggered from a subversion hook, to maintain remote replicas.
> I had my own type for hooks defined, so audit2allow shows it.
> 
> This is what it suggests:
> 
> require {
> 	type httpd_svn_script_t;
> 	class netlink_route_socket { write getattr read bind create nlmsg_read };
> }
> 
> #============= httpd_svn_script_t ==============
> allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> kernel_read_kernel_sysctls(httpd_svn_script_t)
> 
> 
> I am kind of concerned about the kernel bits; why svnsync would need it, I have no clue.
> Also I can see a boolean httpd_can_network_relay, which is set to off by default and is not documented in man httpd_selinux.
> Could it be related somehow?

That boolean seems to not be related:


$ sesearch -SC --allow -s httpd_t | grep httpd_can_network_relay | less
DT allow httpd_t gopher_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t memcache_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_cache_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t ftp_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t ftp_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_cache_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t gopher_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t memcache_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]

Although I am currently not using Fedora's httpd policy, so yours may
differ.

I couldn't find the svn module on short notice either, so I am not able
to verify either.

So with the information I do have, httpd domains currently aren't able to
create netlink sockets.

Try to figure out why your web app needs it, and if legit use
audit2allow to permit it.




> Thanks,
> Vadym Chepkov 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux



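As an added example (not code from the thread), a small POSIX sh helper for the review step the reply recommends: it takes the .te that audit2allow writes and lists the grants touching netlink sockets or kernel_* interfaces, so the questionable rules are looked at before the module is loaded. The watchlist and the extra tmp_t rule in the sample are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the thread. Reviews a policy module (.te)
# such as the one "ausearch -m avc -ts recent | audit2allow -R -M svnhook"
# writes to svnhook.te, and prints every grant that touches a watched
# class or interface so it can be checked before "semodule -i svnhook.pp".
# Whether a grant already exists can be confirmed with e.g.
#   sesearch --allow -s httpd_svn_script_t -c netlink_route_socket

# Assumed watchlist (extended regex): classes/interfaces worth a second look.
WATCHLIST='netlink_[a-z_]*socket|kernel_[a-z_]*|capability|sys_admin|sys_module'

# list_sensitive FILE: print allow rules and interface calls in FILE that
# match WATCHLIST. Lines inside the require { } block are skipped because
# type/class declarations grant nothing by themselves.
list_sensitive() {
    grep -E '^(allow |[a-z_]+\()' "$1" | grep -E "$WATCHLIST" || true
}

# count_sensitive FILE: number of lines list_sensitive would print.
count_sensitive() {
    list_sensitive "$1" | grep -c . || true
}

# Constructed sample: the audit2allow output quoted in the thread, plus one
# harmless file rule (made up here) to show that it is not flagged.
SAMPLE_TE=$(mktemp)
cat > "$SAMPLE_TE" <<'EOF'
require {
    type httpd_svn_script_t;
    type tmp_t;
    class netlink_route_socket { write getattr read bind create nlmsg_read };
    class file { read open };
}

#============= httpd_svn_script_t ==============
allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow httpd_svn_script_t tmp_t:file { read open };
kernel_read_kernel_sysctls(httpd_svn_script_t)
EOF

echo "Rules needing review in $SAMPLE_TE:"
list_sensitive "$SAMPLE_TE"
```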
