On Jun 28, 2010, at 11:33 AM, Daniel J Walsh wrote: > On 06/27/2010 10:08 PM, Vadym Chepkov wrote: >> Hi, >> >> I configured svnsync to be triggered from a subversion hook, to maintain remote replicas. >> I had my own type for hooks defined, so audit2allow shows it. >> >> This is what it suggests: >> >> require { >> type httpd_svn_script_t; >> class netlink_route_socket { write getattr read bind create nlmsg_read }; >> } >> >> #============= httpd_svn_script_t ============== >> allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; >> kernel_read_kernel_sysctls(httpd_svn_script_t) >> > Do you have the raw AVC output? Sometimes the tools pick too much access. > > Did you build local policy? httpd_svn_script_t does not exist in the > Fedora Policy package. Correct, I did; the standard policy is not sufficient for Subversion's hooks, and I don't expect it to be. This is what I have: # grep svn local.te apache_content_template(svn) domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t) allow httpd_t httpd_svn_script_exec_t:lnk_file { read getattr }; allow httpd_svn_script_t httpd_svn_script_exec_t:lnk_file { read getattr }; files_search_var_lib(httpd_svn_script_t) allow httpd_svn_script_t httpd_reviewboard_log_t:file append; # grep svn local.fc # svn /var/svn(/.*)? gen_context(system_u:object_r:httpd_svn_script_ro_t,s0) /var/svn/(.*/)?hooks(/.*)? gen_context(system_u:object_r:httpd_svn_script_exec_t,s0) /var/svn/(.*/)?dav(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0) /var/svn/(.*/)?locks(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0) /var/svn/(.*/)?db(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0) /var/lib/apache(/.*)? 
gen_context(system_u:object_r:httpd_svn_script_rw_t,s0) # ausearch -m avc -ts yesterday ---- time->Sun Jun 27 23:44:12 2010 type=SYSCALL msg=audit(1277682252.265:79349): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=0 items=0 ppid=31750 pid=31751 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277682252.265:79349): avc: denied { create } for pid=31751 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket ---- time->Mon Jun 28 01:37:57 2010 type=SYSCALL msg=audit(1277689077.355:79537): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffdf7eebf0 a2=c a3=0 items=0 ppid=32628 pid=32629 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277689077.355:79537): avc: denied { bind } for pid=32629 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket ---- time->Mon Jun 28 01:38:04 2010 type=SYSCALL msg=audit(1277689084.599:79543): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffdf7ee9a0 a2=c a3=0 items=0 ppid=32628 pid=32629 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277689084.599:79543): avc: denied { bind } for pid=32629 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket ---- time->Mon Jun 28 01:42:46 2010 type=SYSCALL msg=audit(1277689366.029:79554): arch=c000003e syscall=51 success=no exit=-13 a0=3 a1=7fff4846b650 a2=7fff4846b65c a3=0 items=0 ppid=32742 
pid=32743 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277689366.029:79554): avc: denied { getattr } for pid=32743 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket ---- time->Mon Jun 28 01:42:53 2010 type=SYSCALL msg=audit(1277689373.236:79555): arch=c000003e syscall=51 success=no exit=-13 a0=4 a1=7fff4846b400 a2=7fff4846b40c a3=0 items=0 ppid=32742 pid=32743 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277689373.236:79555): avc: denied { getattr } for pid=32743 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket ---- time->Mon Jun 28 01:59:08 2010 type=SYSCALL msg=audit(1277690348.206:79788): arch=c000003e syscall=2 success=yes exit=3 a0=7fe6c3f60a12 a1=0 a2=515384 a3=ffffffff items=0 ppid=1232 pid=1258 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="post-commit-syn" exe="/bin/ksh93" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277690348.206:79788): avc: denied { read } for pid=1258 comm="post-commit-syn" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file ---- time->Mon Jun 28 01:59:08 2010 type=SYSCALL msg=audit(1277690348.290:79789): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fffd01ba510 a2=14 a3=0 items=0 ppid=1261 pid=1262 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277690348.290:79789): avc: denied { nlmsg_read 
} for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1277690348.290:79789): avc: denied { write } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket ---- time->Mon Jun 28 01:59:08 2010 type=SYSCALL msg=audit(1277690348.290:79790): arch=c000003e syscall=47 success=yes exit=108 a0=3 a1=7fffd01ba4d0 a2=0 a3=0 items=0 ppid=1261 pid=1262 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null) type=AVC msg=audit(1277690348.290:79790): avc: denied { read } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket Thank you, Vadym -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux