Hi all,

I was recently setting up a webserver with cgit and apache on a fresh Fedora 34 installation and ran into one issue that I still don't quite understand.

After installing both apache and cgit, I created the default location expected for git repositories in /var/lib/git via:

# mkdir /var/lib/git

and then added a few bare repositories and pushed to them. I wasn't able to view the cgit page though and was getting the following errors in audit.log:

type=AVC msg=audit(1622927247.335:77187): avc: denied { getattr } for pid=281294 comm="cgit" path="/var/lib/git/chroma.git/HEAD" dev="sda" ino=134922 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

I eventually found out that I needed to run:

# restorecon -vR /var/lib/git/

which fixed the issue, but I thought it was supposed to happen automatically since there was already a rule which was supposed to set these as type git_content_t (I think that's it). I emailed the cgit package maintainer and he was surprised too, and has since updated the README to include instructions to run restorecon, but I was curious as to whether this should be necessary.

Why doesn't the /var/lib/git directory get the correct context?

Thanks,
Tony
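
An added example, not part of the original message: a small Python parser for the AVC record quoted above that pulls out the source and target types, so the var_lib_t label on the repository file stands out as the thing to look at. The expected type git_content_t is the poster's own guess and is treated here as an assumption; the function names are hypothetical.

```python
import re

# AVC record copied from the message above (one audit.log line).
AVC_LINE = (
    'type=AVC msg=audit(1622927247.335:77187): avc: denied { getattr } for '
    'pid=281294 comm="cgit" path="/var/lib/git/chroma.git/HEAD" dev="sda" '
    'ino=134922 scontext=system_u:system_r:git_script_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into its result, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def is_label_mismatch(line, expected_type):
    """True when a denial's target carries a type other than the expected one,
    which points at a labeling problem rather than a missing allow rule."""
    rec = parse_avc(line)
    return rec["result"] == "denied" and context_type(rec["tcontext"]) != expected_type


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print(rec["comm"], rec["perms"], rec["path"])
    print(context_type(rec["scontext"]), "->", context_type(rec["tcontext"]))
    # Assumption: git_content_t is the type the poster expected ("I think that's it").
    print("label mismatch:", is_label_mismatch(AVC_LINE, "git_content_t"))
```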