Re: [PATCH v2 2/2] ssh: Add interface ssh_search_dir

On Thu, Jun 20, 2019 at 06:38:10PM +0300, Alexander Miroshnichenko wrote:
> On Thursday, June 20, 2019, 18:27:31 MSK, Dominick Grift wrote:
> > On Thu, Jun 20, 2019 at 06:05:57PM +0300, Alexander Miroshnichenko wrote:
> > > On Thursday, June 20, 2019, 17:50:11 MSK, Dominick Grift wrote: ...
> > 
> > Yes this sucks. I would probably do the following instead:
> > 
> > 1. echo "ignoredirs=/var/lib/gitolite" >> /etc/selinux/semanage.conf
> > 2. semodule -B && restorecon -RvF /var/lib/gitolite
> > 3. gitosis_read_lib_files(sshd_t)
> 
> I can't use sshd_t in another policy without a require statement.
> Or I need to add gitosis_read_lib_files(sshd_t) to the ssh.te policy file.
> All 3 steps are ugly compared with the new ssh_search_dir() interface.
> Why such restrictions, where the caller must be the source for the interface? It is
> not flexible.

You would need to add the gitosis_read_var_lib_files(sshd_t) to ssh.te, yes.
I agree that this is ugly, but the alternative is even more ugly, and I will say that this is just what I would do (you might want to wait for the maintainer's advice instead of taking my advice).
This is one of those scenarios that are the exception rather than the rule. All options are bad.
The "restriction" is actually an unwritten rule, as I cannot find any references to it in https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide, so you might be able to get away with it.

> 
> > 
> > Don't bother with labeling /var/lib/gitolite/.ssh differently
> > 
> > >  ...
> > 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
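The thread mentions that sshd_t cannot be used from another policy module "without a require statement". As an added illustration that is not part of the thread or of refpolicy itself, the following stand-alone module (the module name local_gitolite is a constructed assumption) shows what that looks like: sshd_t is declared in ssh.te, so a separate module has to pull it in with gen_require() before passing it to the gitosis_read_lib_files() interface named in the thread.

```selinux
# Constructed example module (local_gitolite.te), not code from the thread.
# It grants sshd_t read access to the gitosis/gitolite library files
# without editing ssh.te.
policy_module(local_gitolite, 1.0.0)

# sshd_t belongs to ssh.te. Any other module must declare that it depends
# on the type before using it as an interface argument; this gen_require()
# block is the "require statement" discussed in the thread.
gen_require(`
	type sshd_t;
')

# Calling a gitosis interface on a domain that this module does not own.
# refpolicy convention is that a module passes its own domains to
# interfaces, which is why the thread calls this approach ugly.
gitosis_read_lib_files(sshd_t)
```

The alternative the thread proposes is to put the single line gitosis_read_lib_files(sshd_t) into ssh.te instead; there the type is declared locally, so no gen_require() block is needed, at the cost of making the ssh module carry a gitosis-specific rule.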
