[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: SELinux and gitosis (FC11)

From: Miroslav Grepl <mgrepl redhat com>
To: Jonathan Stott <jonathan stott gmail com>
Cc: fedora-selinux-list redhat com
Subject: Re: SELinux and gitosis (FC11)
Date: Tue, 30 Jun 2009 19:20:20 +0200

On 06/30/2009 05:21 PM, Jonathan Stott wrote:

Hi all

Today I updated to FC11 and gitosis stopped working (gitosis is a collection of scripts for easing multiuser access to git repositories over ssh).  I can tell it's an SELinux problem, because '/sbin/setenforcing 0' clears it up.

On the server, the git repositories are managed by the 'git' user, which has the guest_u selinux type (though it also fails when given the user_u user).  The home directory (/home/git) has the correct selinux context (user_home_t) as far as I can tell and I've run 'restorecon -Rvv' anyway, just to be sure.  gitosis works by calling a system binary, gitosis-serve, which lives in /usr/bin/ and has the type of 'bin_t'

What is your verison of selinux-policy?

# rpm -q selinux-policy selinux-policy-targeted

gitosis-serve should have the following context:

# ls -Z /usr/bin/gitosis-serve
-rwxr-xr-x. root root system_u:object_r:gitosis_exec_t:s0 /usr/bin/gitosis-serve

  so guest_u should be able to execute it.  Even with 'setenforcing 0' no AVC denials are created though.  Checking /var/log/secure shows that the key is being accepted, and it seems like the process then hangs.

Any suggestions appreciated,
Regards
Jon

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

References:
- SELinux and gitosis (FC11)
  - From: Jonathan Stott

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]