New fedora cgit packages could use some policy updates

Daniel J Walsh dwalsh at redhat.com
Tue Feb 17 17:47:26 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> Sorry about this, I seem to have lost this email.
> 
> No worries. :)
> 
>> The following might help you with writing policy.
>>
>> http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
> 
> Indeed it will.  Thank you.
> 
>> I would combine gitweb and cgit into the same policy since there is
>> really very little different between the two, it really does not matter
>> what you call them, unless one is readonly?
> 
> Well, only cgit needs write access to /var/cache/cgit.  I don't know
> where, or if, gitweb writes any temp files.  If it does, I don't see
> the policy you attached denying them.
> 
>> I have added git policy to the base package for rawhide.
>>
>> selinux-policy-3.6.5-2.fc11
>>
>> If you could install this policy out with gitweb and cgit, that would be
>> helpful.
>>
>> I made the httpd_git_script_t permissive and have added file context for
>> gitweb as well as cgit.
> 
> Is there a corresponding strict mode?  For this:
> 
> permissive httpd_git_script_t;
> 
Removing the line makes it strict.
> If so, I could test it that way and maybe tighten up the policy
> further.
> 
>> Extract the tgz file.
>> execute
>>
>> make -f /usr/share/selinux/devel/Makefile
>> semodule -i git.pp
>> restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit
>> /var/www/git/gitweb.cgi  /var/lib/git
>>
>> Run git and cgit.
>>
>> Use
>>
>> audit2allow -R >> git.te
>>
>> to add new rules
>> make -f /usr/share/selinux/devel/Makefile
>> semodule -i git.pp
>>
>> Test again, to make sure there are no avc's.
>>
>> Then if you send me the new policy and the audit.log, I can update
>> fedora policy.
> 
> Done.  There weren't many additional AVCs in my testing (which I'm
> sure could miss some odd use case that someone else will find).
> Attached is an updated git.te and the raw audit messages (broken down
> by which tool caused the AVC).
> 
> Is the search on var_lib_t something that we would want to limit?
no
> I don't think cgit, git-daemon, or gitweb should need more than
> /var/lib/git (and /var/cache/cgit in cgit's case).  It _seemed_ that
> they ran fine even when this was denied, but perhaps I just didn't
> notice some subtle breakage.
> 
> Thanks for all the help.
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkma+C4ACgkQrlYvE4MpobM+xQCePczBb4m5srneZ7EIUsxP0pGI
v3QAoLWFUgz5JuuUgHJFOXdXlXHhQ9n0
=D4SA
-----END PGP SIGNATURE-----
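The build/test loop above ends with checking the raw audit messages "broken down by which tool caused the AVC". The following is an added example, not code from the thread or from Fedora's policy tooling: a small parser that groups AVC denials by the process (comm) that triggered them and flags any target type outside the set a tool is expected to touch, which is exactly the "does cgit/gitweb/git-daemon need more than /var/lib/git?" question asked above. The sample audit.log lines are constructed for illustration; the type names other than httpd_git_script_t and var_lib_t (which appear in the thread) are placeholders, not the real Fedora labels.

```python
"""Group SELinux AVC denials from audit.log by the tool that caused them.

Added example, not part of the original mailing-list thread. Type names other
than httpd_git_script_t and var_lib_t are placeholders, not Fedora's real labels.
"""
import re
from collections import Counter, defaultdict

# Constructed sample audit.log content (placeholder labels, not real denials).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234970000.123:101): avc:  denied  { write } for  pid=4321 comm="cgit" name="cgit" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_git_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1234970000.456:102): avc:  denied  { read } for  pid=4321 comm="cgit" name="git" dev=dm-0 ino=23456 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:git_data_t:s0 tclass=dir
type=AVC msg=audit(1234970001.789:103): avc:  denied  { search } for  pid=4322 comm="gitweb.cgi" name="lib" dev=dm-0 ino=34567 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1234970002.012:104): avc:  denied  { read open } for  pid=4323 comm="git-daemon" path="/var/lib/git/repo.git/HEAD" dev=dm-0 ino=45678 scontext=system_u:system_r:git_daemon_t:s0 tcontext=system_u:object_r:git_data_t:s0 tclass=file
type=SYSCALL msg=audit(1234970002.012:104): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the fields of a kernel AVC record we care about; other record types
# (SYSCALL, PATH, ...) do not match and are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """Return the type component (third field) of an SELinux context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m.group("comm"),
        "perms": tuple(m.group("perms").split()),
        "source_type": _type_of(m.group("scontext")),
        "target_type": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(log_text):
    """Map each comm to a Counter of (source_type, target_type, tclass, perm)."""
    by_tool = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
            by_tool[rec["comm"]][key] += 1
    return dict(by_tool)


def unexpected_targets(summary, expected_types):
    """Return {comm: sorted target types} for denials on types not in the
    expected set, i.e. places a tool touched that the policy author did not
    plan for (the var_lib_t search discussed in the thread is one such case)."""
    out = {}
    for comm, counts in summary.items():
        extra = {target for (_src, target, _cls, _perm) in counts if target not in expected_types}
        if extra:
            out[comm] = sorted(extra)
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    for comm, counts in sorted(summary.items()):
        print(f"{comm}:")
        for (src, tgt, cls, perm), n in sorted(counts.items()):
            print(f"  {n:3d}  {src} -> {tgt} ({cls}: {perm})")
    # Placeholder set of types the git tools are expected to need.
    print("outside expected set:",
          unexpected_targets(summary, {"httpd_git_rw_content_t", "git_data_t"}))
```

Running the script prints one block per tool, so a denial that appears under gitweb.cgi but not cgit is immediately visible; feeding the real audit.log through `summarize` after each `semodule -i git.pp` reload gives a quick "are there still AVCs" check before sending the log back.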
More information about the fedora-selinux-list mailing list