| Summary: | SELinux prevents cgit from traversing user_home_dir_t | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Dan Callaghan <dcallagh> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 23 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-04 22:56:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Never mind, it seems there is an sebool for this: `git_cgi_enable_homedirs`. I'm guessing this is new or maybe wasn't enforced properly before, because I don't remember setting it previously. `audit2allow -R` didn't point it out to me, which is why I didn't find it initially.
Description of problem:

I run cgit configured to serve up some user's git repos out of `/home/*/public_git/`. On F21 this was fine but after upgrading to F23 with the same configuration, cgit now hits an AVC denial for search like this:

```
type=AVC msg=audit(1456917059.991:79808): avc: denied { search } for pid=4474 comm="cgit" name="dan" dev="dm-0" ino=13107202 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
```

The files in question are not mislabelled, and the labels make sense to me:

```
drwx--x--x. 34 dan users unconfined_u:object_r:user_home_dir_t:s0 12288 Mar 2 21:10 /home/dan
drwxr-xr-x.  3 dan users unconfined_u:object_r:git_user_content_t:s0 4096 Mar 2 20:54 /home/dan/public_git
```

cgit should indeed be prevented from *reading* inside my homedir, but it does need to be able to traverse it to get to ~/public_git.

Version-Release number of selected component (if applicable):

```
selinux-policy-3.13.1-158.7.fc23.noarch
cgit-0.12-1.fc23.x86_64
```

How reproducible: relatively easily

Steps to Reproduce:
1. `dnf install cgit httpd`, start httpd
2. Create ~/public_git and put a git repo there to be served up:
   ```
   mkdir /home/user/public_git
   restorecon /home/user/public_git
   git init --bare /home/user/public_git/testrepo
   ```
3. Configure cgit to serve it, append the following to /etc/cgitrc:
   ```
   repo.url=testrepo
   repo.path=/home/dan/public_git/testrepo
   ```
4. Visit http://localhost/cgit/testrepo/

Actual results: 500 Internal Server Error, and AVC denial for search, like the one pasted above

Expected results: Should successfully serve an HTML page showing the git repo contents (or "Repository seems to be empty" or whatever)

Additional info: Seems like a policy regression since the same setup was working without denials on F21.
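As an added illustration that is not part of this bug report, the following Python parses AVC records like the one quoted above into source type, target type, object class and permission set, and maps the one combination this report confirms (`git_script_t` searching `user_home_dir_t`) to the `git_cgi_enable_homedirs` boolean named in the comment. The `BOOLEAN_HINTS` table and the second sample record (cgit reading a file labelled `user_home_t`, a denial that gets no hint and should stay denied) are constructed assumptions of the example, not data from the report.

```python
import re

# Constructed sample: the AVC record quoted in this report plus one unrelated
# denial (cgit reading a file inside the home directory, which should stay denied).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1456917059.991:79808): avc:  denied  { search } for  pid=4474 comm="cgit" name="dan" dev="dm-0" ino=13107202 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1456917060.120:79809): avc:  denied  { read } for  pid=4474 comm="cgit" name="notes.txt" dev="dm-0" ino=13107300 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type, class, permissions) -> boolean that allows it. Only the
# first row is confirmed by this report; confirm any row with `sesearch -A -b <boolean>`.
BOOLEAN_HINTS = [
    ("git_script_t", "user_home_dir_t", "dir", {"search"}, "git_cgi_enable_homedirs"),
]

def parse_avc(line):
    """Return the denial's key fields as a dict, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; policy rules are written on the type.
    return {"comm": kv.get("comm"),
            "source_type": kv["scontext"].split(":")[2],
            "target_type": kv["tcontext"].split(":")[2],
            "tclass": kv["tclass"],
            "perms": set(m.group("perms").split())}

def suggest_boolean(rec):
    """Name the boolean that covers this denial, or None if no known one does."""
    for src, tgt, cls, perms, boolean in BOOLEAN_HINTS:
        if (rec["source_type"], rec["target_type"], rec["tclass"]) == (src, tgt, cls) \
                and rec["perms"] <= perms:
            return boolean
    return None

def triage(audit_text):
    """Parse every AVC line and attach the boolean hint (or None) to each record."""
    records = [parse_avc(line) for line in audit_text.splitlines()]
    return [{**r, "boolean": suggest_boolean(r)} for r in records if r]

def fix_commands(rec):
    """Shell commands to inspect and persistently enable the boolean, if one applies."""
    if not rec["boolean"]:
        return []  # no boolean known: keep it denied unless the access is really required
    return [f"getsebool {rec['boolean']}", f"setsebool -P {rec['boolean']} on"]
```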