Bug 732196

Summary: SELinux module needed for ssh access to git
Product: Red Hat Enterprise Linux 6
Reporter: Patrick C. F. Ernzer <pcfe>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: dominick.grift, dwalsh, ksrot, mmalik
Target Milestone: rc
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-108.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:13:19 UTC
Bug Blocks: 494837

Description Patrick C. F. Ernzer 2011-08-20 15:21:05 UTC
Description of problem:
access to git-daemon over ssh with keys seems to need a SELinux module

Version-Release number of selected component (if applicable):
git-1.7.1-2.el6_0.1.x86_64
git-daemon-1.7.1-2.el6_0.1.x86_64
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch


How reproducible:
always

Steps to Reproduce:
1. install git-daemon
2. dump ~git/.ssh/authorized_keys with the usual chmod, chown, semanage and restorecon
3. make a test repo:
    [root@server]# cd ~git
    [root@server]# mkdir test.git
    [root@server]# cd test.git
    [root@server]# git init --bare
    [root@server]# chown -R git:git /var/lib/git/test.git/
4. work with it from another box:
    [user@machine]$ git clone git.pcfe.net:test.git  

Actual results:
user is prompted for password because SELinux denies access to the authorized_keys file

Expected results:
user is able to use the git server via ssh key authentication


Additional info:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

### mind you, I forced the ssh_home_t myself with
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh'
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh/authorized_keys'
still no joy without the policy module though

# ls -aZ ~git/.ssh/  
drwx------. git  git  system_u:object_r:ssh_home_t:s0  .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git  git  system_u:object_r:ssh_home_t:s0  authorized_keys

local policy module needed when the files are not relabelled as above
# cat local.te 

module local 1.0;

require {
	type file_t;
	type git_system_content_t;
	type sshd_t;
	class file { read getattr open };
	class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t file_t:dir search;
allow sshd_t git_system_content_t:dir { search getattr };
allow sshd_t git_system_content_t:file { read getattr open };

local policy module for correctly labelled files
# cat gitssh.te 

module gitssh 1.0;

require {
	type git_system_content_t;
	type sshd_t;
	class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t git_system_content_t:dir { search getattr };
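
As an added example (not part of the bug report or of the selinux-policy package), here is a small POSIX shell checker that parses `ls -aZ` output like the listing above and reports every entry in a `~/.ssh` directory that does not carry `ssh_home_t`, the type sshd is allowed to read. The two sample listings are constructed: one mirrors the correctly labelled directory from the report, the other shows what the directory looks like when it has inherited `git_system_content_t`. The idea is that a label check like this is the step to take before writing a local allow rule such as `local.te` above, which papers over the mislabelling by widening what `sshd_t` may read.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the SELinux labels sshd
# needs on a service account's ~/.ssh using `ls -aZ` style output.
# Assumes the long-form context user:role:type:level as printed on RHEL 6
# (e.g. system_u:object_r:ssh_home_t:s0).

# Print the SELinux type (third colon-separated field) of a context string.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -aZ` lines on stdin and print one line per entry whose type is
# not ssh_home_t. The parent entry ".." is skipped because it carries the
# home directory's own label, which sshd only needs to search, not read.
# Returns 0 when every entry is labelled ssh_home_t, 1 otherwise.
check_ssh_labels() {
    bad=0
    while read -r mode owner group ctx name; do
        [ -z "$ctx" ] && continue          # ignore blank lines
        [ "$name" = ".." ] && continue     # parent dir label is out of scope
        ftype=$(selinux_type_of "$ctx")
        if [ "$ftype" != "ssh_home_t" ]; then
            printf 'MISLABELLED %s: %s (expected ssh_home_t)\n' "$name" "$ftype"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: the correctly labelled listing from the report.
SAMPLE_GOOD='drwx------. git  git  system_u:object_r:ssh_home_t:s0  .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git  git  system_u:object_r:ssh_home_t:s0  authorized_keys'

# Constructed sample: .ssh inherited the repository content label, which
# is the situation local.te above tries to work around with allow rules.
SAMPLE_BAD='drwx------. git  git  system_u:object_r:git_system_content_t:s0  .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git  git  system_u:object_r:git_system_content_t:s0  authorized_keys'

# Stand-alone demo. On a real host you would feed `ls -aZ ~git/.ssh` into
# check_ssh_labels instead of the constructed samples.
if printf '%s\n' "$SAMPLE_GOOD" | check_ssh_labels; then
    echo "good sample: all entries labelled ssh_home_t"
fi
printf '%s\n' "$SAMPLE_BAD" | check_ssh_labels ||
    echo "bad sample: fix the labels (semanage fcontext + restorecon), do not add allow rules for sshd_t"
```

The checker only reports; the remediation it points at is the `semanage fcontext` and `restorecon` pair already shown in the report, applied so that the `.ssh` directory and `authorized_keys` end up as `ssh_home_t` without touching policy.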

Comment 2 Patrick C. F. Ernzer 2011-08-21 08:51:15 UTC
One error I was made aware of: I should have created the git user with -Z git_shell_u. Fixed that with

usermod -Z git_shell_u git

policy module still seemingly needed.

Comment 3 Patrick C. F. Ernzer 2011-08-21 16:20:31 UTC
The other error I did (and this makes it NOTABUG) is that I should not have set the home directory of the git user to /var/lib/git as that introduced user_home_dir_t which made me see the error.

Apologies for the noise, closing bug.

Comment 4 Dominick Grift 2011-08-21 16:36:39 UTC
man git_selinux.8 is not packaged in:

selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch

It has much of the information that is needed to avoid this misunderstanding.

Comment 5 Miroslav Grepl 2011-08-22 12:36:29 UTC
Dominick,
good point. I should backport this man page to RHEL6.

Comment 7 Miroslav Grepl 2011-08-24 15:28:30 UTC
Fixed in selinux-policy-3.7.19-108.el6

Comment 10 errata-xmlrpc 2011-12-06 10:13:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html