| Summary: | SELinux module needed for ssh access to git | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrick C. F. Ernzer <pcfe> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.1 | CC: | dominick.grift, dwalsh, ksrot, mmalik |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-108.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:13:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 494837 | | |
Description of problem:

Access to git-daemon over ssh with keys seems to need a SELinux module.

Version-Release number of selected component (if applicable):

git-1.7.1-2.el6_0.1.x86_64
git-daemon-1.7.1-2.el6_0.1.x86_64
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch

How reproducible: always

Steps to Reproduce:

1. install git-daemon
2. dump ~git/.ssh/authorized_keys with the usual chmod, chown, semanage and restorecon
3. make a test repo:

```
[root@server]# cd ~git
[root@server]# mkdir test.git
[root@server]# cd test.git
[root@server]# git init --bare
[root@server]# chown -R git:git /var/lib/git/test.git/
```

4. work with it from another box:

```
[user@machine]$ git clone git.pcfe.net:test.git
```

Actual results:
user is prompted for password because SELinux denies access to the authorized_keys file

Expected results:
user is able to use the git server via ssh key authentication

Additional info:

```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
```

```
### mind you, I forced the ssh_home_t myself with
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh'
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh/authorized_keys'
```

still no joy without the policy module though

```
# ls -aZ ~git/.ssh/
drwx------. git  git  system_u:object_r:ssh_home_t:s0 .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git  git  system_u:object_r:ssh_home_t:s0 authorized_keys
```

local policy module needed when the files are not relabelled as above:

```
# cat local.te
module local 1.0;

require {
    type file_t;
    type git_system_content_t;
    type sshd_t;
    class file { read getattr open };
    class dir { search getattr };
}

#============= sshd_t ==============
# sshd has to traverse unlabelled (file_t) path components and read the
# key file while it still carries git_system_content_t
allow sshd_t file_t:dir search;
allow sshd_t git_system_content_t:dir { search getattr };
allow sshd_t git_system_content_t:file { read getattr open };
```

local policy module for correctly labelled files:

```
# cat gitssh.te
module gitssh 1.0;

require {
    type git_system_content_t;
    type sshd_t;
    class dir { search getattr };
}

#============= sshd_t ==============
# only the parent directory (git_system_content_t) still needs to be searched
allow sshd_t git_system_content_t:dir { search getattr };
```

Comments:

One error I was made aware of; I should have created the git user with -Z git_shell_u. Fixed that with

```
usermod -Z git_shell_u git
```

policy module still seemingly needed.

The other error I did (and this makes it NOTABUG) is that I should not have set the home directory of the git user to /var/lib/git as that introduced user_home_dir_t which made me see the error. Apologies for the noise, closing bug.

man git_selinux.8 is not packaged in:
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch
It has much of the information that is needed to avoid this misunderstanding.

Dominick, good point. I should backport this man page to RHEL6.

Fixed in selinux-policy-3.7.19-108.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
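The report turns on file labels: the denial appeared while authorized_keys and its parent directories carried git_system_content_t (and, per the reporter, user_home_dir_t from the misplaced home directory), and the resolution was correct labelling plus mapping the git user to git_shell_u rather than a custom module. As an added example (not part of the bug report or of selinux-policy), the script below parses `ls -aZ` output for a git user's ~/.ssh, reports every entry whose type is not ssh_home_t, and prints the remediation commands that match the resolution: a persistent `semanage fcontext` rule (the regex form `'/var/lib/git/.ssh(/.*)?'` replaces the two per-path rules in the report), `restorecon`, `usermod -Z git_shell_u`, and an `ausearch` check for remaining sshd denials. The sample listing is constructed, with authorized_keys deliberately left as git_system_content_t; the path /var/lib/git/.ssh and the user name git are taken from the report, and the commands are printed rather than executed so the audit can run without root.

```bash
#!/bin/bash
# Added example (not from the bug report): audit the SELinux labels on a git
# user's ~/.ssh and print the remediation steps that match the report's
# resolution. Run without arguments it uses a constructed listing; give it a
# directory (e.g. /var/lib/git/.ssh) to audit a real host.

# Constructed `ls -aZ` listing in the RHEL 6 five-field form shown in the
# report. authorized_keys is deliberately left as git_system_content_t, the
# state in which sshd could not read it.
SAMPLE_LS_Z='drwx------. git git system_u:object_r:ssh_home_t:s0 .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git git system_u:object_r:git_system_content_t:s0 authorized_keys'

# parse_line <ls -aZ line>: print "<type> <name>". Locates the context field
# by its object_r role, so both the five-field form above and the two-field
# form (context name) of newer coreutils parse; returns 1 on lines without one.
parse_line() {
  local -a f
  local i ctx
  read -ra f <<<"$1"
  for i in "${!f[@]}"; do
    ctx=${f[$i]}
    case "$ctx" in
      *:object_r:*)
        # user:role:type[:range] -> the third field is the type
        printf '%s %s\n' "$(printf '%s' "$ctx" | cut -d: -f3)" "${f[*]:$((i + 1))}"
        return 0 ;;
    esac
  done
  return 1
}

# find_mislabeled <listing> <expected type>: print "<name> <actual type>" for
# every entry except . and .. whose type is not the expected one. Always
# returns 0; an empty result means the directory is labelled as expected.
find_mislabeled() {
  local listing=$1 expected=$2
  local line parsed ltype name
  while IFS= read -r line; do
    parsed=$(parse_line "$line") || continue
    ltype=${parsed%% *}
    name=${parsed#* }
    case "$name" in .|..) continue ;; esac
    [ "$ltype" = "$expected" ] || printf '%s %s\n' "$name" "$ltype"
  done <<<"$listing"
  return 0
}

# fix_commands <ssh dir> <git user>: print (not run) the remediation from the
# report's resolution. The regex form of the fcontext rule covers the
# directory and everything under it, replacing the two per-path rules in the
# report; restorecon applies it; usermod maps the git login to git_shell_u.
# The ausearch line is the post-check for leftover sshd denials.
fix_commands() {
  local dir=$1 user=$2
  cat <<EOF
semanage fcontext -a -t ssh_home_t '${dir}(/.*)?'
restorecon -Rv '${dir}'
usermod -Z git_shell_u '${user}'
ausearch -m avc -ts recent -c sshd
EOF
}

# Stand-alone run: real directory if it exists, constructed listing otherwise.
target=${1:-/var/lib/git/.ssh}
if [ -d "$target" ]; then
  listing=$(ls -aZ "$target")
else
  listing=$SAMPLE_LS_Z
fi
mislabeled=$(find_mislabeled "$listing" ssh_home_t)
if [ -n "$mislabeled" ]; then
  printf 'Entries not labelled ssh_home_t (name type):\n%s\n\n' "$mislabeled"
  fix_commands "$target" git
else
  echo "All entries under $target carry ssh_home_t"
fi
```

Run as `bash audit-git-ssh.sh /var/lib/git/.ssh` on the server; if it prints nothing but the all-clear line and `ausearch` shows no AVC for sshd, key authentication should work without either of the modules above.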