Bug 736623
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | cgit does not work with default selinux policy | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Sander Hoentjen <sander> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.1 | CC: | dominick.grift, dwalsh, ewoud+redhat, mmalik, tmz |
| Target Milestone: | rc | | |
| Target Release: | 6.1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-112.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:18:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Sander Hoentjen
2011-09-08 09:38:14 UTC
This looks to be trouble between using gitolite and cgit. The README.SELinux file shipped with cgit says that if you have repos in a non-default location (with /var/lib/git being the default location), you should run:

    semanage fcontext -a -t httpd_sys_content_t "/srv/git(/.*)?"

Whether that's possible or advisable when using gitolite, which seems to have its own policy and labels, is a question for the good folks that manage the selinux-policy. I'll try to move the product/component to RHEL6/selinux-policy.

I have no problem with allowing this.

I'm not familiar with cgit, gitolite etc. Could you be more specific in the following steps:

3. put some git projects in place
4. show cgit web interface

Milos, you just need to create a git repo in /var/lib/gitolite/repositories and set up cgit to show this repo in your web browser.

The issue described above is:

1. Git repositories are not in the usual Git location (/var/lib/git or /srv/git), but rather in gitolite's usual location (/var/lib/gitolite/.*)
2. cgit (the httpd_git_script_t domain) currently only supports git repositories in /var/lib/git or /srv/git. It is currently not allowed to read Git repositories in /var/lib/gitolite. (At least last time I checked.)

So the solution would be to: support cgit/gitweb hosting Git repositories in /var/lib/gitolite (allow httpd_git_script_t to read gitolite_var_lib_t directories and files). This would need to be added to policy. (That is the simple solution.)

We might however need to consider what other contents gitolite stores in /var/lib/gitolite. If it is sensitive stuff like login credentials then we may want to implement a named file transition to a git content type when Git repositories are created in gitolite's var lib directories as opposed to git's var lib directory.

The easiest solution would be to store your Git repository content in the correct place (/var/lib/git or /srv/git) and tell gitolite to look for it / manage it there.

(In reply to comment #6)
> Support Cgit/Gitweb hosting Git repositories in /var/lib/gitolite. ( allow
> httpd_git_script_t to read gitolite_var_lib_t directories and files )

Note that gitolite uses gitosis_var_lib_t.

(In reply to comment #7)
> (In reply to comment #6)
> > Support Cgit/Gitweb hosting Git repositories in /var/lib/gitolite. ( allow
> > httpd_git_script_t to read gitolite_var_lib_t directories and files )
> Note that gitolite uses gitosis_var_lib_t.

Right, that is because gitolite is the new gitosis (so I meant gitosis_var_lib_t).

I believe we can allow it since we have

    /var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)

We don't have file name transition in RHEL6.

Please consider adding a file context spec for /var/lib/gitolite/repositories(/.*)? with type git_system_content_t, and then allow git_system_t, git_shell_t, and httpd_git_script_t to search gitosis_var_lib_t. This solution seems better to me, because just allowing cgit to read gitosis_var_lib_t content breaks stuff, since git_system_t still cannot host/read it, and git_shell_t won't be able to manage/execute git repositories there. In that case also make sure that gitolite can interact with any git shared repository content type. (Probably should already?)

The problem with this is "/var/lib/gitolite/repositories" is not owned by the gitolite package. Also it looks like a lot of changes in RHEL6 in this phase.

Sander, if you execute

    # grep gitosis /var/log/audit/audit.log | audit2allow -M mygitosis
    # semodule -i mygitosis.pp

does it work then?

(In reply to comment #12)
> Sander,
> if you execute
>
> # grep gitosis /var/log/audit/audit.log |audit2allow -M mygitosis
> # semodule -i mygitosis.pp
>
> Does it work then?

As Sander's colleague I can tell that we've already done so on our production machine and it works.

Now I get it, I think: this is some exotic user configuration? (In other words a misconfiguration, or at least a configuration not supported.)

I was already surprised that gitosis/cgit/gitweb would not work in EL6.1, but this explains it. Git repositories belong in /var/lib/git or /srv/git, and not in /var/lib/gitolite/repositories.

Since it's the default gitolite behavior to place it there we assumed it's a bug, especially since it worked before we updated cgit from 0.9-1 to 0.9.0.2-2. Your solution would be to move the repositories instead of changing the policy?

To be quite frank with you, I have no experience with gitolite since I get the impression that it does not add any additional functionality and only overhead (I do not like overhead). To the point: I thought Miroslav said that gitolite does not own /var/lib/gitolite/repositories. If that is true, then what owns it? If gitolite created /var/lib/gitolite/repositories, then I would probably ask the gitolite maintainers whether there is a possibility to install that location, so that it can be labelled properly.

What puzzles me even more is, how come, if this is default behaviour, it has not been dealt with in Fedora already? I am wondering how gitolite in Fedora works or is supposed to work compared to gitolite shipped with EL6.1. If this is, as you say, the default configuration then it is a bug indeed (in my view probably a bug in gitolite's default configuration and possibly the git SELinux policy). I would, if possible, indeed move my repositories to /var/lib/git and tell gitolite to go look for it there, but I would not be surprised if that exposes other policy issues. (Again, I have no experience with gitolite, but I did design much of the git SELinux policy shipped with EL6.1, so I feel kind of responsible in a sense.)

Nonetheless, I personally do not feel comfortable with allowing cgit to read gitosis_var_lib_t. If my memory serves me correctly, there was a vulnerability in cgit not long ago, and I wouldn't want cgit to be able to interact with only what is strictly needed (git repositories, not gitolite var lib content in general).

Ewoud, what does this give on your RHEL6?

    # rpm -qf /var/lib/gitolite/repositories

Maybe a new boolean for this would be a "solution". I take back my comment #3 and I agree with Dominick to not allow it (by default). I will play with this issue together with Milos more.

(In reply to comment #17)
> Ewoud,
> what does on your RHEL6
>
> # rpm -qf /var/lib/gitolite/repositories

    [root@git ~]# rpm -qf /var/lib/gitolite/repositories
    file /var/lib/gitolite/repositories is not owned by any package

Typically you install gitolite as the gitolite user with gl-setup. This performs a few steps:

1. Copy /usr/share/gitolite/conf/example.gitolite.rc to ~gitolite/.gitolite.rc
2. Call $EDITOR ~gitolite/.gitolite.rc
3. Run the rest of the install

Step 3 will (amongst other actions) ensure the repository directory exists. The default directory is ~gitolite/repositories, but you can modify this in step 2. One solution would be to ensure the default is /var/lib/git. That should be fairly simple given step 1. However, it would require the user to ensure /var/lib/git exists with the proper permissions (i.e. writable for the gitolite user).

On a VM this works for me. I will add a "git_cgit_read_gitolite_content" boolean and users can choose if they want to allow cgit to read gitolite content or not.

To stay consistent you might want to make it "git_cgit_read_gitosis_content".

(In reply to comment #20)
> To stay consistent you might want to make it to
> "git_cgit_read_gitosis_content".

Yes, you are right.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
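As an added example (not from the bug report or the selinux-policy package), the following POSIX shell script triages AVC denials of the kind this thread is about before anyone feeds them to audit2allow: it reduces each denial to its source domain, target type, object class and permissions, and maps the httpd_git_script_t to gitosis_var_lib_t pair to the two remedies discussed above (the boolean added in the fix, or relocating the repositories under /var/lib/git). The audit lines are constructed, and it is an assumption that the boolean shipped under the name agreed in the thread, git_cgit_read_gitosis_content.

```shell
#!/bin/sh
# Constructed sample AVC lines (not from the bug report's audit log): cgit,
# running as httpd_git_script_t, denied on gitolite's repository tree, which
# carries gitosis_var_lib_t, plus one unrelated denial for contrast.
SAMPLE_AVC='type=AVC msg=audit(1315470000.123:45): avc:  denied  { search } for  pid=1234 comm="cgit" name="repositories" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1315470000.456:46): avc:  denied  { read open } for  pid=1234 comm="cgit" name="HEAD" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=AVC msg=audit(1315470100.789:47): avc:  denied  { write } for  pid=2222 comm="git" name="config" dev=dm-0 ino=1003 scontext=system_u:system_r:git_shell_t:s0 tcontext=system_u:object_r:git_system_content_t:s0 tclass=file'

# Reduce each denial to "source_type target_type class perms", deduplicated,
# so the domain/type pair is visible before anything is fed to audit2allow.
summarize_avc() {
    printf '%s\n' "$1" |
    sed -n 's/^.*avc: *denied *{ *\([^}]*\)} for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*$/\2 \3 \4 \1/p' |
    sed 's/ *$//' | sort | uniq
}

# Map a source/target pair to the remedies the thread settled on. The boolean
# name is the one agreed in the thread; that it shipped under exactly that
# name is an assumption here.
recommend() {
    case "$1/$2" in
        httpd_git_script_t/gitosis_var_lib_t)
            echo "boolean-or-relocate: setsebool -P git_cgit_read_gitosis_content on, or move the repositories under /var/lib/git (git_system_content_t) and point gitolite at them" ;;
        httpd_git_script_t/*)
            echo "check-labels: cgit only reads git content types; verify with matchpathcon before widening policy" ;;
        *)
            echo "not-a-cgit-denial: $1 -> $2, handle separately" ;;
    esac
}

# One line per distinct denial, with the recommendation appended.
triage_avc() {
    summarize_avc "$1" | while read -r src tgt cls perms; do
        printf '%s -> %s (%s: %s): %s\n' "$src" "$tgt" "$cls" "$perms" "$(recommend "$src" "$tgt")"
    done
}

triage_avc "$SAMPLE_AVC"
```

On a real host, replace SAMPLE_AVC with `grep 'avc:  denied' /var/log/audit/audit.log` output; the unrelated git_shell_t line shows why a blanket `grep gitosis | audit2allow` can sweep in more than the cgit denial.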