Bug 827389

Summary: Gitolite3 policy missing
Product: Red Hat Enterprise Linux 6
Reporter: Antoine Brenner <brenner+bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.2
CC: brenner+bugzilla, dwalsh, gwync, hopmann, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-186.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 08:35:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Antoine Brenner 2012-06-01 10:29:15 UTC
Description of problem:

Gitolite3 (code rewrite that replaces gitolite 2, cf http://sitaramc.github.com/gitolite/master-toc.html) is being packaged in EPEL (cf https://bugzilla.redhat.com/show_bug.cgi?id=821838).

The new package creates the git repositories under /var/lib/gitolite3 whereas the gitolite2 package used /var/lib/gitolite to host git repositories.

selinux-policy knows about /var/lib/gitolite:
 * it lets sshd read ~/.ssh/*
 * it lets gitweb access the git repositories
with the following file context rules:
/var/lib/gitolite(/.*)? system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite/\.ssh(/.*)?   system_u:object_r:ssh_home_t:s0

However, selinux-policy does NOT know about /var/lib/gitolite3, making EPEL gitolite3 unusable by default under RHEL 6.2 with SELinux enabled.


Version-Release number of selected component (if applicable):
RHEL 6.2 selinux-policy does NOT know about /var/lib/gitolite3


Steps to Reproduce:
1. grep gitolite /etc/selinux/targeted/modules/active/file_contexts
  
Actual results:
/var/lib/gitolite(/.*)? system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite/\.ssh(/.*)?   system_u:object_r:ssh_home_t:s0

Expected results:
/var/lib/gitolite3(/.*)? system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite3/\.ssh(/.*)?   system_u:object_r:ssh_home_t:s0

Additional info:
I contacted the gitolite3 packager, who suggested I file a bug against selinux-policy in BZ.
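
The labelling gap described above, and the local workaround an administrator would apply until the fixed selinux-policy ships, as an added shell example that is not part of this bug report or of the selinux-policy package. The file_contexts listing is constructed: its two /var/lib/gitolite lines are the ones quoted in the report, and the bin_t line reflects the /usr/share/gitolite3/commands labelling agreed in comments 7 to 9. The semanage and restorecon commands are the standard policycoreutils ones, not something the report itself runs.

```sh
#!/bin/sh
# Added example (not from the bug report): resolve a path against a
# file_contexts-style listing the way the report's grep does, and derive
# the semanage rules an admin would add locally until the fixed policy ships.
#
# Constructed sample in the format of
# /etc/selinux/targeted/modules/active/file_contexts.
SAMPLE_FILE_CONTEXTS='/var/lib/gitolite(/.*)?  system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite/\.ssh(/.*)?  system_u:object_r:ssh_home_t:s0
/usr/share/gitolite3/commands(/.*)?  system_u:object_r:bin_t:s0'

# context_for PATH LISTING
# Prints the context of the last rule in LISTING whose regex matches PATH
# in full (last match wins, which is how setfiles/matchpathcon pick among
# overlapping regexes); prints nothing when no rule covers PATH, which is
# exactly the gitolite3 situation the report describes.
context_for() {
    path=$1
    listing=$2
    result=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        regex=$(printf '%s\n' "$line" | awk '{print $1}')   # first column: regex
        ctx=$(printf '%s\n' "$line" | awk '{print $NF}')    # last column: context
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            result=$ctx
        fi
    done <<EOF
$listing
EOF
    printf '%s\n' "$result"
}

# needed_fcontext_cmds LISTING
# For each rule from the report's "Expected results", print the semanage
# command that adds it, but only when a representative path under
# /var/lib/gitolite3 is not already labelled with the expected type.
needed_fcontext_cmds() {
    listing=$1
    # representative path | expected type | file_contexts regex to add
    printf '%s\n' \
        '/var/lib/gitolite3/repositories/testing.git|gitosis_var_lib_t|/var/lib/gitolite3(/.*)?' \
        '/var/lib/gitolite3/.ssh/authorized_keys|ssh_home_t|/var/lib/gitolite3/\.ssh(/.*)?' |
    while IFS='|' read -r path type regex; do
        ctx=$(context_for "$path" "$listing")
        case $ctx in
            *":${type}:"*) ;;   # already labelled as expected, nothing to add
            *) printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex" ;;
        esac
    done
}

# Usage: show what is missing against the sample listing. On a real host the
# listing would come from "semanage fcontext -l" (or the file_contexts file
# the report greps), and the printed commands would be followed by
#   restorecon -R -v /var/lib/gitolite3
# so the existing repositories pick up the new labels.
needed_fcontext_cmds "$SAMPLE_FILE_CONTEXTS"
```

Against the sample listing the script prints two semanage commands, one per expected rule; once both rules are present in the listing it prints nothing, which makes it a cheap post-update check that the errata policy really covers /var/lib/gitolite3.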

Comment 2 Daniel Walsh 2012-06-04 15:27:33 UTC
Any reason to change the name of this directory?  Do you want to ship both simultaneously?

Comment 3 Gwyn Ciesla 2012-06-04 15:29:56 UTC
Yes, this is to make upgrading safer for the admin, as there are steps that need to be taken after the old version is removed but before the new one is installed.

Comment 4 Daniel Walsh 2012-06-04 15:31:26 UTC
mgrepl please backport 3ca3417b4921bba52665e9a42ad35cb19baafbee

Comment 5 Miroslav Grepl 2012-08-08 08:08:32 UTC
Fixed in selinux-policy-3.7.19-159.el6

Comment 7 Milos Malik 2012-12-06 11:17:42 UTC
The following files from the gitolite3 package are labelled usr_t, but they are either shell scripts or Perl scripts, therefore I suggest labelling them bin_t:

/usr/share/gitolite3/commands/D
/usr/share/gitolite3/commands/access
/usr/share/gitolite3/commands/creator
/usr/share/gitolite3/commands/desc
/usr/share/gitolite3/commands/fork
/usr/share/gitolite3/commands/git-config
/usr/share/gitolite3/commands/help
/usr/share/gitolite3/commands/htpasswd
/usr/share/gitolite3/commands/info
/usr/share/gitolite3/commands/list-dangling-repos
/usr/share/gitolite3/commands/lock
/usr/share/gitolite3/commands/mirror
/usr/share/gitolite3/commands/perms
/usr/share/gitolite3/commands/print-default-rc
/usr/share/gitolite3/commands/push
/usr/share/gitolite3/commands/sshkeys-lint
/usr/share/gitolite3/commands/sskm
/usr/share/gitolite3/commands/sudo
/usr/share/gitolite3/commands/svnserve
/usr/share/gitolite3/commands/symbolic-ref
/usr/share/gitolite3/commands/writable

The following files from the gitolite package are already labelled bin_t:

/usr/share/gitolite/hooks/common/update
/usr/share/gitolite/hooks/gitolite-admin/post-update

Comment 8 Miroslav Grepl 2012-12-06 12:09:03 UTC
Yes, we should label /usr/share/gitolite3/commands as bin_t.

Comment 9 Milos Malik 2012-12-06 14:17:59 UTC
All these files are Perl or shell script executables:

# find /usr/share/gitolite3/ -type f | grep -v -e VREF -e \.pm | xargs file | grep executable | cut -d : -f 1 | sort
/usr/share/gitolite3/commands/access
/usr/share/gitolite3/commands/creator
/usr/share/gitolite3/commands/D
/usr/share/gitolite3/commands/desc
/usr/share/gitolite3/commands/fork
/usr/share/gitolite3/commands/git-config
/usr/share/gitolite3/commands/help
/usr/share/gitolite3/commands/htpasswd
/usr/share/gitolite3/commands/info
/usr/share/gitolite3/commands/list-dangling-repos
/usr/share/gitolite3/commands/lock
/usr/share/gitolite3/commands/mirror
/usr/share/gitolite3/commands/perms
/usr/share/gitolite3/commands/print-default-rc
/usr/share/gitolite3/commands/push
/usr/share/gitolite3/commands/sshkeys-lint
/usr/share/gitolite3/commands/sskm
/usr/share/gitolite3/commands/sudo
/usr/share/gitolite3/commands/svnserve
/usr/share/gitolite3/commands/symbolic-ref
/usr/share/gitolite3/commands/writable
/usr/share/gitolite3/gitolite
/usr/share/gitolite3/gitolite-shell
/usr/share/gitolite3/triggers/partial-copy
/usr/share/gitolite3/triggers/post-compile/ssh-authkeys
/usr/share/gitolite3/triggers/post-compile/ssh-authkeys-shell-users
/usr/share/gitolite3/triggers/post-compile/update-git-configs
/usr/share/gitolite3/triggers/post-compile/update-git-daemon-access-list
/usr/share/gitolite3/triggers/post-compile/update-gitweb-access-list
/usr/share/gitolite3/triggers/renice
/usr/share/gitolite3/triggers/upstream
#

Comment 10 Miroslav Grepl 2012-12-10 14:56:19 UTC
Fixed in selinux-policy-3.7.19-186.el6

Comment 13 errata-xmlrpc 2013-02-21 08:35:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html