Bug 917196
| Field | Value |
|---|---|
| Summary | httpd cannot write git_sys_content_t preventing pushes over http |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 20 |
| Status | CLOSED WORKSFORME |
| Reporter | James Hogarth <james.hogarth> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh, gspurgeon, james.hogarth |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2014-07-23 13:03:41 UTC |
Description (James Hogarth, 2013-03-02 00:21:11 UTC)

Created attachment 704376 [details]: a basic module to allow access
This was a basic module I put together for my systems to allow http based git clone if selinux boolean allow_httpd_write_git is set to true
```
# rpm -q selinux-policy
```
On the CentOS system: selinux-policy-3.7.19-155.el6_3.14.noarch
On the Fedora system: selinux-policy-3.11.1-82.fc18.noarch

Created attachment 759701 [details]: patch to selinux-policy to allow git-http-backend to write to git
I'm not entirely happy with this but it's a start ...
This patch is against selinux-policy-3.7.19-195.el6_4.6.src.rpm right now after the redhat patches have been applied with rpmbuild -bp
I tried using the macros exposed in git.if such as git_rwx_generic_system_content but I was getting a syntax error during the make that led to the nfs/cifs tunable policies within the macro... commenting them out in the if file worked fine then but I don't know why.
It's just a basic boolean addition to apache.te with two lines in the tunable policy allowing the write access via manage_files_pattern and an addition to git.fc adding an appropriate httpd_git_script_exec_t context to properly isolate the write to the script domain as opposed to my old hack of a module allowing httpd_t overall ... git-http-backend currently just inherits bin_t which given the purpose it probably shouldn't anyway...
I know this should be cleaned up further but I'm trying to understand why the git_rwx_generic_system_content was exploding in my make before adding the matching patches for F19 and rawhide.
Dominick? I've made a very small test case module to try and clean this up:

```
policy_module(testmodule,0.0.1)

require {
	attribute domain, exec_type;
}

type mytesttype_t, domain;
type mytesttype_exec_t, exec_type;

gen_tunable(letmytype_write_git, false)

domain_type(mytesttype_t)
domain_entry_file(mytesttype_t, mytesttype_exec_t)

optional_policy(`
	tunable_policy(`letmytype_write_git',`
		git_rwx_all_content(mytesttype_t)
	')
')
```

With the tunable_policy uncommented I get this error during make:

```
Compiling targeted testmodule module
/usr/bin/checkmodule: loading policy configuration from tmp/testmodule.tmp
testmodule.te":14:ERROR 'syntax error' at token 'if' on line 4055:
#line 14
if (use_nfs_home_dirs) {
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/testmodule.mod] Error 1
```

If I comment out the tunable_policy line then it does compile correctly ... is this a macro bug I'm encountering or just not using the macros correctly?
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Just carried out a test on F20 and confirmed that httpd can still read but not write git_sys_content_t and that there is no boolean to allow it.

Tested with a git.conf for httpd of:

```
[root@localhost selinuxtest.git]# cat /etc/httpd/conf.d/git.conf
SetEnv GIT_PROJECT_ROOT /srv/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<Location "/git">
Require all granted
</Location>
```

After setting the content of /srv/git to be writable by apache and to have type git_sys_content_t I can pull but not push when enforcing and I'm able to push when permissive.

This should not be F18 auto-closed as a result.

Just to be sure, what AVCs are you getting?
Just checked a system now and as of the current F20 policies /srv/git does not have a specific context by default (it just gets var_t) and there is an httpd_git_rw_content_t context that can now be applied to the repository so that git-http-backend works as expected out of the box (after suitable configuration) without having to write a whole new selinux module... Closing this as a result of the changes in recent behaviour.
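The thread asks for the AVCs and then resolves the report by relabeling the repository with httpd_git_rw_content_t. The following script is an added example, not part of the bug report or of the selinux-policy package: it parses audit.log style AVC lines, picks out the httpd_t write denials against git_sys_content_t that match the symptom described above, and emits the relabel commands from the closing comment. The audit lines are constructed samples (not the reporter's output); the repository path /srv/git is taken from the reporter's git.conf, and the fcontext regex form is the standard one semanage accepts.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines: the first two show httpd_t (git-http-backend
# running under httpd) being denied write/create on git_sys_content_t, which is
# the push failure described in the report; the third is a non-AVC record that
# the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1393000000.123:456): avc:  denied  { write } for  pid=1234 comm="git" name="objects" dev="dm-0" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:git_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1393000000.130:457): avc:  denied  { create } for  pid=1234 comm="git" name="tmp_pack_abc" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:git_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1393000000.130:457): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the permission set, source/target contexts and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that imply a modification of the repository rather than a read.
WRITE_PERMS = {"write", "create", "append", "setattr", "unlink", "rename",
               "link", "add_name", "remove_name", "rmdir"}


@dataclass(frozen=True)
class Denial:
    perms: tuple
    source_type: str
    target_type: str
    tclass: str


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Extract one Denial per AVC 'denied' record; other audit records are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            perms=tuple(sorted(m.group("perms").split())),
            source_type=context_type(m.group("scontext")),
            target_type=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
        ))
    return denials


def is_httpd_git_write_denial(d):
    """True when httpd_t is refused a write-class permission on git_sys_content_t."""
    return (d.source_type == "httpd_t"
            and d.target_type == "git_sys_content_t"
            and bool(WRITE_PERMS & set(d.perms)))


def suggest_relabel(denials, repo_root):
    """If the denials match the read-only git_sys_content_t case, return the
    commands that give the repository the writable httpd_git_rw_content_t label
    (the resolution in the closing comment). Returns [] when no denial matches,
    so unrelated AVCs do not trigger a relabel."""
    if not any(is_httpd_git_write_denial(d) for d in denials):
        return []
    return [
        'semanage fcontext -a -t httpd_git_rw_content_t "%s(/.*)?"' % repo_root,
        "restorecon -Rv %s" % repo_root,
    ]


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AUDIT)
    for d in found:
        print("%s -> %s %s %s" % (d.source_type, d.target_type, d.tclass, d.perms))
    for cmd in suggest_relabel(found, "/srv/git"):
        print(cmd)
```

Run it against `grep avc /var/log/audit/audit.log` output instead of the sample to triage a real host; a denial whose source is not httpd_t or whose target is not git_sys_content_t (for example var_t, which the closing comment notes is the default for /srv/git) is a different labeling problem and is deliberately left without a suggestion.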