Bug 1313800 - SELinux prevents cgit from traversing user_home_dir_t
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Regression
Reported: 2016-03-02 06:19 EST by Dan Callaghan
Modified: 2016-04-04 18:56 EDT
Last Closed: 2016-04-04 18:56:19 EDT
Type: Bug

Description Dan Callaghan 2016-03-02 06:19:39 EST
Description of problem:
I run cgit configured to serve up some users' git repos out of /home/*/public_git/. On F21 this was fine but after upgrading to F23 with the same configuration, cgit now hits an AVC denial for search like this:

type=AVC msg=audit(1456917059.991:79808): avc:  denied  { search } for  pid=4474 comm="cgit" name="dan" dev="dm-0" ino=13107202 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

The files in question are not mislabelled, and the labels make sense to me:

drwx--x--x. 34 dan users unconfined_u:object_r:user_home_dir_t:s0    12288 Mar  2 21:10 /home/dan
drwxr-xr-x.  3 dan users unconfined_u:object_r:git_user_content_t:s0  4096 Mar  2 20:54 /home/dan/public_git

cgit should indeed be prevented from *reading* inside my homedir, but it does need to be able to traverse it to get to ~/public_git.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.7.fc23.noarch
cgit-0.12-1.fc23.x86_64

How reproducible:
relatively easily

Steps to Reproduce:
1. dnf install cgit httpd, start httpd
2. Create ~/public_git and put a git repo there to be served up:
mkdir /home/user/public_git
restorecon /home/user/public_git
git init --bare /home/user/public_git/testrepo
3. Configure cgit to serve it, append the following to /etc/cgitrc:
repo.url=testrepo
repo.path=/home/dan/public_git/testrepo
4. Visit http://localhost/cgit/testrepo/

Actual results:
500 Internal Server Error, and AVC denial for search, like the one pasted above

Expected results:
Should successfully serve an HTML page showing the git repo contents (or "Repository seems to be empty" or whatever)

Additional info:
Seems like a policy regression since the same setup was working without denials on F21.
Comment 1 Dan Callaghan 2016-04-04 18:56:19 EDT
Never mind, it seems there is an sebool for this: git_cgi_enable_homedirs. I'm guessing this is new or maybe wasn't enforced properly before, because I don't remember setting it previously. audit2allow -R didn't point it out to me which is why I didn't find it initially.

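A small triage helper, added here as an example and not part of the bug report: it splits an AVC line like the one quoted above into source type, permission, target type and object class, and maps the exact combination from this bug (git_script_t searching a user_home_dir_t directory) to the git_cgi_enable_homedirs boolean that the reporter found. The `check_boolean` function assumes the SELinux userland tools (getsebool/setsebool) are installed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an AVC denial line and map
# the cgit/home-directory case from this bug to the SELinux boolean behind it.

# Constructed sample input: the AVC line quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1456917059.991:79808): avc:  denied  { search } for  pid=4474 comm="cgit" name="dan" dev="dm-0" ino=13107202 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: print the value of KEY=VALUE (quotes stripped); fail if absent.
avc_field() (
    set -f                      # no globbing while the line is split into tokens
    for tok in $1; do
        case $tok in
            "$2="*) val=${tok#"$2="}; val=${val#\"}; printf '%s\n' "${val%\"}"; return 0 ;;
        esac
    done
    return 1
)

# avc_perms LINE: print the permission(s) inside "{ ... }", e.g. "search".
avc_perms() {
    p=${1#*\{ }
    printf '%s\n' "${p%% \}*}"
}

# avc_type CONTEXT: print the type, i.e. the third colon-separated field.
avc_type() {
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# avc_suggest_boolean LINE: print the boolean governing this denial when it is
# the one this bug describes (git_script_t search on a user_home_dir_t dir).
avc_suggest_boolean() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    key="$src:$(avc_perms "$1"):$tgt:$(avc_field "$1" tclass)"
    case $key in
        git_script_t:search:user_home_dir_t:dir) printf 'git_cgi_enable_homedirs\n' ;;
        *) return 1 ;;
    esac
}

# check_boolean NAME: show the boolean's current state if the SELinux tools are
# present; the persistent fix is `setsebool -P NAME on` run as root.
check_boolean() {
    if command -v getsebool >/dev/null 2>&1; then getsebool "$1"; else echo "getsebool not available"; fi
}

if bool=$(avc_suggest_boolean "$SAMPLE_AVC"); then
    echo "denial matches this bug; boolean to check: $bool"
    check_boolean "$bool"
fi
```

Feed it a line from `ausearch -m avc` instead of the sample to triage a live denial; a denial that does not match the pattern yields no suggestion, which is the cue to fall back to audit2allow or a label check with `ls -dZ`.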