Bug 1429790 - wrong selinux file context in README.selinux
Summary: wrong selinux file context in README.selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cgit
Version: epel7
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Todd Zullinger
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-03-07 05:42 UTC by Matthew Hannigan
Modified: 2017-08-09 15:23 UTC (History)

Fixed In Version: cgit-1.1-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-09 15:23:43 UTC
Type: Bug




Links: Red Hat Bugzilla 1036123
Internal Links: 1036123

Description Matthew Hannigan 2017-03-07 05:42:05 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. read cgit's README.selinux
2. perform command suggested: semanage fcontext -a -t httpd_git_content_t "/srv/git(/.*)"


Actual results:
ValueError: Type httpd_git_content_t is invalid, must be a file or device type

Expected results:
Execute without error 

Additional info:
1. This fcontext is parameterised in the rpm build but is wrong for rhel7
2. It probably should be git_sys_content_t as that exists.
3. It's probably wrong for Fedora too; README.linux there has git_content_t but /var/lib/git is (I think!) actually git_sys_content_t

Comment 1 Pavel Raiskup 2017-03-07 16:28:32 UTC
Thanks for the report.  I agree that 'git_sys_content_t' is a very good
guess for RHEL6, RHEL7 and also Fedora.

I originally thought (bug 1036123) that looking at /var/www/git makes some
sense, but it doesn't.

I checked Fedora Rawhide and RHEL7 selinux-policy sources, and there's
something like:

    optional_policy(`
            git_read_generic_sys_content_files(httpd_t)
    `)

Which operates on git_sys_content_t.

Further checking:

| RHEL5> matchpathcon /var/www/git /var/lib/git
| /var/www/git    system_u:object_r:httpd_sys_content_t
| /var/lib/git    system_u:object_r:var_lib_t

var_lib_t is just a bad default.  So we still need to use
httpd_sys_content_t on RHEL5.

| RHEL6> matchpathcon /var/www/git /var/lib/git
| /var/www/git    system_u:object_r:httpd_git_content_t:s0
| /var/lib/git    system_u:object_r:git_sys_content_t:s0

httpd_sys_content_t works here, too, together with git_sys_content_t.

| RHEL7> matchpathcon /var/www/git /var/lib/git
| /var/www/git    system_u:object_r:git_content_t:s0
| /var/lib/git    system_u:object_r:git_sys_content_t:s0

| F25> matchpathcon /var/www/git /var/lib/git
| /var/www/git    system_u:object_r:git_content_t:s0
| /var/lib/git    system_u:object_r:git_sys_content_t:s0

git_sys_content_t works here.  Fixed as
3ede86ef29356c3872d74c6db76a3c78db4fd234 commit in epel7 and f27
(rawhide).

Comment 2 Fedora Update System 2017-03-07 16:49:47 UTC
cgit-1.1-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-473d31b05f

Comment 3 Matthew Hannigan 2017-03-08 03:24:43 UTC
Hi Pavel, thanks for the prompt and complete response.
I have a secondary bug (or at least I think I do) on rhel7.
I have never been able to make cgit work no matter what context I make various files.
I know that it works with selinux off and doesn't work with it on.
The actual error -- as given by audit2allow is

   # === httpd_t ===
   allow httpd_t httpd_sys_script_exec_t:file execute_no_trans;

But I suspect that that is a symptom.  
I know I should raise another bug report but could you please check whether cgit works out of the box for you on rhel7?

It works OK on Fedora 25.

Comment 4 Pavel Raiskup 2017-03-08 11:22:38 UTC
Matthew, it looks like your /var/www/cgi-bin/cgit has httpd_sys_script_exec_t
but it should have git_script_exec_t.  Can you confirm (and fix)?

Comment 5 Fedora Update System 2017-03-08 16:17:23 UTC
cgit-1.1-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-473d31b05f

Comment 6 Matthew Hannigan 2017-03-21 00:13:53 UTC
Pavel, yes it had a different context.  That was me attempting to fix.
It failed with git_script_exec_t as well.

I found the problem underlying both failures.

The fs was mounted nosuid.  This prevents the selinux transition.

Simply re-mounting suid fixed the problem.
It is also possible to make /var/www/cgi-bin a bind mount and make the bind mount suid while the rest of /var is nosuid.

The remounts require a restart of httpd.

Feel free to close this issue.

Thanks,
Matt

PS it would be nice if nosuid was mentioned more prominently in selinux docs; perhaps the FAQ section on resolving problems
https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#faq-div-resolving-problems
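The two failure modes this thread ends up with, a CGI script on a nosuid mount (no httpd_t domain transition on exec) and a script carrying a label the policy does not expect, can both be checked before touching SELinux policy. The script below is an added example, not code from the bug report or the cgit package; the mount table is constructed, and the live check assumes GNU coreutils `stat -c %C` and `matchpathcon` from the SELinux userspace tools.

```shell
#!/bin/sh
# Added example (not from the bug report or the cgit package): diagnose a
# CGI script such as /var/www/cgi-bin/cgit for a nosuid mount, which blocks
# the httpd_t domain transition, and for a label the loaded policy does
# not expect.

# Longest-prefix match of $1 against the mount points in $2, a table in
# /proc/self/mounts format. Prints the option string of the winning mount,
# so a bind mount of /var/www/cgi-bin overrides the options of /var.
mount_options_for() {
    printf '%s\n' "$2" | {
        best=""; bestopts=""
        while read -r _dev mnt _fstype opts _rest; do
            if [ "$mnt" = "/" ] || [ "$1" = "$mnt" ] \
               || [ "${1#"$mnt"/}" != "$1" ]; then
                # a later, longer (or equal, i.e. remounted) entry wins
                if [ ${#mnt} -ge ${#best} ]; then best=$mnt; bestopts=$opts; fi
            fi
        done
        printf '%s\n' "$bestopts"
    }
}

# True when $1 sits on a mount whose options include nosuid.
path_is_nosuid() {
    case ",$(mount_options_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample table: /var is a separate nosuid filesystem and
# /var/www/cgi-bin is bind-mounted back without nosuid (comment 6's workaround).
SAMPLE_MOUNTS='/dev/mapper/root / xfs rw,relatime 0 0
/dev/mapper/var /var xfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/var /var/www/cgi-bin xfs rw,relatime 0 0'

# Live check on a real host: reads the kernel mount table and, when the
# SELinux tools exist, compares the on-disk label with matchpathcon's answer.
live_check() {
    f=$1
    if path_is_nosuid "$f" "$(cat /proc/self/mounts)"; then
        echo "$f: on a nosuid mount, httpd_t cannot transition to its script domain" >&2
    fi
    if command -v matchpathcon >/dev/null 2>&1 && [ -e "$f" ]; then
        want=$(matchpathcon -n "$f"); have=$(stat -c %C "$f")
        [ "$want" = "$have" ] || echo "$f: label is $have, policy expects $want" >&2
    fi
}
```

Run `live_check /var/www/cgi-bin/cgit` on the affected host; a remount without nosuid (or the bind-mount trick above) needs an httpd restart before the transition works.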

Comment 7 Pavel Raiskup 2017-03-21 06:58:55 UTC
(In reply to Matthew Hannigan from comment #6)
> The fs was mounted nosuid.  This prevents the selinux transition.
> Simply re-mounting suid fixed the problem.
> It is also possible to make /var/www/cgi-bin a bind mount and make the bind
> mount suid while the rest of /var is nosuid.

Hmm.  I'm curious how you got to this resolution;  I'm able to reproduce
the issue though I don't see anything in audit.log.  So for me it would be
really hard to debug.

> The remounts require a restart of httpd.
> 
> Feel free to close this issue.

It should close itself once the update is pushed.

> PS it would be nice if nosuid was mentioned more prominently in selinux
> docs; perhaps the FAQ section on resolving problems
> https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.
> html#faq-div-resolving-problems

It is IMO fair to submit such request to selinux guys.

Comment 8 Matthew Hannigan 2017-03-21 07:17:25 UTC
> I'm curious how you got to this resolution

Sheer dogged determination and elimination of the impossible :-)
Comparing a system that worked against a system that didn't.

I knew that our sysadmins did extra hardening on our machines but they said they did not tweak or add any selinux policies themselves.
So I had to look elsewhere but somewhere closely related.

Actually, I remember a very similar problem I had a couple of years ago.
Possibly also with a cgi-bin. Nagios perhaps?

So, I half-remembered that incident too.

Comment 9 Fedora Update System 2017-07-24 22:46:37 UTC
cgit-1.1-4.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-a00c707deb

Comment 10 Fedora Update System 2017-07-25 00:51:47 UTC
cgit-1.1-5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-c089298a4c

Comment 11 Fedora Update System 2017-07-26 01:48:51 UTC
cgit-1.1-5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-c089298a4c

Comment 12 Fedora Update System 2017-08-09 15:23:43 UTC
cgit-1.1-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

