Red Hat Bugzilla – Bug 457223
confined user access to public content types
Last modified: 2008-11-17 17:05:23 EST
In my quest to confine git, i noticed that confined users may not interact with
public content types.
Should confined users be able to read public_content_types by default?
I have experimented with the idea of allowing confined users access to
public_content_types by implementing booleans.
for example, i have created a miscfiles_per_role_template with 3 booleans:
This way i can allow user domains access to these public content types.
I will attach my concept git-daemon module for reference. Please note that this
module is for testing purposes only.
Created attachment 312988 [details]
type enforcement file
Created attachment 312989 [details]
Created attachment 312990 [details]
File context file
I think they should be allowed to read public_content by default no boolean
needed. After all it is public.
Fixed in selinux-policy-3.5.1-4.fc10.noarch
Created attachment 313027 [details]
apache interface file
Created attachment 313028 [details]
apache type enforcement file
Created attachment 313029 [details]
git-daemon file context file
Created attachment 313030 [details]
git-daemon interface file
Created attachment 313031 [details]
git-daemon type enforcement file
Created attachment 313032 [details]
gitusr file context file
Created attachment 313033 [details]
gitusr interface file
Created attachment 313034 [details]
gitusr type enforcement file
Created attachment 313035 [details]
user domain interface file
Thanks, please ignore attached policy modules. It is still a work in progress.
Created attachment 313195 [details]
git_daemon domain patch
Here is my current git_daemon domain policy. This seems to work great, but it
could use more testing.
Created attachment 313344 [details]
Attached is my latest update for my git daemon domain. I have tried to keep it as simple as possible. Note that i also tried to make the optional_policy block: git_daemon_read_all_git_daemon_content(httpd_t) tunable in apache.te, this did not work as expected.
git-shell users need a special git userdomain: git_daemon_git_user_template(git_user), because unprivileged users do not have access to git_daemon_system_content_t.
The git-shell user domain has to be the primary for git+ssh:// to work. One would have to add git_user_u to /etc/selinux/targeted/contexts/users/ with:
personal repositories can be hosted by regular local users by default in ~/public_git and should be labeled git_daemon_user_content_t by default)
if git_daemon runs as a inetd service than one can enable/disable the use of personal git repositories.
if a user runs the git-daemon , the user will only be able to host git_daemon_user_content_t in his home location.
git_daemon_admin() is pretty useless at the moment.
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.