In my quest to confine git, i noticed that confined users may not interact with public content types. Should confined users be able to read public_content_types by default? I have experimented with the idea of allowing confined users access to public_content_types by implementing booleans. for example, i have created a miscfiles_per_role_template with 3 booleans: miscfiles_$1_read_public_content_files, false miscfiles_$1_manage_public_content_files, false miscfiles_$1_exec_public_content_files, false This way i can allow user domains access to these public content types. I will attach my concept git-daemon module for reference. Please note that this module is for testing purposes only.
Created attachment 312988 [details] type enforcement file
Created attachment 312989 [details] interface file
Created attachment 312990 [details] File context file
I think they should be allowed to read public_content by default no boolean needed. After all it is public.
Fixed in selinux-policy-3.5.1-4.fc10.noarch
Created attachment 313027 [details] apache interface file
Created attachment 313028 [details] apache type enforcement file
Created attachment 313029 [details] git-daemon file context file
Created attachment 313030 [details] git-daemon interface file
Created attachment 313031 [details] git-daemon type enforcement file
Created attachment 313032 [details] gitusr file context file
Created attachment 313033 [details] gitusr interface file
Created attachment 313034 [details] gitusr type enforcement file
Created attachment 313035 [details] user domain interface file
Thanks, please ignore attached policy modules. It is still a work in progress.
Created attachment 313195 [details] git_daemon domain patch Here is my current git_daemon domain policy. This seems to work great, but it could use more testing.
Created attachment 313344 [details] git_daemon domain. Attached is my latest update for my git daemon domain. I have tried to keep it as simple as possible. Note that i also tried to make the optional_policy block: git_daemon_read_all_git_daemon_content(httpd_t) tunable in apache.te, this did not work as expected. git-shell users need a special git userdomain: git_daemon_git_user_template(git_user), because unprivileged users do not have access to git_daemon_system_content_t. The git-shell user domain has to be the primary for git+ssh:// to work. One would have to add git_user_u to /etc/selinux/targeted/contexts/users/ with: system_r:remote_login_t:s0 git_user_r:git_user_t:s0 system_r:sshd_t:s0 git_user_r:git_user_t:s0 personal repositories can be hosted by regular local users by default in ~/public_git and should be labeled git_daemon_user_content_t by default) if git_daemon runs as a inetd service than one can enable/disable the use of personal git repositories. if a user runs the git-daemon , the user will only be able to host git_daemon_user_content_t in his home location. git_daemon_admin() is pretty useless at the moment.
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.