Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied the gitweb.cgi access to potentially mislabeled files /var/lib/git. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpdcontent, var_lib_t, var_run_t, configfile, httpd_tmp_t, mysqld_etc_t, var_log_t, samba_var_t, avahi_var_run_t, net_conf_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, public_content_t, sysctl_kernel_t, home_root_t, httpd_sys_script_t, setrans_var_run_t, abrt_var_run_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, root_t, mysqld_db_t, usr_t, var_t, sysctl_crypto_t, etc_runtime_t, mysqld_var_run_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, sysctl_t, bin_t, cert_t, lib_t, tmp_t, usr_t, var_t, httpd_sys_content_t, public_content_rw_t, rpm_script_tmp_t, device_t, squirrelmail_spool_t, etc_t, security_t, proc_t, fonts_cache_t, httpd_log_t, default_t, httpd_rw_content, krb5_conf_t, winbind_var_run_t, autofs_t, device_t, var_run_t, etc_t, fonts_t, proc_t, var_spool_t, httpd_sys_script_exec_t, iso9660_t, httpdcontent, var_run_t, var_run_t, etc_runtime_t, nscd_var_run_t, pcscd_var_run_t, lib_t, usr_t, var_t, var_t, httpd_sys_content_t, httpd_sys_content_t, device_t, locale_t, etc_t, proc_t, src_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of /var/lib/git so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/lib/git'. where FILE_TYPE is one of the following: httpdcontent, var_lib_t, var_run_t, configfile, httpd_tmp_t, mysqld_etc_t, var_log_t, samba_var_t, avahi_var_run_t, net_conf_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, public_content_t, sysctl_kernel_t, home_root_t, httpd_sys_script_t, setrans_var_run_t, abrt_var_run_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, root_t, mysqld_db_t, usr_t, var_t, sysctl_crypto_t, etc_runtime_t, mysqld_var_run_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, sysctl_t, bin_t, cert_t, lib_t, tmp_t, usr_t, var_t, httpd_sys_content_t, public_content_rw_t, rpm_script_tmp_t, device_t, squirrelmail_spool_t, etc_t, security_t, proc_t, fonts_cache_t, httpd_log_t, default_t, httpd_rw_content, krb5_conf_t, winbind_var_run_t, autofs_t, device_t, var_run_t, etc_t, fonts_t, proc_t, var_spool_t, httpd_sys_script_exec_t, iso9660_t, httpdcontent, var_run_t, var_run_t, etc_runtime_t, nscd_var_run_t, pcscd_var_run_t, lib_t, usr_t, var_t, var_t, httpd_sys_content_t, httpd_sys_content_t, device_t, locale_t, etc_t, proc_t, src_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context unconfined_u:system_r:httpd_sys_script_t:s0 Target Context system_u:object_r:git_data_t:s0 Target Objects /var/lib/git [ dir ] Source gitweb.cgi Source Path /usr/bin/perl Port <Unknown> Host (removed) Source RPM Packages perl-5.10.0-87.fc12 Target RPM Packages git-daemon-1.6.6-1.fc12 Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.31.9-174.fc12.i686 #1 SMP Mon Dec 21 06:24:20 UTC 2009 i686 i686 Alert Count 3 First Seen Thu 21 Jan 2010 01:00:18 AM UTC Last Seen Thu 21 Jan 2010 01:00:18 AM UTC Local ID 634ae862-6d0a-45c1-a6fc-ac135fd8d042 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1264028418.296:19736): avc: denied { search } for pid=2390 comm="gitweb.cgi" name="git" dev=sda6 ino=152030 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:git_data_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1264028418.296:19736): avc: denied { search } for pid=2390 comm="gitweb.cgi" name="conf" dev=sda6 ino=139628 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:git_data_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1264028418.296:19736): avc: denied { getattr } for pid=2390 comm="gitweb.cgi" path="/var/lib/git/conf/gitweb-projects" dev=sda6 ino=134593 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:git_data_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1264028418.296:19736): arch=40000003 syscall=195 success=yes exit=0 a0=97625cc a1=93320c0 a2=d6dff4 a3=9332008 items=0 ppid=2364 pid=2390 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="gitweb.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null) This happens even after running restorecon -v -R /var/lib/git.
Could you try # chcon -R -t httpd_git_content_t /var/www/git # chcon -R -t httpd_git_script_exec_t /var/www/git/gitweb.cgi And see if that works for you?
Thanks a lot, these fixed it - I can now browse my git repo as I like and I get zero notifications! # chcon -R -t httpd_git_content_t /var/www/git # chcon -R -t httpd_git_script_exec_t /var/www/git/gitweb.cgi
Miroslav can you add this labeling for F12?
Actually after rebooting noticed one more: Summary: SELinux is preventing /usr/bin/perl "getattr" access on /var/tmp. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by gitweb.cgi. It is not expected that this access is required by gitweb.cgi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:httpd_git_script_t:s0 Target Context system_u:object_r:tmp_t:s0 Target Objects /var/tmp [ dir ] Source gitweb.cgi Source Path /usr/bin/perl Port <Unknown> Host localhost.localdomain Source RPM Packages perl-5.10.0-87.fc12 Target RPM Packages filesystem-2.4.30-2.fc12 Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686 Alert Count 1 First Seen Thu 21 Jan 2010 08:38:17 PM UTC Last Seen Thu 21 Jan 2010 08:38:17 PM UTC Local ID 630f1ae1-9b64-4682-a295-b55308e9480e Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1264099097.84:19609): avc: denied { getattr } for pid=4163 comm="gitweb.cgi" path="/var/tmp" dev=sda6 ino=81922 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir node=localhost.localdomain type=SYSCALL msg=audit(1264099097.84:19609): arch=40000003 syscall=195 success=yes exit=0 a0=97fda5c a1=97220c0 a2=280ff4 a3=9722008 items=0 ppid=4155 pid=4163 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="gitweb.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_git_script_t:s0 key=(null)
No idea why, I don't think it needs access. Miroslav you can add files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) Unless you know that gitweb.cgi reads files in /var/tmp?
And another! Summary: SELinux is preventing /usr/bin/perl from using potentially mislabeled files /var/lib. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied the gitweb.cgi access to potentially mislabeled files /var/lib. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, var_run_t, configfile, var_log_t, httpd_git_content_ra_t, httpd_git_content_rw_t, public_content_t, home_root_t, httpd_git_content_t, setrans_var_run_t, abrt_var_run_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, root_t, usr_t, var_t, sysctl_crypto_t, httpd_git_script_t, etc_runtime_t, nscd_var_run_t, bin_t, lib_t, usr_t, var_t, public_content_rw_t, rpm_script_tmp_t, device_t, etc_t, security_t, proc_t, fonts_cache_t, httpd_log_t, default_t, device_t, var_run_t, etc_t, fonts_t, git_data_t, httpd_git_script_exec_t, etc_runtime_t, lib_t, usr_t, httpd_sys_content_t, device_t, locale_t, etc_t, proc_t, src_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of /var/lib so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/lib'. where FILE_TYPE is one of the following: var_run_t, configfile, var_log_t, httpd_git_content_ra_t, httpd_git_content_rw_t, public_content_t, home_root_t, httpd_git_content_t, setrans_var_run_t, abrt_var_run_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, root_t, usr_t, var_t, sysctl_crypto_t, httpd_git_script_t, etc_runtime_t, nscd_var_run_t, bin_t, lib_t, usr_t, var_t, public_content_rw_t, rpm_script_tmp_t, device_t, etc_t, security_t, proc_t, fonts_cache_t, httpd_log_t, default_t, device_t, var_run_t, etc_t, fonts_t, git_data_t, httpd_git_script_exec_t, etc_runtime_t, lib_t, usr_t, httpd_sys_content_t, device_t, locale_t, etc_t, proc_t, src_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context unconfined_u:system_r:httpd_git_script_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib [ dir ] Source gitweb.cgi Source Path /usr/bin/perl Port <Unknown> Host localhost.localdomain Source RPM Packages perl-5.10.0-87.fc12 Target RPM Packages filesystem-2.4.30-2.fc12 Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_bad_labels Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686 Alert Count 0 First Seen Thu 21 Jan 2010 08:48:44 PM UTC Last Seen Thu 21 Jan 2010 08:48:44 PM UTC Local ID 2c63351b-b9ea-439e-be73-80807b61c004 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1264099724.318:19629): avc: denied { search } for pid=4305 comm="gitweb.cgi" name="lib" dev=sda6 ino=24578 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir node=localhost.localdomain type=SYSCALL msg=audit(1264099724.318:19629): arch=40000003 syscall=195 success=yes exit=0 a0=84b96b4 a1=80890c0 a2=d6dff4 a3=8089008 items=0 ppid=4158 pid=4305 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="gitweb.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_git_script_t:s0 key=(null)
CC'ing the git maintainer if he would have an idea about the access violations.
The last one is ours. Miroslav, change all files_search_var to files_search_var_lib in git.if.
I'm not sure about the /var/tmp access. A quick grep in the git tree doesn't show anything obvious.
Ok, the labeling and changes in git.if added to selinux-policy-3.6.32-76.fc12. Not sure why gitweb reads /var/tmp. Let's dontaudit it how you suggest above. I did a quick test and it does not block anything. files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) also added to selinux-policy-3.6.32-76.fc12.
selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.