Bug 630959 - Policy and/or labeling needed for new cgit filter scripts
Summary: Policy and/or labeling needed for new cgit filter scripts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-09-07 13:34 UTC by Todd Zullinger
Modified: 2010-09-22 00:38 UTC

Fixed In Version: selinux-policy-3.7.19-57.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-22 00:38:15 UTC
Type: ---
Embargoed:



Description Todd Zullinger 2010-09-07 13:34:12 UTC
I'm updating the cgit package in Fedora (and EPEL, FWIW). Cgit is a caching web interface for git.  It's primarily a C-based CGI script.  As part of that update I'm installing some filter scripts that can be used to extend cgit.

I'd like to get some help ensuring that we determine proper labeling/policy and get it included in future selinux-policy updates.

My intention is to install the scripts in /usr/libexec/cgit/filters.  Currently, there are only two scripts:

$ ll -Z /usr/libexec/cgit/filters/
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       commit-links.sh
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       syntax-highlighting.sh

This causes an AVC that I think looks safe to dontaudit:

$ sudo getenforce
Enforcing

$ sudo ausearch -m AVC -ts recent
----
time->Tue Sep  7 09:13:25 2010
type=SYSCALL msg=audit(1283865205.736:31359): arch=40000003 syscall=195 success=no exit=-13 a0=80e9693 a1=bfaac25c a2=297ff4 a3=83a6d50 items=0 ppid=22480 pid=22481 auid=500 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=1 comm="syntax-highligh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_git_script_t:s0 key=(null)
type=AVC msg=audit(1283865205.736:31359): avc:  denied  { search } for  pid=22481 comm="syntax-highligh" name="cgi-bin" dev=dm-2 ino=396996 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir

Despite the denial, the script succeeds in its purpose, which is to run the file cgit is about to display through the highlight command for syntax highlighting.  A similar AVC is produced for the commit-links.sh script, and the filter similarly succeeds.

Comment 1 Daniel Walsh 2010-09-07 18:21:01 UTC
Fixed in selinux-policy-3.9.3-1.fc14

Miroslav can you add

	search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type)


to apache_content_template.
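As an added illustration (not code from the bug report or from the selinux-policy project), the following Python models the check a policy maintainer does by hand when reading the AVC record in the description together with the macro proposed in comment 1: parse the audit line into source type, target type, object class and denied permissions, then test whether an allow rule covers it. The expansion of search_dirs_pattern into two `allow ... :dir search_dir_perms` rules, the contents of search_dir_perms, and the set of types carrying the httpd_script_exec_type attribute are assumptions modelled after refpolicy, not taken from this page; the second audit line is constructed here to show a denial the proposed rule would not cover.

```python
import re
from dataclasses import dataclass, field

# Sample input: the first line is the AVC record quoted in the bug report; the
# second is constructed for this example (a write denial the rule should not cover).
AUDIT_LINES = [
    'type=AVC msg=audit(1283865205.736:31359): avc:  denied  { search } for  pid=22481 '
    'comm="syntax-highligh" name="cgi-bin" dev=dm-2 ino=396996 '
    'scontext=unconfined_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir',
    'type=AVC msg=audit(1283865300.100:31360): avc:  denied  { write } for  pid=22490 '
    'comm="commit-links.sh" name="cgi-bin" dev=dm-2 ino=396996 '
    'scontext=unconfined_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir',
]

# Pull the permission set, both security contexts and the object class out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    stype: str   # type field of scontext (the acting domain)
    ttype: str   # type field of tcontext (the object label)
    tclass: str


def context_type(ctx):
    # A context is user:role:type[:mls]; the type is the third field.
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a Denial for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(frozenset(m["perms"].split()),
                  context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])


@dataclass
class Policy:
    attributes: dict                       # attribute name -> set of types carrying it
    rules: list = field(default_factory=list)  # (source, target, class, perms)

    def allow(self, source, target, tclass, perms):
        self.rules.append((source, target, tclass, frozenset(perms)))

    def expand(self, name):
        # An attribute stands for every type that carries it; a plain type is itself.
        return self.attributes.get(name, {name})

    def missing(self, d):
        """Denied permissions that no allow rule grants for this source/target/class."""
        left = set(d.perms)
        for src, tgt, cls, perms in self.rules:
            if cls == d.tclass and d.stype in self.expand(src) and d.ttype in self.expand(tgt):
                left -= perms
        return frozenset(left)


# Assumption (refpolicy): search_dir_perms is { getattr search open }.
SEARCH_DIR_PERMS = {"getattr", "search", "open"}


def search_dirs_pattern(policy, domain, container, directory):
    # Assumed expansion of refpolicy's search_dirs_pattern macro:
    #   allow $1 $2:dir search_dir_perms;  allow $1 $3:dir search_dir_perms;
    policy.allow(domain, container, "dir", SEARCH_DIR_PERMS)
    policy.allow(domain, directory, "dir", SEARCH_DIR_PERMS)


def check_bug(lines=AUDIT_LINES):
    """For each AVC line return (denied perms, perms still missing after the proposed rule)."""
    # Assumption: httpd_sys_script_exec_t carries the httpd_script_exec_type attribute,
    # which is why a rule on the attribute covers the denial on the concrete type.
    policy = Policy(attributes={"httpd_script_exec_type": {"httpd_sys_script_exec_t",
                                                           "httpd_git_script_exec_t"}})
    search_dirs_pattern(policy, "httpd_git_script_t", "httpd_sys_content_t",
                        "httpd_script_exec_type")
    results = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            results.append((d.perms, policy.missing(d)))
    return results


if __name__ == "__main__":
    for denied, left in check_bug():
        print(sorted(denied), "->", "covered" if not left else "still denied: %s" % sorted(left))
```

The useful part of the exercise is the attribute expansion: the denial names the concrete type httpd_sys_script_exec_t, while the proposed macro targets the attribute httpd_script_exec_type, so a rule on the attribute covers this AVC and any other script-exec type carrying it, while an unrelated permission such as write on the same directory stays denied.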

Comment 2 Miroslav Grepl 2010-09-09 11:16:44 UTC
Fixed in selinux-policy-3.7.19-55.fc13

Comment 3 Fedora Update System 2010-09-13 16:08:30 UTC
selinux-policy-3.7.19-57.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

Comment 4 Fedora Update System 2010-09-15 05:29:46 UTC
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

Comment 5 Fedora Update System 2010-09-22 00:37:13 UTC
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

