I'm updating the cgit package in Fedora (and EPEL, FWIW). Cgit is a caching web interface for git. It's primarily a C-based CGI script. As part of that update I'm installing some filter scripts that can be used to extend cgit. I'd like to get some help ensuring that we determine proper labeling/policy and get it included in future selinux-policy updates.

My intention is to install the scripts in /usr/libexec/cgit/filters. Currently, there are only two scripts:

    $ ll -Z /usr/libexec/cgit/filters/
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 commit-links.sh
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 syntax-highlighting.sh

This causes an AVC that I think looks safe to dontaudit:

    $ sudo getenforce
    Enforcing
    $ sudo ausearch -m AVC -ts recent
    ----
    time->Tue Sep 7 09:13:25 2010
    type=SYSCALL msg=audit(1283865205.736:31359): arch=40000003 syscall=195 success=no exit=-13 a0=80e9693 a1=bfaac25c a2=297ff4 a3=83a6d50 items=0 ppid=22480 pid=22481 auid=500 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=1 comm="syntax-highligh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_git_script_t:s0 key=(null)
    type=AVC msg=audit(1283865205.736:31359): avc: denied { search } for pid=22481 comm="syntax-highligh" name="cgi-bin" dev=dm-2 ino=396996 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir

Despite the denial, the script succeeds in its purpose, which is to run the file cgit is about to display through the highlight command for syntax highlighting. A similar AVC is produced for the commit-links.sh script, and the filter similarly succeeds.
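As an added example (not part of the bug report or of cgit/selinux-policy), a small Python triage helper that parses the AVC record quoted above into its fields and renders the type-enforcement rule (dontaudit or allow) that would cover exactly that source type, target type, object class and permission set; the sample record is the one from the report, embedded as a constant.

```python
import re

# Constructed sample: the AVC record quoted in the bug report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1283865205.736:31359): avc: denied { search } for '
    'pid=22481 comm="syntax-highligh" name="cgi-bin" dev=dm-2 ino=396996 '
    'scontext=unconfined_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir'
)

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with verdict, perms (list) and every key=value field, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'verdict': m.group('verdict'), 'perms': m.group('perms').split(), **fields}


def type_of(context):
    """Extract the type from a user:role:type[:mls] security context."""
    return context.split(':')[2]


def rule_for(avc, action='dontaudit'):
    """Render the TE rule matching this denial; action is 'dontaudit' or 'allow'."""
    if action not in ('dontaudit', 'allow'):
        raise ValueError('action must be dontaudit or allow')
    return '%s %s %s:%s { %s };' % (
        action, type_of(avc['scontext']), type_of(avc['tcontext']),
        avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print('%s (%s) -> %s' % (avc['comm'], avc['scontext'], avc['tcontext']))
    print(rule_for(avc))            # the reporter's proposed silencing rule
    print(rule_for(avc, 'allow'))   # what the maintainer's interface change grants
```

Whether the rule should be dontaudit or allow is a policy decision (here the maintainer chose to allow the search via the apache content template); the helper only makes the two candidates explicit from the record.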
Fixed in selinux-policy-3.9.3-1.fc14. Miroslav, can you add search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type) to apache_content_template?
Fixed in selinux-policy-3.7.19-55.fc13
selinux-policy-3.7.19-57.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.