Description of problem:
access to git-daemon over ssh with keys seems to need a SELinux module

Version-Release number of selected component (if applicable):
git-1.7.1-2.el6_0.1.x86_64
git-daemon-1.7.1-2.el6_0.1.x86_64
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch

How reproducible:
always

Steps to Reproduce:
1. install git-daemon
2. dump ~git/.ssh/authorized_keys with the usual chmod, chown, semanage and restorecon
3. make a test repo:
   [root@server]# cd ~git
   [root@server]# mkdir test.git
   [root@server]# cd test.git
   [root@server]# git init --bare
   [root@server]# chown -R git:git /var/lib/git/test.git/
4. work with it from another box:
   [user@machine]$ git clone git.pcfe.net:test.git

Actual results:
user is prompted for password because SELinux denies access to the authorized_keys file

Expected results:
user is able to use the git server via ssh key authentication

Additional info:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

### mind you, I forced the ssh_home_t myself with
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh'
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh/authorized_keys'
still no joy without the policy module though

# ls -aZ ~git/.ssh/
drwx------. git  git  system_u:object_r:ssh_home_t:s0 .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git  git  system_u:object_r:ssh_home_t:s0 authorized_keys

local policy module needed when the files are not relabelled as above
# cat local.te
module local 1.0;

require {
        type file_t;
        type git_system_content_t;
        type sshd_t;
        class file { read getattr open };
        class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t file_t:dir search;
allow sshd_t git_system_content_t:dir { search getattr };
allow sshd_t git_system_content_t:file { read getattr open };

local policy module for correctly labelled files
# cat gitssh.te
module gitssh 1.0;

require {
        type git_system_content_t;
        type sshd_t;
        class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t git_system_content_t:dir { search getattr };
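The report shows the .te sources but not how they were turned into a loadable module, nor a persistent form of the ssh_home_t labelling. The script below is an added example (it is not part of the bug report or of the selinux-policy package) that generates a module equivalent to gitssh.te, compiles and loads it with checkmodule/semodule_package/semodule, and labels the git user's .ssh directory with a single fcontext regex instead of one entry per path. The module name, the /var/lib/git home directory and the DRY_RUN switch are assumptions for illustration; on a real host it must run as root with policycoreutils and checkpolicy installed, and with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the bug report: build and load a small SELinux
# policy module (the gitssh.te rule above) and label ~git/.ssh persistently.
# Assumptions: module name "gitssh", git home /var/lib/git, DRY_RUN=1 means
# "print the privileged commands instead of executing them".

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute CMD, or echo it when DRY_RUN=1 so the flow can be
# reviewed on a machine without SELinux tooling or root.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# gen_te NAME TYPE: emit a module letting sshd_t search/getattr directories
# of type TYPE (the only rule gitssh.te needs once the files are labelled
# ssh_home_t). Writes the .te text to stdout.
gen_te() {
    name="$1"; dtype="$2"
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n\ttype %s;\n\ttype sshd_t;\n\tclass dir { search getattr };\n}\n\n' "$dtype"
    printf '#============= sshd_t ==============\n'
    printf 'allow sshd_t %s:dir { search getattr };\n' "$dtype"
}

# build_module NAME DIR: compile DIR/NAME.te -> NAME.mod -> NAME.pp and load it.
build_module() {
    name="$1"; dir="$2"
    run checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te"
    run semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
    run semodule -i "$dir/$name.pp"
}

# label_ssh_dir HOME: record one fcontext rule covering HOME/.ssh and
# everything under it, then relabel so it survives a future restorecon.
label_ssh_dir() {
    home="$1"
    run semanage fcontext -a -t ssh_home_t "$home/\.ssh(/.*)?"
    run restorecon -Rv "$home/.ssh"
}

# verify NAME HOME: succeed only if the module is loaded; show the labels.
verify() {
    name="$1"; home="$2"
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ semodule -l | grep ^$name && ls -aZ $home/.ssh"
        return 0
    fi
    semodule -l | grep -q "^$name" && ls -aZ "$home/.ssh"
}

main() {
    GIT_HOME="${GIT_HOME:-/var/lib/git}"
    WORK="${TMPDIR:-/tmp}"
    gen_te gitssh git_system_content_t > "$WORK/gitssh.te"
    label_ssh_dir "$GIT_HOME"
    build_module gitssh "$WORK"
    verify gitssh "$GIT_HOME"
}

# Usage: sh gitssh-module.sh apply      (or DRY_RUN=1 sh gitssh-module.sh apply)
if [ "$1" = "apply" ]; then
    main
fi
```

The fcontext regex form matters: the two per-path entries in the report cover only the directory and one file, so a key added later as ~git/.ssh/authorized_keys2 would come back as git_system_content_t after a restorecon, while the regex keeps the whole tree ssh_home_t.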
One error I was made aware of: I should have created the git user with -Z git_shell_u. Fixed that with "usermod -Z git_shell_u git"; the policy module is still seemingly needed.
The other error I made (and this makes it NOTABUG) is that I should not have set the home directory of the git user to /var/lib/git, as that introduced user_home_dir_t, which made me see the error. Apologies for the noise, closing bug.
man git_selinux.8 is not packaged in:
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch
It has much of the information that is needed to avoid this misunderstanding.
Dominick, good point. I should backport this man page to RHEL6.
Fixed in selinux-policy-3.7.19-108.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html