Bug 732196 - SELinux module needed for ssh access to git
Summary: SELinux module needed for ssh access to git
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 494837
TreeView+ depends on / blocked
 
Reported: 2011-08-20 15:21 UTC by Patrick C. F. Ernzer
Modified: 2012-10-16 12:32 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-108.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:13:19 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Patrick C. F. Ernzer 2011-08-20 15:21:05 UTC
Description of problem:
access to git-daemon over ssh with keys seems to need a SELinux module

Version-Release number of selected component (if applicable):
git-1.7.1-2.el6_0.1.x86_64
git-daemon-1.7.1-2.el6_0.1.x86_64
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch


How reproducible:
always

Steps to Reproduce:
1. install git-daemon
2. dump ~git/.ssh/authorized_keys with the usual chmod, chown, semanage and restorecon
3. make a test repo:
    [root@server]# cd ~git
    [root@server]# mkdir test.git
    [root@server]# cd test.git
    [root@server]# git init –bare
    [root@server]# chown -R git:git /var/lib/git/test.git/
4. work with it from another box:
    [user@machine]$ git clone git@hp-microserver.internal.pcfe.net:test.git  

Actual results:
user is prompted for password because SELinux denies access to the authorized_keys file

Expected results:
user is able to use the git server via ssh key authentication


Additional info:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

### mind you, I forced the ssh_home_t myself with
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh'
semanage fcontext -a -f 'all files' -t ssh_home_t '/var/lib/git/.ssh/authorized_keys'
still no joy without the policy module though

# ls -aZ ~git/.ssh/  
drwx------. git  git  system_u:object_r:ssh_home_t:s0  .
drwxr-xr-x. root root system_u:object_r:git_system_content_t:s0 ..
-rw-------. git  git  system_u:object_r:ssh_home_t:s0  authorized_keys

local policy module needed when the files are not relebelled as above
# cat local.te 

module local 1.0;

require {
	type file_t;
	type git_system_content_t;
	type sshd_t;
	class file { read getattr open };
	class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t file_t:dir search;
allow sshd_t git_system_content_t:dir { search getattr };
allow sshd_t git_system_content_t:file { read getattr open };

local policy module for correctly labelled files
# cat gitssh.te 

module gitssh 1.0;

require {
	type git_system_content_t;
	type sshd_t;
	class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t git_system_content_t:dir { search getattr };

Comment 2 Patrick C. F. Ernzer 2011-08-21 08:51:15 UTC
One error I was made aware of; I should have created the git user with -Z git_shell_u . Fixed that with

usermod -Z git_shell_u git

policy module still seemingly needed.

Comment 3 Patrick C. F. Ernzer 2011-08-21 16:20:31 UTC
The other error I did (and this makes it NOTABUG) is that I should not have set the home directory of the git user to /var/lib/git as that introduced user_home_dir_t which made me see the error.

Apologies for the noise, closing bug.

Comment 4 Dominick Grift 2011-08-21 16:36:39 UTC
man git_selinux.8 is not packaged in:

selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch

It has much of the information that is needed to avoid this misunderstanding.

Comment 5 Miroslav Grepl 2011-08-22 12:36:29 UTC
Dominick,
good point. I should backport this man page to RHEL6.

Comment 7 Miroslav Grepl 2011-08-24 15:28:30 UTC
Fixed in selinux-policy-3.7.19-108.el6

Comment 10 errata-xmlrpc 2011-12-06 10:13:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.