Description of problem:
Gitolite3 (code rewrite that replaces gitolite 2, cf. http://sitaramc.github.com/gitolite/master-toc.html ) is being packaged in EPEL (cf. https://bugzilla.redhat.com/show_bug.cgi?id=821838 ).
The new package creates the git repositories under /var/lib/gitolite3, whereas the gitolite2 package used /var/lib/gitolite to host git repositories.
selinux-policy knows about /var/lib/gitolite:
* it lets sshd read ~/.ssh/*
* it lets gitweb access the git repositories
with the following file context rules:
/var/lib/gitolite(/.*)? system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite/\.ssh(/.*)? system_u:object_r:ssh_home_t:s0
However, selinux-policy does NOT know about /var/lib/gitolite3, making EPEL gitolite3 unusable by default under RHEL 6.2 with SELinux enabled.

Version-Release number of selected component (if applicable):
RHEL 6.2 selinux-policy does NOT know about /var/lib/gitolite3

Steps to Reproduce:
1. grep gitolite /etc/selinux/targeted/modules/active/file_contexts

Actual results:
/var/lib/gitolite(/.*)? system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite/\.ssh(/.*)? system_u:object_r:ssh_home_t:s0

Expected results:
/var/lib/gitolite3(/.*)? system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite3/\.ssh(/.*)? system_u:object_r:ssh_home_t:s0

Additional info:
I contacted the gitolite3 packager, who suggested I file a bug against selinux-policy in BZ.
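To see why the gitolite2 rules do not carry over to the new directory, here is an added example (not from this bug report or from the selinux-policy package): a small Python model of file_contexts matching, fed a constructed excerpt of the policy's rules, which shows that the anchored regex /var/lib/gitolite(/.*)? leaves everything under /var/lib/gitolite3 at the generic var_lib_t label until the two gitolite3 rules exist.

```python
import re

# Constructed excerpt of a RHEL 6 targeted file_contexts, in the order the policy
# build emits it (general rules first, more specific rules later). Real files also
# carry an optional file-type field ("--", "-d") that this excerpt omits.
CONTEXTS_BEFORE = r"""
/var/lib(/.*)?                  system_u:object_r:var_lib_t:s0
/var/lib/gitolite(/.*)?         system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite/\.ssh(/.*)?   system_u:object_r:ssh_home_t:s0
/usr/share(/.*)?                system_u:object_r:usr_t:s0
"""

# The two rules the bug report asks for, appended after the existing ones.
CONTEXTS_AFTER = CONTEXTS_BEFORE + r"""
/var/lib/gitolite3(/.*)?        system_u:object_r:gitosis_var_lib_t:s0
/var/lib/gitolite3/\.ssh(/.*)?  system_u:object_r:ssh_home_t:s0
"""


def parse_file_contexts(text):
    """Return (compiled regex, context) pairs in file order; a middle
    file-type field, if present, is ignored in this simplified model."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs


def matchpathcon(specs, path):
    """Mimic matchpathcon(1) per file_contexts(5): the regex must match the
    whole path (hence fullmatch) and the last matching entry wins.
    Returns the context string, or None when no rule matches."""
    winner = None
    for regex, context in specs:
        if regex.fullmatch(path):
            winner = context
    return winner


def label_table(text, paths):
    """Map each path to the context a relabel (restorecon) would give it."""
    specs = parse_file_contexts(text)
    return {path: matchpathcon(specs, path) for path in paths}
```

On a real host the same check is `matchpathcon /var/lib/gitolite3/.ssh/authorized_keys`; until the fixed policy is installed, a local equivalent of the two rules can be added with `semanage fcontext -a -t ...` and applied with `restorecon -R /var/lib/gitolite3`.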
Any reason to change the name of this directory? Do you want to ship both simultaneously?
Yes, this is to make upgrading safer for the admin, as there are steps that need to be taken after the old version is removed but before the new one is installed.
mgrepl please backport 3ca3417b4921bba52665e9a42ad35cb19baafbee
Fixed in selinux-policy-3.7.19-159.el6
The following files from the gitolite3 package are labelled usr_t, but they are either shell scripts or perl scripts, therefore I suggest to label them bin_t:
/usr/share/gitolite3/commands/D
/usr/share/gitolite3/commands/access
/usr/share/gitolite3/commands/creator
/usr/share/gitolite3/commands/desc
/usr/share/gitolite3/commands/fork
/usr/share/gitolite3/commands/git-config
/usr/share/gitolite3/commands/help
/usr/share/gitolite3/commands/htpasswd
/usr/share/gitolite3/commands/info
/usr/share/gitolite3/commands/list-dangling-repos
/usr/share/gitolite3/commands/lock
/usr/share/gitolite3/commands/mirror
/usr/share/gitolite3/commands/perms
/usr/share/gitolite3/commands/print-default-rc
/usr/share/gitolite3/commands/push
/usr/share/gitolite3/commands/sshkeys-lint
/usr/share/gitolite3/commands/sskm
/usr/share/gitolite3/commands/sudo
/usr/share/gitolite3/commands/svnserve
/usr/share/gitolite3/commands/symbolic-ref
/usr/share/gitolite3/commands/writable

The following files from the gitolite package are already labelled bin_t:
/usr/share/gitolite/hooks/common/update
/usr/share/gitolite/hooks/gitolite-admin/post-update
Yes, we should label /usr/share/gitolite3/commands as bin_t.
All these files are perl or shell script executables:

# find /usr/share/gitolite3/ -type f | grep -v -e VREF -e \.pm | xargs file | grep executable | cut -d : -f 1 | sort
/usr/share/gitolite3/commands/access
/usr/share/gitolite3/commands/creator
/usr/share/gitolite3/commands/D
/usr/share/gitolite3/commands/desc
/usr/share/gitolite3/commands/fork
/usr/share/gitolite3/commands/git-config
/usr/share/gitolite3/commands/help
/usr/share/gitolite3/commands/htpasswd
/usr/share/gitolite3/commands/info
/usr/share/gitolite3/commands/list-dangling-repos
/usr/share/gitolite3/commands/lock
/usr/share/gitolite3/commands/mirror
/usr/share/gitolite3/commands/perms
/usr/share/gitolite3/commands/print-default-rc
/usr/share/gitolite3/commands/push
/usr/share/gitolite3/commands/sshkeys-lint
/usr/share/gitolite3/commands/sskm
/usr/share/gitolite3/commands/sudo
/usr/share/gitolite3/commands/svnserve
/usr/share/gitolite3/commands/symbolic-ref
/usr/share/gitolite3/commands/writable
/usr/share/gitolite3/gitolite
/usr/share/gitolite3/gitolite-shell
/usr/share/gitolite3/triggers/partial-copy
/usr/share/gitolite3/triggers/post-compile/ssh-authkeys
/usr/share/gitolite3/triggers/post-compile/ssh-authkeys-shell-users
/usr/share/gitolite3/triggers/post-compile/update-git-configs
/usr/share/gitolite3/triggers/post-compile/update-git-daemon-access-list
/usr/share/gitolite3/triggers/post-compile/update-gitweb-access-list
/usr/share/gitolite3/triggers/renice
/usr/share/gitolite3/triggers/upstream
#
Fixed in selinux-policy-3.7.19-186.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html