Description of problem:
Git repositories (in /srv/git or /var/lib/git) are labelled as git_sys_content_t, but the SELinux targeted policy only allows read access to this type. This is fine for a read-only dumb HTTP endpoint to clone from, but does not allow pushes with the smarter git-http-backend endpoint.

Version-Release number of selected component (if applicable):
Tested on updated CentOS (6.3) and updated Fedora 18

How reproducible:
Always

Steps to Reproduce:
1. Install git
2. Install httpd
3. Configure httpd environment settings and ScriptAlias as per these:
   http://git-scm.com/2010/03/04/smart-http.html
   https://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html
4. git clone from the HTTP interface
5. Make a change and attempt to push to origin

Actual results:
Attempt to push to origin fails and SELinux exceptions are found in the logs

Expected results:
Attempt to push to origin works

Additional info:
Created attachment 704376 [details]
a basic module to allow access

This was a basic module I put together for my systems to allow HTTP-based git clone if the SELinux boolean allow_httpd_write_git is set to true.
# rpm -q selinux-policy
On the CentOS system: selinux-policy-3.7.19-155.el6_3.14.noarch
On the Fedora system: selinux-policy-3.11.1-82.fc18.noarch
Created attachment 759701 [details]
patch to selinux-policy to allow git-http-backend to write to git

I'm not entirely happy with this but it's a start ... This patch is against selinux-policy-3.7.19-195.el6_4.6.src.rpm right now, after the Red Hat patches have been applied with rpmbuild -bp.

I tried using the macros exposed in git.if such as git_rwx_generic_system_content, but I was getting a syntax error during the make that led to the nfs/cifs tunable policies within the macro... commenting them out in the .if file worked fine then, but I don't know why.

It's just a basic boolean addition to apache.te with two lines in the tunable policy allowing the write access via manage_files_pattern, and an addition to git.fc adding an appropriate httpd_git_script_exec_t context to properly isolate the write to the script domain, as opposed to my old hack of a module allowing httpd_t overall ... git-http-backend currently just inherits bin_t, which given its purpose it probably shouldn't anyway...

I know this should be cleaned up further, but I'm trying to understand why git_rwx_generic_system_content was exploding in my make before adding the matching patches for F19 and rawhide.
Dominick?
I've made a very small test case module to try and clean this up:

policy_module(testmodule, 0.0.1)

require {
	attribute domain, exec_type;
}

type mytesttype_t, domain;
type mytesttype_exec_t, exec_type;

gen_tunable(letmytype_write_git, false)

domain_type(mytesttype_t)
domain_entry_file(mytesttype_t, mytesttype_exec_t)

optional_policy(`
	tunable_policy(`letmytype_write_git',`
		git_rwx_all_content(mytesttype_t)
	')
')

With the tunable_policy uncommented I get this error during make:

Compiling targeted testmodule module
/usr/bin/checkmodule:  loading policy configuration from tmp/testmodule.tmp
testmodule.te":14:ERROR 'syntax error' at token 'if' on line 4055:
#line 14
if (use_nfs_home_dirs) {
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/testmodule.mod] Error 1

If I comment out the tunable_policy line then it does compile correctly ... is this a macro bug I'm encountering, or am I just not using the macros correctly?
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Just carried out a test on F20 and confirmed that httpd can still read but not write git_sys_content_t, and that there is no boolean to allow it. Tested with a git.conf for httpd of:

[root@localhost selinuxtest.git]# cat /etc/httpd/conf.d/git.conf
SetEnv GIT_PROJECT_ROOT /srv/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<Location "/git">
    Require all granted
</Location>

After setting the content of /srv/git to be writable by apache and to have type git_sys_content_t, I can pull but not push when enforcing, and I'm able to push when permissive. This should not be F18 auto-closed as a result.
Just to be sure, what AVCs are you getting?
Just checked a system now, and as of the current F20 policies /srv/git does not have a specific context by default (it just gets var_t), and there is an httpd_git_rw_content_t context that can now be applied to the repository so that git-http-backend works as expected out of the box (after suitable configuration) without having to write a whole new SELinux module... Closing this as a result of the changes in recent behaviour.
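The question of which AVCs are being hit, and the two labelling outcomes the thread ends with (a repository left at the default var_t, or a push into read-only git_sys_content_t), can be checked mechanically. The following triage script is an added example, not code from the bug report or from selinux-policy; the audit records it reads are constructed samples, and the verdict strings are assumptions chosen to match the labels discussed above.

```python
import re
from collections import namedtuple

# Matches the fields of a kernel AVC record as found in /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Permissions that a read-only content type such as git_sys_content_t never grants to httpd.
WRITE_PERMS = frozenset({"write", "append", "create", "add_name", "remove_name",
                         "rename", "unlink", "rmdir", "setattr", "link"})
# sdomain/ttype are the type fields of scontext/tcontext, e.g. httpd_t / git_sys_content_t.
Denial = namedtuple("Denial", "perms comm sdomain ttype tclass")

def parse_avc(line):
    """Return a Denial for an AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(perms=frozenset(m.group("perms").split()),
                  comm=m.group("comm"),
                  sdomain=m.group("scontext").split(":")[2],
                  ttype=m.group("tcontext").split(":")[2],
                  tclass=m.group("tclass"))

def diagnose(d):
    """Map a denial onto the two outcomes the thread ends with; anything else is out of scope."""
    if not d.sdomain.startswith("httpd_"):
        return "unrelated: source domain is not an httpd domain"
    if d.ttype == "var_t":
        return "repository still has the default var_t label: set httpd_git_rw_content_t"
    if d.ttype == "git_sys_content_t" and d.perms & WRITE_PERMS:
        return "push into read-only git_sys_content_t: relabel to httpd_git_rw_content_t"
    return "unrelated: not an httpd write to a git repository"

def diagnose_log(lines):
    """Diagnose every AVC denial in an iterable of audit lines, skipping other records."""
    return [(d.comm, diagnose(d)) for d in map(parse_avc, lines) if d is not None]

# Constructed sample records (not taken from the bug report). The kernel truncates comm to
# 15 characters, so git-http-backend appears as "git-http-backen".
SAMPLE_LOG = [
    'type=AVC msg=audit(1393000000.101:201): avc:  denied  { add_name } for  pid=2101 comm="git-http-backen" name="incoming" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:git_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1393000000.102:202): avc:  denied  { read } for  pid=2102 comm="git-http-backen" name="HEAD" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1393000000.102:202): arch=c000003e syscall=2 success=no exit=-13',
]
if __name__ == "__main__":
    for comm, verdict in diagnose_log(SAMPLE_LOG):
        print(comm, verdict)
```

Feed it real lines with `ausearch -m AVC -c git-http-backen` to see which of the two relabelling cases applies before reaching for a custom module.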