New fedora cgit packages could use some policy updates

Daniel J Walsh dwalsh at redhat.com
Tue Feb 10 11:36:37 UTC 2009



Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> What do you think of this simple policy package.
> 
> That looks nice and simple to start with.  Thanks.
> 
> Thinking ahead a bit, would we want to name it git or cgit?  There are
> several packages/daemons that should eventually become confined by
> stricter policy:
> 
>     git-daemon - provides the git:// protocol support
>     gitweb - provides a CGI in perl for viewing git repos via http[s]
>     cgit - provides a CGI in C for viewing git repos via http[s]
> 
> For example, gitweb would have no need to access the cgit cache, but
> may have other areas that it needs to write to, which would mean
> httpd_git_content_rw_t might need to encompass more than needed if it
> includes both gitweb and cgit.
> 
> There have been a few recent security bugs with gitweb¹, serious
> enough to allow remote code execution.  This is definitely the sort of
> thing a nice policy could help mitigate. :)
> 
> Do you have some links handy for how I'd go about creating a confined
> policy for either cgit or gitweb?  That way I could test and add to
> the policy to allow it to be as limited as is reasonable.  I'd be
> happy to try and help beat something into shape for these git tools.
> But I've really not spent a lot of time reading up on creating policy
> from scratch.  I've perused your excellent blog, but not enough to be
> able to do this yet.
> 
> ¹ https://bugzilla.redhat.com/show_bug.cgi?id=477523
>   https://bugzilla.redhat.com/show_bug.cgi?id=479715
> 
> 
Sorry about this, I seem to have lost this email.

The following might help you with writing policy.

http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

>     git-daemon - provides the git:// protocol support
>     gitweb - provides a CGI in perl for viewing git repos via http[s]
>     cgit - provides a CGI in C for viewing git repos via http[s]
>

I would combine gitweb and cgit into the same policy since there is
really very little difference between the two; it really does not matter
what you call them, unless one is readonly?

I have added git policy to the base package for rawhide.

selinux-policy-3.6.5-2.fc11

If you could install this policy out with gitweb and cgit, that would be
helpful.

I made the httpd_git_script_t permissive and have added file context for
gitweb as well as cgit.

Extract the tgz file, then execute

make -f /usr/share/selinux/devel/Makefile
semodule -i git.pp
restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit \
    /var/www/git/gitweb.cgi /var/lib/git

Run git and cgit.

Use

audit2allow -R >> git.te

to add new rules, then

make -f /usr/share/selinux/devel/Makefile
semodule -i git.pp

Test again, to make sure there are no avc's.

Then if you send me the new policy and the audit.log, I can update
fedora policy.

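The build / install / exercise / audit2allow loop Dan describes above, written out as a small script. This is an added example, not code from the post or from the Fedora selinux-policy package; it assumes git.te, git.fc and git.if from the attached git.tgz are in the current directory, that selinux-policy-devel provides /usr/share/selinux/devel/Makefile, and that ausearch and audit2allow are installed. The audit record in SAMPLE_AUDIT is constructed for the example so the AVC check can be tried without a real denial.

```bash
#!/bin/sh
# Added example: iterate on the git policy module (git.te/git.fc/git.if)
# until gitweb and cgit run with no AVC denials.
set -e

POLICY_MAKEFILE=/usr/share/selinux/devel/Makefile
# Paths from the post that must pick up the new file contexts (git.fc).
# Deliberately unquoted below so the shell splits it into separate arguments.
GIT_PATHS="/var/cache/cgit /var/www/cgi-bin/cgit /var/www/git/gitweb.cgi /var/lib/git"

# Build git.pp from the .te/.fc/.if files, load it, and relabel the git paths.
build_and_load() {
    make -f "$POLICY_MAKEFILE" git.pp
    semodule -i git.pp
    restorecon -R -v $GIT_PATHS
}

# Count AVC denials whose source context carries the given type, reading
# audit records on stdin (from ausearch or a saved audit.log).  Prints 0
# when nothing matches; grep's exit status 1 for "no match" is not an error here.
count_avcs_for_type() {
    type="$1"
    grep -c "type=AVC .*scontext=[^ ]*:${type}:" || true
}

# One refinement pass: turn the denials since the last load into rules with
# audit2allow -R (the interface-aware form used in the post) and rebuild.
# Read what lands in git.te before reloading: audit2allow records what the
# CGI tried to do, not what it should be allowed to do.
refine_once() {
    ausearch -m AVC -ts recent | audit2allow -R >> git.te
    build_and_load
}

# Constructed sample audit record, in the format auditd writes to audit.log,
# showing what a write denial for httpd_git_script_t against the cgit cache
# directory looks like.  Not a real log line.
SAMPLE_AUDIT='type=AVC msg=audit(1234567890.123:45): avc:  denied  { write } for  pid=1234 comm="cgit" name="cgit" dev=sda1 ino=99 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_git_content_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1234567890.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="cgit"'

# Only touch the system when asked explicitly, so the file can be sourced
# for its functions (or run under a test harness) without loading policy.
if [ "${1:-}" = "run" ]; then
    build_and_load
    printf 'Browse gitweb and cgit now, then press Enter to check for denials.\n'
    read dummy
    n=$(ausearch -m AVC -ts recent | count_avcs_for_type httpd_git_script_t)
    if [ "$n" -gt 0 ]; then
        printf '%s AVC denial(s) for httpd_git_script_t; appending rules to git.te\n' "$n"
        refine_once
    else
        printf 'No AVC denials for httpd_git_script_t; policy is ready to send upstream.\n'
    fi
fi
```

Run it as `sh git-policy-loop.sh run` with the unpacked git.tgz contents in the current directory; repeat until the final pass reports no denials, then send git.te and the audit.log as the post asks. The httpd_git_script_t domain is permissive in the 3.6.5-2 policy mentioned above, so denials are logged but not enforced while you iterate.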
-------------- next part --------------
A non-text attachment was scrubbed...
Name: git.tgz
Type: application/x-compressed-tar
Size: 394 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090210/65faa365/attachment.bin>