New fedora cgit packages could use some policy updates

Todd Zullinger tmz at pobox.com
Tue Feb 17 17:33:10 UTC 2009


Daniel J Walsh wrote:
> Sorry about this, I seem to have lost this email.

No worries. :)

> The following might help you with writing policy.
>
> http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

Indeed it will.  Thank you.

> I would combine gitweb and cgit into the same policy since there is
> really very little different between the two, it really does not matter
> what you call them, unless one is readonly?

Well, only cgit needs write access to /var/cache/cgit.  I don't know
where, or if, gitweb writes any temp files.  If it does, I don't see
the policy you attached denying them.

> I have added git policy to the base package for rawhide.
>
> selinux-policy-3.6.5-2.fc11
>
> If you could install this policy out with gitweb and cgit, that would be
> helpful.
>
> I made the httpd_git_script_t permissive and have added file context for
> gitweb as well as cgit.

Is there a corresponding strict mode?  For this:

permissive httpd_git_script_t;

If so, I could test it that way and maybe tighten up the policy
further.

> Extract the tgz file.
> execute
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i git.pp
> restorecon -R -v /var/cache/cgit /var/www/cgi-bin/cgit
> /var/www/git/gitweb.cgi  /var/lib/git
>
> Run git and cgit.
>
> Use
>
> audit2allow -R>> git.te
>
> to add new rules
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i git.pp
>
> Test again, to make sure there are no avc's.
>
> Then if you send me the new policy and the audit.log, I can update
> fedora policy.

Done.  There weren't many additional AVCs in my testing (which I'm
sure could miss some odd use case that someone else will find).
Attached is an updated git.te and the raw audit messages (broken down
by which tool caused the AVC).

Is the search on var_lib_t something that we would want to limit?  I
don't think cgit, git-daemon, or gitweb should need more than
/var/lib/git (and /var/cache/cgit in cgit's case).  It _seemed_ that
they ran fine even when this was denied, but perhaps I just didn't
notice some subtle breakage.

Thanks for all the help.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
He may look like an idiot and talk like an idiot but don't let that
fool you. He really is an idiot.
    -- Groucho Marx

-------------- next part --------------
policy_module(git, 1.0)

# apache_content_template(git) declares httpd_git_script_t and the related
# httpd_git_* content types and wires them into the apache policy.
apache_content_template(git)
# Domain stays permissive while the policy is being developed: denials are
# logged as AVCs but not enforced.
permissive httpd_git_script_t;

require {
	type httpd_git_script_t;
	type var_lib_t;
	class dir search;
}

#============= httpd_git_script_t ==============
# Rules derived from the attached AVC messages with audit2allow -R.
allow httpd_git_script_t var_lib_t:dir search;
apache_search_sys_content(httpd_git_script_t)
files_getattr_tmp_dirs(httpd_git_script_t)
-------------- next part --------------
# git-daemon
# ==========

# cgit
# ====

type=AVC msg=audit(1234854556.271:77): avc:  denied  { search } for  pid=3810 comm="cgit" name="lib" dev=dm-0 ino=8197 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1234854556.271:77): arch=40000003 syscall=195 success=no exit=-2 a0=80c2e40 a1=bfb60bcc a2=3a5ff4 a3=bfb60bcc items=0 ppid=2684 pid=3810 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cgit" exe="/var/www/cgi-bin/cgit" subj=system_u:system_r:httpd_git_script_t:s0 key=(null)

# gitweb
# ======

type=AVC msg=audit(1234854963.599:82): avc:  denied  { search } for  pid=3908 comm="gitweb.cgi" name="www" dev=dm-0 ino=8372 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1234854963.599:82): arch=40000003 syscall=5 success=yes exit=3 a0=83b6e24 a1=8000 a2=0 a3=8000 items=0 ppid=2680 pid=3908 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="gitweb.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_git_script_t:s0 key=(null)
type=AVC msg=audit(1234854963.763:83): avc:  denied  { getattr } for  pid=3908 comm="gitweb.cgi" path="/var/tmp" dev=tmpfs ino=9223 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1234854963.763:83): arch=40000003 syscall=195 success=yes exit=0 a0=84a2914 a1=839f0c0 a2=6ebff4 a3=84a2914 items=0 ppid=2680 pid=3908 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="gitweb.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_git_script_t:s0 key=(null)
type=AVC msg=audit(1234854964.229:84): avc:  denied  { getattr } for  pid=3909 comm="sh" path="/var/www/git" dev=dm-0 ino=82509 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1234854964.229:84): arch=40000003 syscall=195 success=yes exit=0 a0=80e65ab a1=bfc70448 a2=fd9ff4 a3=0 items=0 ppid=3908 pid=3909 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_git_script_t:s0 key=(null)
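The audit2allow step in the thread groups AVC denials by source type, target type and object class and unions the permissions into allow rules. The script below is an added example, not part of the mailing-list thread or of audit2allow itself; it reimplements that grouping in a minimal form so the attached denials can be reviewed by hand before any rule is accepted, and it flags rules whose target is a broad type such as var_lib_t (the case Todd asks about), where a narrower label or an interface macro is usually preferable. The sample lines are constructed from the AVC records attached to the mail; the function and constant names are this example's own.

```python
"""Summarise SELinux AVC denial records as candidate allow rules for review."""
import re
from collections import defaultdict

# Constructed sample: the AVC records attached to the mail (SYSCALL records
# carry no "avc:" field and are skipped by the parser).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1234854556.271:77): avc:  denied  { search } for  pid=3810 comm="cgit" name="lib" dev=dm-0 ino=8197 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1234854556.271:77): arch=40000003 syscall=195 success=no exit=-2 comm="cgit"',
    'type=AVC msg=audit(1234854963.599:82): avc:  denied  { search } for  pid=3908 comm="gitweb.cgi" name="www" dev=dm-0 ino=8372 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1234854963.763:83): avc:  denied  { getattr } for  pid=3908 comm="gitweb.cgi" path="/var/tmp" dev=tmpfs ino=9223 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1234854964.229:84): avc:  denied  { getattr } for  pid=3909 comm="sh" path="/var/www/git" dev=dm-0 ino=82509 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]

# Generic target types that a per-application domain should rarely be granted
# access to wholesale (assumed list for this example).
BROAD_TARGET_TYPES = {'var_lib_t', 'var_t', 'tmp_t', 'file_t', 'unlabeled_t'}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    # A security context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarise(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(rules)


def to_allow_rules(rules):
    """Render the grouped denials in allow-rule syntax, one rule per key."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {perm_text};')
    return out


def broad_rules(rules):
    """Return the keys whose target type is generic and deserves a closer look."""
    return sorted(key for key in rules if key[1] in BROAD_TARGET_TYPES)


if __name__ == '__main__':
    grouped = summarise(SAMPLE_AVC_LINES)
    for rule in to_allow_rules(grouped):
        print(rule)
    for stype, ttype, tclass in broad_rules(grouped):
        print(f'# review: {stype} -> {ttype}:{tclass} targets a generic type')
```

Run against a real audit.log, the flagged entries are the ones to resolve by relabeling the directory actually needed (here /var/lib/git) rather than by allowing search over everything labelled var_lib_t; the unflagged entries map naturally onto the interface macros audit2allow -R suggests, such as apache_search_sys_content and files_getattr_tmp_dirs in the attached git.te.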