On Wed, 2015-09-30 at 10:34 +0200, Miroslav Grepl wrote:
On 09/28/2015 05:48 PM, Matthew Saltzman wrote:
On Wed, 2015-09-23 at 09:13 +0200, Miroslav Grepl wrote:
On 09/22/2015 08:37 PM, Matthew Saltzman wrote:
On Tue, 2015-09-22 at 19:21 +0100, Trevor Hemsley wrote:
On 22/09/15 18:50, Matthew Saltzman wrote:
for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
Probably not the best location for a pid file. I'd suspect that write access to anything under /var/www is disallowed. Can you not move it to /var/run?
*I* can't. It's hard-coded in a compiled executable. I could make that recommendation to the Subgit folks. I suspect they may do that because they know for sure where the directory they are executing from is, but they may not feel they have a guarantee that /var/run is available in every *nix distribution.
We can label /var/www/svn/FlopC++/subgit for example if it is owned by a package.
The main goal is we need to get AVCs. Try to re-test it and run
# ausearch -m avc,user_avc -ts recent
On the other hand, the Subversion repositories themselves are in /var/www/svn and interacting with them works fine (including writes), modulo this issue.
Trevor
OK, here's a list of AVCs. I tried to cull the ones that seemed obviously not related (because they referred to an unrelated file or command) but there may be some extraneous ones left. These are from two commits. Interestingly, even though SELinux is in permissive mode, the commits failed with the same timeout message.
[AVCs deleted]
OK, some of these AVCs can be allowed by booleans: httpd_use_execmem and httpd_can_network_connect.
You can check it using audit2allow on these AVCs.
For
[more AVCs deleted]
I would open a new bug against the selinux-policy component. It looks like something that we could allow by a boolean.
I think I got it working with
module subgit-policy 1.0;

require {
    type httpd_sys_script_t;
    type httpd_sys_rw_content_t;
    type proc_net_t;
    class process execmem;
    class tcp_socket { accept listen };
    class file { read execute open getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
allow httpd_sys_script_t proc_net_t:file { read getattr open };

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_sys_script_t self:process execmem;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_sys_script_t self:tcp_socket { accept listen };
and
module pre-commit-policy 1.0;

require {
    type ephemeral_port_t;
    type httpd_t;
    type httpd_sys_script_t;
    class process { siginh noatsecure rlimitinh };
    class tcp_socket name_connect;
}

#============= httpd_sys_script_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_sys_script_t ephemeral_port_t:tcp_socket name_connect;

#============= httpd_t ==============
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };
This is a CentOS system. Where is the best place to file the bug?
Thanks.
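As an added example (not code from the thread or from SubGit), the steps the discussion converges on: turn on the two booleans audit2allow named instead of hard-coding execmem and network rules, and build only the remaining allow rules into a custom module. It assumes a CentOS 7 host with checkmodule, semodule_package and semodule installed, root privileges when run with --apply, and the module name subgit-local, which is my choice.

```shell
#!/bin/sh
# Apply the thread's SELinux fix: booleans for what booleans cover, a
# minimal custom module for the rest. Run with --apply as root to install;
# without it the script only prints the module source.
set -eu

# Rules audit2allow flagged as covered by a boolean are left out here.
minimal_te() {
    cat <<'EOF'
module subgit-local 1.0;

require {
    type httpd_t;
    type httpd_sys_script_t;
    type httpd_sys_rw_content_t;
    type proc_net_t;
    class process { siginh noatsecure rlimitinh };
    class file { read execute open getattr };
}

# hook scripts under the repository tree carry httpd_sys_rw_content_t
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
allow httpd_sys_script_t proc_net_t:file { read getattr open };
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };
EOF
}

# Booleans named by audit2allow in the thread; -P makes them persistent.
booleans="httpd_execmem httpd_can_network_connect"

apply_policy() {
    for b in $booleans; do
        setsebool -P "$b" on
    done
    tmp=$(mktemp -d)
    minimal_te > "$tmp/subgit-local.te"
    checkmodule -M -m -o "$tmp/subgit-local.mod" "$tmp/subgit-local.te"
    semodule_package -o "$tmp/subgit-local.pp" -m "$tmp/subgit-local.mod"
    semodule -i "$tmp/subgit-local.pp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    apply_policy
else
    minimal_te
fi
```

After installing, re-run the commit and `ausearch -m avc,user_avc -ts recent` again; anything still denied is a candidate for the selinux-policy bug rather than for more local rules.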