
fc files

(Anonymous)
I've been working on getting Subversion to work using Apache with SELinux (targeted) enforcing on fc6. The basic function of svn is there out of the box, i.e. version control works with no change; however, the fun started when I tried to get a post-commit script that dumps the repository after each commit working. I first tried the audit2allow -M route, but it seemed to me I ended up granting overly broad powers to httpd, so I tried the policygentool route. Now it works, but I still have some questions.

You mentioned that the first field in the .fc file is a regular expression. One of the issues for the svn hooks is that the path is different for every repository, which the regex could conveniently solve, at least for the obvious case. Would this work, i.e. does the syntax support the regex shown?

/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)

Below is what I ended up with; I'd appreciate your comments. The goal was to permit the post-commit hook to dump the repository and copy the dump onto two different disks, hence the usr_t and default_t entries. I apologize for the long post, but I didn't want to oversimplify the problem or edit something out that is important, so I left it all.

Eventually I'd like to post something to the svn mailing list, but not without a blessing from someone who actually knows what they are doing ;-).

thx
dxc

---------- svnpostcommit.fc ----------

# svnpostcommit executable will have:
# label: system_u:object_r:svnpostcommit_exec_t
# MLS sensitivity: s0
# MCS categories:

/usr/local/svn/dxc/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)

---------- svnpostcommit.if ----------

## policy for svnpostcommit

########################################
## <summary>
##	Execute a domain transition to run svnpostcommit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`svnpostcommit_domtrans',`
gen_require(`
type svnpostcommit_t, svnpostcommit_exec_t;
')

domain_auto_trans($1,svnpostcommit_exec_t,svnpostcommit_t)
')

---------- svnpostcommit.te ----------

policy_module(svnpostcommit,1.0.0)

# this policy works for a post-commit script that writes files into
# /data1/svn-bkup and /opt/data/svn-bkup. the security contexts are
# different, which is why both usr_t and default_t are required.

# ls -Zd /data1
# drwxrwxr-x root apache system_u:object_r:default_t /data1
# ls -Zd /opt/data
# drwxrwxr-x root apache system_u:object_r:usr_t /opt/data

require {
	type httpd_t;
	type usr_t;
	type default_t;
	type restorecon_t;
	# unconfined_t is used in the last allow rule of this file, so it
	# must be declared here or the module will not build.
	type unconfined_t;
}

# declarations

type svnpostcommit_t;
type svnpostcommit_exec_t;
domain_type(svnpostcommit_t)

# svnpostcommit local policy

# httpd_t runs the hook with execute_no_trans, i.e. without a domain
# transition, so the hook keeps running as httpd_t and every rule below
# is granted to httpd_t. svnpostcommit_t is declared but never entered.
allow httpd_t svnpostcommit_exec_t:file {
	execute execute_no_trans getattr ioctl read
};

# /data1 is labelled default_t: create the dump file there
allow httpd_t default_t:dir { add_name getattr search write };
allow httpd_t default_t:file { create getattr write };

# /opt/data is labelled usr_t: create the copy of the dump there
allow httpd_t usr_t:dir { add_name create write };
allow httpd_t usr_t:file { create write };

# allow restorecon to change the script context
allow restorecon_t svnpostcommit_exec_t:file getattr;
# allow root to ls and edit the script
allow unconfined_t svnpostcommit_exec_t:file { getattr read write };
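On the regex question above: file_contexts entries are regular expressions that the labelling code anchors at both ends, so `[^/]+` matches exactly one path component. The following Python, added here as an illustration and not part of the post or of libselinux, emulates that lookup over a constructed .fc snippet containing the per-repository pattern and the literal path from the post; the "last matching entry wins" rule and the `--`/`-d` type flags are the documented file_contexts semantics, while MCS category arguments to gen_context() are not handled.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample .fc content (not a real file on the system).
SAMPLE_FC = """
# svnpostcommit executable will have label svnpostcommit_exec_t
/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)
/usr/local/svn/dxc/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)
"""

# gen_context(CONTEXT,MLS) -> CONTEXT:MLS (two-argument form only)
GEN_CONTEXT = re.compile(r"gen_context\(([^,)]+),([^,)]+)\)")


def parse_fc(text: str) -> List[Tuple[str, str, str]]:
    """Parse .fc lines into (regex, type flag, context) tuples.
    Blank lines and comments are skipped; the type flag is optional."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, ctx = fields
        elif len(fields) == 2:
            (pattern, ctx), ftype = fields, ""
        else:
            raise ValueError(f"unparseable fc line: {line!r}")
        m = GEN_CONTEXT.fullmatch(ctx)
        if not m:
            raise ValueError(f"expected gen_context(...) in: {line!r}")
        entries.append((pattern, ftype, f"{m.group(1)}:{m.group(2)}"))
    return entries


def lookup_context(entries, path: str, is_dir: bool = False) -> Optional[str]:
    """Emulated file_contexts lookup: the pattern is anchored at both
    ends (fullmatch), '--' restricts to regular files and '-d' to
    directories, and the last matching entry wins."""
    result = None
    for pattern, ftype, ctx in entries:
        if (ftype == "--" and is_dir) or (ftype == "-d" and not is_dir):
            continue
        if re.fullmatch(pattern, path):
            result = ctx
    return result


if __name__ == "__main__":
    table = parse_fc(SAMPLE_FC)
    for p in ["/usr/local/svn/dxc/hooks/post-commit",
              "/usr/local/svn/other/hooks/post-commit",
              "/usr/local/svn/a/b/hooks/post-commit",
              "/usr/local/svn/dxc/hooks/post-commit.tmpl"]:
        print(p, "->", lookup_context(table, p))
```

Because of the anchoring, a nested path such as /usr/local/svn/a/b/hooks/post-commit or a sibling file like post-commit.tmpl gets no label from either entry, which is what you want before offering the pattern as a general rule.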

