/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)

This is fine.

As far as the policy...

Any time you need a domain to be able to write to a file or directory that it currently cannot access, it is better to create a new type than to grant access to the existing one. So I would have created the type svnpostcommit_rw_t and set up a file context for
/data1/svn-bkup and /opt/data/svn-bkup

Finally, since this is an executable that is started by Apache, I would build the app as a CGI using apache_content_template.


My te file looks like this.

cat svnpostcommit.te
policy_module(svnpostcommit,1.0.0)

########################################
#
# Declarations
#
require {
type httpd_t;
}

apache_content_template(svnpostcommit)

# tmp files
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
files_pid_filetrans(httpd_svnpostcommit_script_t,httpd_svnpostcommit_script_rw_t, { file dir })

allow httpd_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
allow httpd_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;

My fc file looks like:

cat svnpostcommit.fc

/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:httpd_svnpostcommit_script_exec_t,s0)

/opt/data1/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)

/data1/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)

My interface file looks like:

cat svnpostcommit.if

## <summary>policy for httpd_svnpostcommit_script</summary>

########################################
## <summary>
##	Execute a domain transition to run httpd_svnpostcommit_script.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`httpd_svnpostcommit_script_domtrans',`
	gen_require(`
		type httpd_svnpostcommit_script_t, httpd_svnpostcommit_script_exec_t;
	')

	domain_auto_trans($1,httpd_svnpostcommit_script_exec_t,httpd_svnpostcommit_script_t)

	allow httpd_svnpostcommit_script_t $1:fd use;
	allow httpd_svnpostcommit_script_t $1:fifo_file rw_file_perms;
	allow httpd_svnpostcommit_script_t $1:process sigchld;
')

########################################
## <summary>
##	Search httpd_svnpostcommit_script rw directories.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`httpd_svnpostcommit_script_search_rw_dir',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:dir search_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Read httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`httpd_svnpostcommit_script_read_rw_files',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:file r_file_perms;
	allow $1 httpd_svnpostcommit_script_rw_t:dir list_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`httpd_svnpostcommit_script_manage_rw_files',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:file manage_file_perms;
	allow $1 httpd_svnpostcommit_script_rw_t:dir rw_dir_perms;
')


BTW, most of this was autogenerated by a new tool I am about to release, which is the next version of policygentool.

Re: svnpostcommit

(Anonymous)
Thank you very much for the fast response; looks as if I was correct to ask the expert ;-). I'll copy that here and try it out a little later, maybe tomorrow. For my future reference, where do I look to find out about things like apache_content_template? (BTW, I *do* have "SELinux by Example", but it seems a lot of things have evolved.)

Meanwhile, did you consider posting something to the svn mailing list? I can tell from searching it that people are clueless, but the hook scripts are generally useful, not just for a dump as I did. The typical response when faced with an SELinux issue is to just turn it off, but I don't think that's the right approach, especially with servers like httpd that face the web.

Re: svnpostcommit

(Anonymous)
OK, I cut and pasted sections from your post into the appropriate files, compiled and installed the .pp, and ran restorecon -v -R on the directories. I had to add a few things (from the usual test, audit2allow, compile, retest cycle), shown below, but now it works, and I didn't have to do anything fancy to allow root to edit the script or restorecon to work.

thanks!

any further comments?

---------- svnpostcommit.te ----------
require {
type httpd_t;
# dxc additions
type httpd_tmp_t;
type default_t;
}

...

# dxc additions
allow httpd_svnpostcommit_script_t default_t:dir { search };
allow httpd_svnpostcommit_script_t httpd_tmp_t:dir {
add_name getattr search write
};
allow httpd_svnpostcommit_script_t httpd_tmp_t:file {
create getattr read write
};
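The "test, audit2allow, compile, retest" cycle mentioned above, reduced to its core: this added example (not code from the thread or from policygentool) parses a few constructed AVC denial lines of the shape that cycle would have produced for httpd_svnpostcommit_script_t, groups the denied permissions by source type, target type and class, and renders allow rules the way audit2allow does. It also flags a target type like default_t, following the advice earlier in the post that a domain needing access to new files should get its own type and a file context rather than a blanket allow on a generic type. The log lines and the MISLABELLED_TARGETS set are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not real log data), shaped like what the
# post-commit hook would trigger while running as httpd_svnpostcommit_script_t.
SAMPLE_AVC = """\
type=AVC msg=audit(1234567890.123:101): avc:  denied  { search } for  pid=2001 comm="post-commit" name="data" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_svnpostcommit_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1234567890.456:102): avc:  denied  { write add_name } for  pid=2001 comm="post-commit" name="tmp" dev=sda1 ino=2345 scontext=system_u:system_r:httpd_svnpostcommit_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir
type=AVC msg=audit(1234567890.789:103): avc:  denied  { create } for  pid=2001 comm="post-commit" name="svn.dump" dev=sda1 ino=3456 scontext=system_u:system_r:httpd_svnpostcommit_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1234567890.790:104): avc:  denied  { read write getattr } for  pid=2001 comm="post-commit" path="/tmp/svn.dump" dev=sda1 ino=3456 scontext=system_u:system_r:httpd_svnpostcommit_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
"""

# Pull the denied permission set, the source and target *types* (third field of
# each context) and the object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)

# Assumed list of target types that indicate a labelling problem rather than a
# missing rule: the fix is a proper type plus a file context (as with
# httpd_svnpostcommit_script_rw_t above), then restorecon, not an allow rule.
MISLABELLED_TARGETS = {"default_t", "unlabeled_t", "file_t"}

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def emit_allow_rules(rules):
    """Render allow rules audit2allow-style, warning on suspect target types."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype in MISLABELLED_TARGETS:
            out.append(f"# WARNING: {ttype} target: relabel or add a file context "
                       f"for this path instead of allowing it")
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(emit_allow_rules(parse_denials(SAMPLE_AVC))))
```

Run against the constructed input it reproduces the three "dxc additions" above, with the default_t rule preceded by a warning.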


Re: svnpostcommit

(Anonymous)
Could you post the policy to upstream at

selinux@tycho.nsa.gov

Thanks.

Dan
