fc files

(Anonymous)
I've been working on getting subversion to work using apache with selinux (targeted) enforcing on fc6. The basic function of svn is there out of the box, i.e. version control works with no change; however, the fun started when I tried to get a post-commit script that dumps the repository after each commit working. I first tried the audit2allow -M route, but it seemed to me I ended up granting overly broad powers to httpd, so I tried the policygentool route. Now it works, but I still have some questions.

You mentioned that the first field in the fc file is a regular expression. One of the issues for the svn hooks is that the path is different for every repository, which the regex could conveniently solve, at least for the obvious case. Would this work, i.e. does the syntax support the regex shown?

/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)

Below is what I ended up with; I'd appreciate your comments. The goal was to permit the post-commit hook to dump the repository and copy the dump onto two different disks, hence the usr_t and default_t entries. I apologize for the long post, but I didn't want to oversimplify the problem or edit something out that is important, so I left it all.

Eventually I'd like to post something to the svn mailing list, but not without a blessing from someone who actually knows what they are doing ;-).

thx
dxc

---------- svnpostcommit.fc ----------

# svnpostcommit executable will have:
# label: system_u:object_r:svnpostcommit_exec_t
# MLS sensitivity: s0
# MCS categories:

/usr/local/svn/dxc/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)

---------- svnpostcommit.if ----------

## <summary>policy for svnpostcommit</summary>

########################################
## <summary>
##	Execute a domain transition to run svnpostcommit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`svnpostcommit_domtrans',`
gen_require(`
type svnpostcommit_t, svnpostcommit_exec_t;
')

domain_auto_trans($1,svnpostcommit_exec_t,svnpostcommit_t)
')

---------- svnpostcommit.te ----------

policy_module(svnpostcommit,1.0.0)

# this policy works for a post-commit script that writes files into
# /data1/svn-bkup and /opt/data/svn-bkup. the security contexts are
# different, which is why both usr_t and default_t are required.

# ls -Zd /data1
# drwxrwxr-x root apache system_u:object_r:default_t /data1
# ls -Zd /opt/data
# drwxrwxr-x root apache system_u:object_r:usr_t /opt/data

require {
type httpd_t;
type usr_t;
type default_t;
type restorecon_t;
# needed by the "allow root to ls and edit the script" rule below
type unconfined_t;
}

# declarations

type svnpostcommit_t;
type svnpostcommit_exec_t;
domain_type(svnpostcommit_t)

# svnpostcommit local policy

allow httpd_t svnpostcommit_exec_t:file {
execute execute_no_trans getattr ioctl read
};

allow httpd_t default_t:dir { add_name getattr search write };
allow httpd_t default_t:file { create getattr write };

allow httpd_t usr_t:dir { add_name create write };
allow httpd_t usr_t:file { create write };

# allow restorecon to change the script context
allow restorecon_t svnpostcommit_exec_t:file getattr;
# allow root to ls and edit the script
allow unconfined_t svnpostcommit_exec_t:file { getattr read write };


/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:svnpostcommit_exec_t,s0)

This is fine.

As far as the policy...

Any time you need a domain to be able to write to a file/directory and it currently does not have access, it is better to create a new type. So I would have created type svnpostcommit_rw_t; and set up file context for
/data1/svn-bkup and /opt/data/svn-bkup

Finally since this is an executable that is started by apache, I would build the app as a cgi using apache_content_template.


My te file looks like this.

cat svnpostcommit.te
policy_module(svnpostcommit,1.0.0)

########################################
#
# Declarations
#
require {
type httpd_t;
}

apache_content_template(svnpostcommit)

# tmp files
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
files_pid_filetrans(httpd_svnpostcommit_script_t,httpd_svnpostcommit_script_rw_t, { file dir })

allow httpd_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
allow httpd_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;

My fc file looks like:

cat svnpostcommit.fc

/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:httpd_svnpostcommit_script_exec_t,s0)

/opt/data1/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)

/data1/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)

My interface files looks like

cat svnpostcommit.if

## <summary>policy for httpd_svnpostcommit_script</summary>

########################################
## <summary>
##	Execute a domain transition to run httpd_svnpostcommit_script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_domtrans',`
gen_require(`
type httpd_svnpostcommit_script_t, httpd_svnpostcommit_script_exec_t;
')

domain_auto_trans($1,httpd_svnpostcommit_script_exec_t,httpd_svnpostcommit_script_t)

allow httpd_svnpostcommit_script_t $1:fd use;
allow httpd_svnpostcommit_script_t $1:fifo_file rw_file_perms;
allow httpd_svnpostcommit_script_t $1:process sigchld;
')

########################################
## <summary>
##	Search httpd_svnpostcommit_script rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_search_rw_dir',`
gen_require(`
type httpd_svnpostcommit_script_rw_t;
')

allow $1 httpd_svnpostcommit_script_rw_t:dir search_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
##	Read httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_read_rw_files',`
gen_require(`
type httpd_svnpostcommit_script_rw_t;
')

allow $1 httpd_svnpostcommit_script_rw_t:file r_file_perms;
allow $1 httpd_svnpostcommit_script_rw_t:dir list_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_manage_rw_files',`
gen_require(`
type httpd_svnpostcommit_script_rw_t;
')

allow $1 httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow $1 httpd_svnpostcommit_script_rw_t:dir rw_dir_perms;
')


BTW, most of this was autogenerated by a new tool I am about to release, which is the next version of policygentool.
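To check the regex question above (and the `(/.*)?` entries in this reply), here is a small fc matcher, added as an example and not code from the thread or from policygentool: it parses fc lines, anchors each path regex at both ends as file_contexts does, honours the `--` file-type field, and lets later entries override earlier ones. The entries and paths are constructed from those discussed here; the /opt entry uses /opt/data/svn-bkup as the thread first describes it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed fc entries modelled on the thread's (/opt path as first described).
FC_TEXT = """\
# file contexts for the svn post-commit hook and its dump directories
/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:httpd_svnpostcommit_script_exec_t,s0)
/opt/data/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)
/data1/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)
"""

# <regex> [<type>] gen_context(<context>,<level>): <type> is "--" for regular
# files, "-d" for directories, and absent when the entry covers any file kind.
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),(\S+)\)$")


@dataclass
class FcEntry:
    regex: "re.Pattern"
    ftype: Optional[str]
    context: str


def parse_fc(text: str) -> List[FcEntry]:
    """Parse fc lines; file_contexts anchors each path regex at both ends."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError("unparseable fc line: " + line)
        path_re, ftype, ctx, level = m.groups()
        entries.append(FcEntry(re.compile("^" + path_re + "$"), ftype, ctx + ":" + level))
    return entries


def label_for(entries: List[FcEntry], path: str, is_dir: bool = False) -> Optional[str]:
    """Context assigned to path (None if nothing matches), like matchpathcon.
    Later entries override earlier ones; libselinux additionally orders entries
    by specificity before matching, which this toy skips."""
    want = "-d" if is_dir else "--"
    hit = None
    for e in entries:
        if e.ftype in (None, want) and e.regex.match(path):
            hit = e
    return hit.context if hit else None
```

Note that `/data1/svn-bkup2` gets no label because the regex is anchored, and a hook under a nested repository path such as `/usr/local/svn/a/b/hooks/post-commit` is not covered by `[^/]+`.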

Re: svnpostcommit

(Anonymous)
Thank you very much for the fast response; looks as if I was correct to ask the expert ;-). I'll copy that here and try it out a little later, maybe tomorrow. For my future reference, where do I look to find out about things like apache_content_template? (BTW, I *do* have "SELinux by Example", but it seems a lot of things have evolved.)

Meanwhile, did you consider posting something to the svn mailing list? I can tell from searching it that people are clueless, but the hook scripts are generally useful, not just for a dump as I did. The typical response when faced with an selinux issue is to just turn it off, but I don't think that's the right approach, especially with servers like httpd that face the web.

Re: svnpostcommit

(Anonymous)
OK, I cut/pasted sections from your post into the appropriate files, compiled and installed the .pp and ran restorecon -v -R on the directories. I had to add a few things (from the usual test, audit2allow, compile, retest cycle), shown below, but now it works, and I didn't have to do anything fancy to allow root to edit the script or restorecon to work.

thanks!

Any further comments?

---------- svnpostcommit.te ----------
require {
type httpd_t;
# dxc additions
type httpd_tmp_t;
type default_t;
}

...

# dxc additions
allow httpd_svnpostcommit_script_t default_t:dir { search };
allow httpd_svnpostcommit_script_t httpd_tmp_t:dir {
add_name getattr search write
};
allow httpd_svnpostcommit_script_t httpd_tmp_t:file {
create getattr read write
};


Re: svnpostcommit

(Anonymous)
Could you post the policy to upstream at

selinux@tycho.nsa.gov

Thanks.

Dan

