I've got a CentOS 6 machine that's slated to go into production
providing some web and development-repository services.

Part of the environment is gitweb, which works as expected with one
glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
owns the repositories.

The audit log entries are pretty straightforward, e.g.,

type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for
pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX
scontext=unconfined_u:system_r:httpd_git_script_t:s0
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

I'll use audit2allow to build a custom policy if need be, but what I'd
really like to hear is that there's an SELinux boolean that can be
tweaked or a file context that can be altered to make things work as
expected.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
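As an added example (not from this thread or from any of its authors), a small shell function that turns AVC denial lines like the one above into the type-enforcement allow rule audit2allow would generate, so the exact change can be reviewed before any module is built or loaded; the sample lines, pid, device and inode numbers are constructed.

```shell
#!/bin/bash
# Added example, not from the thread: turn AVC denial lines into the
# type-enforcement (TE) allow rules that audit2allow would generate, so the
# exact policy change can be reviewed before any module is built and loaded.
# Needs only a POSIX shell, awk and sort; no SELinux tools are required.

# Constructed sample input: the gitweb.cgi denial with made-up pid/dev/ino,
# plus a second constructed denial on the same type pair to show merging.
SAMPLE_AVC='type=AVC msg=audit(1312990000.123:4567): avc: denied { search } for pid=1234 comm="gitweb.cgi" name="sss" dev=dm-0 ino=123456 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312990000.124:4568): avc: denied { read } for pid=1234 comm="gitweb.cgi" name="sss" dev=dm-0 ino=123456 scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir'

# avc_to_te: read AVC lines on stdin and print one
#   allow <source type> <target type>:<class> { <perms> };
# line per (source type, target type, class), with permissions merged.
avc_to_te() {
    awk '
    /avc: +denied/ {
        # the denied permissions sit between "denied {" and "}"
        perms = $0
        sub(/.*denied [{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        if (src == "" || tgt == "" || cls == "") next
        # a context is user:role:type:level; the type is the third field
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " " t[3] ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = (rule[key] == "" ? "" : rule[key] " ") p[j]
            }
        }
    }
    END { for (k in rule) printf "allow %s { %s };\n", k, rule[k] }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
```

On the real host, feed it the output of `ausearch -m avc -c gitweb.cgi` and check the resulting rule against `getsebool -a | grep httpd` and the httpd_git_* file contexts before building a module with `audit2allow -M`.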
I can't think of any booleans off-hand, but you might try moving the
location of the gitweb.cgi to a folder where SELinux expects cgi
executables to be, such as /var/www. Then if you relabel, it might put it
in the correct security context to fix the error. This is how I solve
about 90% of my SELinux problems... just moving the files to the right
location.

____________________________________________
Adam Wead
Systems and Digital Collections Librarian
Rock and Roll Hall of Fame and Museum
216.515.1960 (t)
215.515.1964 (f)

On Wed, Aug 10, 2011 at 12:32 PM, Paul Heinlein <heinlein at madboa.com> wrote:

> I've got a CentOS 6 machine that's slated to go into production
> providing some web and development-repository services.
>
> Part of the environment is gitweb, which works as expected with one
> glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
> owns the repositories.
>
> The audit log entries are pretty straightforward, e.g.,
>
> type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for
> pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX
> scontext=unconfined_u:system_r:httpd_git_script_t:s0
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
>
> I'll use audit2allow to build a custom policy if need be, but what I'd
> really like to hear is that there's an SELinux boolean that can be
> tweaked or a file context that can be altered to make things work as
> expected.
>
> --
> Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
At 09:32 AM 8/10/2011, you wrote:

> I've got a CentOS 6 machine that's slated to go into production
> providing some web and development-repository services.
>
> Part of the environment is gitweb, which works as expected with one
> glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
> owns the repositories.
>
> The audit log entries are pretty straightforward, e.g.,
>
> type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for
> pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX
> scontext=unconfined_u:system_r:httpd_git_script_t:s0
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
>
> I'll use audit2allow to build a custom policy if need be, but what I'd
> really like to hear is that there's an SELinux boolean that can be
> tweaked or a file context that can be altered to make things work as
> expected.
>
> --
> Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/

Paul,

I've just spent three days trying to figure out why SSH worked sometimes,
sometimes not. Just minutes before your note arrived, I figured I had to
disable SELINUX, and now it works just fine. Your note confirmed that
there's a link there.

David Kurn
On Wed, 10 Aug 2011, Adam Wead wrote:

> I can't think of any booleans off-hand, but you might try moving the
> location of the gitweb.cgi to a folder where SELinux expects cgi
> executables to be, such as /var/www. Then if you relabel, it might
> put it in the correct security context to fix the error. This is
> how I solve about 90% of my SELinux problems... just moving the
> files to the right location.

There's a whole httpd_git_* slew of labels in CentOS 6 -- and I'm using
the stock gitweb RPM -- so I'd rather fix it as-is so package updates
have fewer special instructions down the road.

> Systems and Digital Collections Librarian
> Rock and Roll Hall of Fame and Museum

Hands-down, the coolest job title I've seen on the centos mailing list!

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/