
Re: policy for post-commit hook under fc6 selinux targeted

From: david x callaway <dxc_at_pobox.com>
Date: 2007-03-18 21:08:55 CET

Blair Zajac wrote:
> david x callaway wrote:
>> with the aid of dan walsh at redhat, I have a policy that will allow
>> the post-commit hook to backup the repository(s) by dumping each time
>> without turning selinux off (I'm running targeted/enforcing).
>>
>> the post would be rather long, but if anyone is interested I will be
>> happy to post it, including the policy source and a bit of howto.
>
> Yes, please do, that would be great.

see below ;-)

>
> Regards,
> Blair
>

platform: fully updated fc6, x86, subversion-1.4.2, httpd-2.2.3.

problem: allow the subversion post-commit hook to dump svn after each
commit without disabling selinux. due to a recent disk death I wanted
this to produce two dumps, one on each of two physical disks.

the dump script is simple, basically it does an svnadmin dump into a
directory under /tmp and then copies the dump elsewhere. it takes
advantage of the standard hook script arguments, the repos and the
rev, to produce a file named ${REPONAME}.dump.${REV}, where REPONAME
is the basename of the path to the repo. the copies end up under
/data/svn-bkup and /opt/data/svn-bkup.

using the audit2allow technique described below, I eventually came up
with a policy that worked, but it wasn't terrific form. to make a
long story short, dan walsh helped me out, see
http://danwalsh.livejournal.com/8707.html for more examples.

dan generated most of the policy below using an unreleased tool, and I
went through a few of the usual audit2allow/add rules cycles before
getting it to work, but thanks to dan it was pretty simple.

dxc

---------- notes ----------

disclaimer: I am *not* an selinux expert; the setup below works for
me, but what happens to you depends upon details of your installation.
the details of the way the policy below works are up to you to figure
out (I bought the book, but it's far enough behind current reality
that I don't understand part of it, e.g. the macros).

the setup described pertains to the targeted policy in enforcing mode
only, I have not tried it under the strict policy.

to allow apache to access your repo, assuming the path to the toplevel
is /usr/local/svn (change to suit):

     semanage fcontext -a -t httpd_sys_content_t "/usr/local/svn(/.*)?"
or
     chcon -R -t httpd_sys_content_t /usr/local/svn

this one change was sufficient to allow svn to run via apache with
selinux turned on, i.e. a working no-selinux apache/svn worked for me
with selinux turned on after executing the above. before doing
anything with a new policy you should turn on selinux and see if your
repository still works the way you expect (I'm assuming no hooks
initially). if it doesn't, e.g. commit stops working, see below for
how to turn the log messages into something you can read.

some of the paths below are specific to my setup, e.g. my repos are in
/usr/local/svn/* directories, but YMMV depending upon how you set
up svn and apache. obviously my backup dirs will probably not match
yours either, and their exact location has some bearing on other parts
of the policy.

your email client may provide some line breaks in the policy source
that should be removed. I left the lines long because I don't know to
what extent the policy compiler cares (mostly? not).

to compile and install the policy put the three files in a directory
and execute (as root):

     # make -f /usr/share/selinux/devel/Makefile
     # semodule -i svnpostcommit.pp

reset the file contexts:

     # restorecon -R -v /usr/local/svn/<repo>/hooks
     # restorecon -R -v /data/svn-bkup
     # restorecon -R -v /opt/data/svn-bkup

you may need to install some packages; these are what I have (some
may not be required):

     # checkpolicy-1.33.1-2.fc6
     # libselinux-devel-1.33.4-2.fc6
     # libselinux-python-1.33.4-2.fc6
     # libselinux-1.33.4-2.fc6
     # policycoreutils-1.34.1-4.fc6
     # selinux-doc-1.26-1.1
     # selinux-policy-2.4.6-41.fc6
     # selinux-policy-targeted-2.4.6-41.fc6
     # selinux-policy-devel-2.4.6-41.fc6
     # setools-3.0-2.fc6
     # setools-gui-3.0-2.fc6

chances are, if your setup is different, the hook will silently fail.
look in /var/log/messages for entries like

type=AVC msg=audit(1164222416.269:22): avc: denied { use } for
pid=1940 comm="setsebool" name="0" dev=devpts ino=2
scontext=system_u:system_r:semanage_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fd

"avc: denied" is the main point. copy the messages with time stamps
that match your commit into a text file and run

     audit2allow < file.txt

or, just do the whole thing

     audit2allow < /var/log/messages

this will generate rules that you can add to your svnpostcommit.te
file, for example I added this:

     allow httpd_svnpostcommit_script_t default_t:dir { search };

recompile and install as above, try again.

---------- svnpostcommit.fc ----------

/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:httpd_svnpostcommit_script_exec_t,s0)

/opt/data/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)

/data/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)

---------- svnpostcommit.if ----------

## policy for httpd_svnpostcommit_script

########################################
##
## Execute a domain transition to run httpd_svnpostcommit_script.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`httpd_svnpostcommit_script_domtrans',`
gen_require(`
type httpd_svnpostcommit_script_t, httpd_svnpostcommit_script_exec_t;
')

domain_auto_trans($1,httpd_svnpostcommit_script_exec_t,httpd_svnpostcommit_script_t)

allow httpd_svnpostcommit_script_t $1:fd use;
allow httpd_svnpostcommit_script_t $1:fifo_file rw_file_perms;
allow httpd_svnpostcommit_script_t $1:process sigchld;
')

########################################
##
## Search httpd_svnpostcommit_script rw directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`httpd_svnpostcommit_script_search_rw_dir',`
gen_require(`
type httpd_svnpostcommit_script_rw_t;
')

allow $1 httpd_svnpostcommit_script_rw_t:dir search_dir_perms;
files_search_rw($1)
')

########################################
##
## Read httpd_svnpostcommit_script rw files.
##
##
##
## Domain allowed access.
##
##
#
interface(`httpd_svnpostcommit_script_read_rw_files',`
gen_require(`
type httpd_svnpostcommit_script_rw_t;
')

allow $1 httpd_svnpostcommit_script_rw_t:file r_file_perms;
allow $1 httpd_svnpostcommit_script_rw_t:dir list_dir_perms;
files_search_rw($1)
')

########################################
##
## Create, read, write, and delete
## httpd_svnpostcommit_script rw files.
##
##
##
## Domain allowed access.
##
##
#
interface(`httpd_svnpostcommit_script_manage_rw_files',`
gen_require(`
type httpd_svnpostcommit_script_rw_t;
')

allow $1 httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow $1 httpd_svnpostcommit_script_rw_t:dir rw_dir_perms;
')

---------- svnpostcommit.te ----------

policy_module(svnpostcommit,1.0.0)

########################################
#
# Declarations
#
require {
type httpd_t;
# dxc adds
type httpd_tmp_t;
type default_t;
}

apache_content_template(svnpostcommit)

# tmp files
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
files_pid_filetrans(httpd_svnpostcommit_script_t,httpd_svnpostcommit_script_rw_t, { file dir })

allow httpd_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
allow httpd_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;

# dxc adds
allow httpd_svnpostcommit_script_t default_t:dir { search };
allow httpd_svnpostcommit_script_t httpd_tmp_t:dir {
      add_name getattr search write
};
allow httpd_svnpostcommit_script_t httpd_tmp_t:file {
      create getattr read write
};

Received on Sun Mar 18 21:09:23 2007

This is an archived mail posted to the Subversion Users mailing list.
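
An added illustration of the audit2allow cycle described in the message (not code from the original post and not a replacement for audit2allow): a small Python parser that turns "avc: denied" entries into allow rules for one source domain only, so that feeding it a whole log does not produce rules for unrelated domains. The sample entries are constructed, except the semanage_t entry, which is the one quoted in the message joined onto one line.

```python
import re
from collections import defaultdict

# Fields audit2allow works from; any syslog or audit prefix before "avc:" is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)
HOOK_DOMAIN = "httpd_svnpostcommit_script_t"  # domain created by the policy in the message

def _sample(perm, tgt, tclass):
    """Build one constructed denial for the hook domain (pid and timestamp invented)."""
    return (f'type=AVC msg=audit(1174248535.101:41): avc: denied {{ {perm} }} for pid=2301 '
            f'comm="post-commit" scontext=system_u:system_r:{HOOK_DOMAIN}:s0 '
            f'tcontext=system_u:object_r:{tgt}:s0 tclass={tclass}')

SAMPLE_LOG = "\n".join([
    _sample("search", "default_t", "dir"),
    _sample("write", "httpd_tmp_t", "dir"),
    _sample("add_name", "httpd_tmp_t", "dir"),
    _sample("create", "httpd_tmp_t", "file"),
    "Mar 18 21:08:55 host httpd: constructed non-AVC line",
    'type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 '
    'comm="setsebool" name="0" dev=devpts ino=2 scontext=system_u:system_r:semanage_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fd',
])

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    src, tgt = m["scon"].split(":")[2], m["tcon"].split(":")[2]
    return src, tgt, m["tclass"], set(m["perms"].split())

def rules_for_domain(log_text, domain):
    """Merge denials whose source type is `domain` into sorted allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[0] == domain:
            merged[(parsed[1], parsed[2])] |= parsed[3]
    return [f"allow {domain} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (tgt, tclass), perms in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(rules_for_domain(SAMPLE_LOG, HOOK_DOMAIN)))
```

Each generated rule still needs to be read before it goes into svnpostcommit.te; the script only narrows the input to the hook's domain.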
