Comments on bits and pieces: cgit under Fedora

Dominick "domg472" Grift, 2010-06-21T09:52:39.332+01:00

There is a small error in my previous reply:

httpd_git_script_t domain has read access to "all" repositories, so not just shared repositories but also personal repositories in the user home (public_git by default).

So instead of labelling /path/to/repository type httpd_sys_content_t, one should use type git_system_content_t or git_session_content_t depending on the nature of the repository.

If you use any other type like httpd_sys_content_t, then the git_daemon can no longer read it, and git_shell (git_shell_u) users can no longer manage git system content.

Dominick "domg472" Grift, 2010-06-20T16:51:04.897+01:00

With regard to cgit and SELinux in Fedora (13)

There should be no need to do anything:

1. By default "/var/www/cgi-bin/cgit" is labelled type "httpd_git_script_exec_t"

2. By default "/var/cache/cgit" is labelled type "httpd_git_rw_content_t"

3. By default "/etc/cgitrc" is labelled type "etc_t"

When booleans:

httpd_enable_cgi -> on  Allow httpd cgi support
httpd_builtin_scripting -> on  Allow httpd to use built in scripting (usually php)

are toggled to on (should be on by default, I believe), then the "httpd_t" domain (apache) will domain transition to the "httpd_git_script_t" domain when it runs "/var/www/cgi-bin/cgit".

The "httpd_git_script_t" domain has permission to read "all" Git system content (shared repositories in "/var/lib/git").

So in theory, things should just work. Please test this and provide feedback so that, if it does not work, we can fix it.

Side note: The git-daemon is now also confined by SELinux in Fedora. This policy allows, amongst other things, that you can separate various git-shell SELinux users.

That means you can use SELinux to govern what user (groups) can access the different shared repositories.

This is, in my view, a nice feature for mass hosters of git repositories, because it does not rely on DAC for access to the various content.

Feedback with regard to git-daemon is also very much appreciated.