
I'm trying to install gitolite3 on CentOS 6.4. It works: I can ssh, and after some trouble I can also read (e.g. clone) through http and httpd. I am re-enabling SELinux in permissive mode, which I disabled earlier for better testing, and the following errors appear in /etc/log/audit/audit.log.

I admit I am a novice with SELinux, and although I am very keen and have started to seriously learn how SELinux works, this is too much for me to interpret. Is there someone who can deduce from these messages which commands I have to run and which permissions I have to allow, with best practice for online security in mind?

I will also mark answers as useful if you know of and post some amazing online SELinux guides with security diagrams of how SELinux ticks.

type=AVC msg=audit(1375647504.484:680): avc:  denied  { search } for  pid=12882 comm="gitolite-shell" name="gitolite3" dev=sdb2 ino=264170 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375647504.484:680): avc:  denied  { getattr } for  pid=12882 comm="gitolite-shell" path="/var/lib/gitolite3/.gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1375647504.484:680): arch=c000003e syscall=4 success=yes exit=0 a0=6d4d70 a1=6ab130 a2=6ab130 a3=18 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.484:681): avc:  denied  { read } for  pid=12882 comm="gitolite-shell" name=".gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=AVC msg=audit(1375647504.484:681): avc:  denied  { open } for  pid=12882 comm="gitolite-shell" name=".gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1375647504.484:681): arch=c000003e syscall=2 success=yes exit=5 a0=a365f0 a1=0 a2=1b6 a3=30ce11dd40 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.484:682): avc:  denied  { ioctl } for  pid=12882 comm="gitolite-shell" path="/var/lib/gitolite3/.gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1375647504.484:682): arch=c000003e syscall=16 success=no exit=-25 a0=5 a1=5401 a2=7fff4ea63d90 a3=48 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.498:683): avc:  denied  { search } for  pid=12882 comm="gitolite-shell" name=".gitolite" dev=sdb2 ino=264248 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375647504.498:683): arch=c000003e syscall=4 success=yes exit=0 a0=6d4d70 a1=6ab130 a2=6ab130 a3=706d6f63 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.498:684): avc:  denied  { getattr } for  pid=12882 comm="gitolite-shell" path="/var/lib/gitolite3/repositories/testing.git" dev=sdb2 ino=264285 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375647504.498:684): arch=c000003e syscall=4 success=yes exit=0 a0=6d4d70 a1=6ab130 a2=6ab130 a3=31 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.521:685): avc:  denied  { append } for  pid=12882 comm="gitolite-shell" name="gitolite-2013-08.log" dev=sdb2 ino=264307 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1375647504.521:685): arch=c000003e syscall=2 success=yes exit=3 a0=a3af00 a1=441 a2=1b6 a3=30ce11dd40 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.651:686): avc:  denied  { read } for  pid=12886 comm="git-upload-pack" name="refs" dev=sdb2 ino=264308 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375647504.651:686): avc:  denied  { open } for  pid=12886 comm="git-upload-pack" name="refs" dev=sdb2 ino=264308 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375647504.651:686): arch=c000003e syscall=2 success=yes exit=3 a0=675482 a1=90800 a2=675486 a3=0 items=0 ppid=12885 pid=12886 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="git-upload-pack" exe="/usr/libexec/git-core/git-upload-pack" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
Florian Mertens

1 Answer


First of all: congratulations for not disabling SELinux and trying instead to understand it and configure it properly.

Filtering the AVC denials you posted in your question makes it much clearer what the problem could be:

# cat avc_denials | audit2allow

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gitosis_var_lib_t:dir { read search open getattr };
allow httpd_sys_script_t gitosis_var_lib_t:file { read getattr open ioctl append };

The usual method to debug AVC denials, however, makes use of the ausearch(8) command:

# ausearch -m avc -ts recent | audit2allow

Check the manpage for further information on the switches you can use.

With this information, now you know what is happening: the process labeled httpd_sys_script_t, possibly the CGI code gitolite3 uses to publish its repos, is being denied access to files and directories labeled gitosis_var_lib_t (the repos) to execute different operations (read, search, open, ...).

Now you should determine whether to grant this access or not. Let's suppose you want to grant access. You would need to create a custom policy module describing the rules defining the access you want to grant. This is more or less simple depending on the complexity of the process:

# ausearch -m avc -ts 10:40:00 | audit2allow -m my_gitolite3 > my_gitolite3.te

This will produce a type enforcement description like this:

module my_gitolite3 1.0;

require {
        type httpd_sys_script_t;
        type gitosis_var_lib_t;
        class dir { read search open getattr };
        class file { read getattr open ioctl append };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gitosis_var_lib_t:dir { read search open getattr };
allow httpd_sys_script_t gitosis_var_lib_t:file { read getattr open ioctl append };

You should proceed to review the code to ensure its correctness (in this case, it's simple enough). The next step is to compile the type enforcement code into a module:

# checkmodule -M -m -o my_gitolite3.mod my_gitolite3.te

The module must be packaged into a policy package for you to be able to load it and unload it at will:

# semodule_package -o my_gitolite3.pp -m my_gitolite3.mod

Now, you can load the policy using:

# semodule -i my_gitolite3.pp

Check it is correctly loaded:

# semodule -l | grep my_gitolite3

Then, try to trigger the denials again and see if there are more (different) alerts in the audit log regarding this same process.

Further edits to the type enforcement code will need the version (1.0) to be updated, or loading the package will fail. Updating the policy package is done with:

# semodule -u my_gitolite3.pp

There is a lot to learn when starting with SELinux. Some useful references:

  • The manpages of the commands
  • Check also the output of apropos selinux; both gitosis_selinux and httpd_selinux will be of interest here

From the RHEL docs

A good introductory presentation by Dave Quigley:

dawud
  • this is a _very_ nice explanation. I don't know why you've written this out in such detail for this particular question, but I'm grateful. I hope many more people will find this answer. It has helped me a lot. Thank you. – Florian Mertens Aug 06 '13 at 14:41
  • Excellent answer, this should be the definitive response to any SELinux problem. – Joel E Salas Aug 09 '13 at 13:20
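As an added illustration of what the answer's `audit2allow` step is doing with the denials from the question (this is example code written for this page, not part of the question, the answer, or the audit2allow tool itself): the script below parses raw AVC records, merges them by (source type, target type, object class) into the shape of an `allow` rule, renders a `.te` module in the same layout as the one shown in the answer, and lists any permission that goes beyond read-only access so it can be reviewed before the module is loaded. The sample input is a subset of the audit.log lines from the question embedded inline; the read-only permission set is taken from the refpolicy `read_file_perms` and `list_dir_perms` macros, and permissions are printed sorted, which is an arbitrary choice for stable output.

```python
"""Rebuild audit2allow-style allow rules from raw AVC denial records."""
import re
from collections import OrderedDict

# Sample input: a subset of the AVC/SYSCALL records posted in the question,
# embedded so the script runs offline. The SYSCALL record is included to show
# that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1375647504.484:680): avc:  denied  { search } for  pid=12882 comm="gitolite-shell" name="gitolite3" dev=sdb2 ino=264170 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375647504.484:680): avc:  denied  { getattr } for  pid=12882 comm="gitolite-shell" path="/var/lib/gitolite3/.gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1375647504.484:680): arch=c000003e syscall=4 success=yes exit=0 a0=6d4d70 a1=6ab130 a2=6ab130 a3=18 items=0 ppid=4653 pid=12882 auid=4294967295 uid=650 gid=650 euid=650 suid=650 fsuid=650 egid=650 sgid=650 fsgid=650 tty=(none) ses=4294967295 comm="gitolite-shell" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1375647504.484:681): avc:  denied  { read } for  pid=12882 comm="gitolite-shell" name=".gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=AVC msg=audit(1375647504.484:681): avc:  denied  { open } for  pid=12882 comm="gitolite-shell" name=".gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=AVC msg=audit(1375647504.484:682): avc:  denied  { ioctl } for  pid=12882 comm="gitolite-shell" path="/var/lib/gitolite3/.gitolite.rc" dev=sdb2 ino=262551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=AVC msg=audit(1375647504.498:684): avc:  denied  { getattr } for  pid=12882 comm="gitolite-shell" path="/var/lib/gitolite3/repositories/testing.git" dev=sdb2 ino=264285 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375647504.521:685): avc:  denied  { append } for  pid=12882 comm="gitolite-shell" name="gitolite-2013-08.log" dev=sdb2 ino=264307 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=file
type=AVC msg=audit(1375647504.651:686): avc:  denied  { read } for  pid=12886 comm="git-upload-pack" name="refs" dev=sdb2 ino=264308 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375647504.651:686): avc:  denied  { open } for  pid=12886 comm="git-upload-pack" name="refs" dev=sdb2 ino=264308 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:gitosis_var_lib_t:s0 tclass=dir
"""

# An AVC record may list several permissions in the braces, e.g. "{ read open }".
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that only observe an object (refpolicy read_file_perms / list_dir_perms).
READ_ONLY_PERMS = {"getattr", "search", "open", "read", "lock", "ioctl"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per 'denied' AVC record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("decision") != "denied":
            continue
        records.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return records


def aggregate(records):
    """Merge denials into (source type, target type, class) -> permission set.

    One such key is exactly one 'allow' rule; first-seen order is preserved."""
    rules = OrderedDict()
    for r in records:
        rules.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return rules


def flag_non_readonly(rules):
    """Return the subset of each rule's permissions that modify the target.

    These are the ones worth a second look before loading the module."""
    flagged = {}
    for key, perms in rules.items():
        extra = perms - READ_ONLY_PERMS
        if extra:
            flagged[key] = extra
    return flagged


def render_module(name, version, rules):
    """Emit a .te file in the layout 'audit2allow -m' produces."""
    types = OrderedDict()
    classes = OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        types.setdefault(stype, None)
        types.setdefault(ttype, None)
        classes.setdefault(tclass, set()).update(perms)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["        type %s;" % t for t in types]
    out += ["        class %s { %s };" % (c, " ".join(sorted(p))) for c, p in classes.items()]
    out += ["}", ""]
    # audit2allow groups rules under a banner per source type.
    for stype in [t for t in types if any(k[0] == t for k in rules)]:
        out.append("#============= %s ==============" % stype)
        for (s, ttype, tclass), perms in rules.items():
            if s == stype:
                out.append("allow %s %s:%s { %s };" % (s, ttype, tclass, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = aggregate(parse_avc(SAMPLE_AUDIT_LOG))
    print(render_module("my_gitolite3", "1.0", rules))
    for key, extra in flag_non_readonly(rules).items():
        print("review: %s -> %s:%s grants non-read-only %s" % (key[0], key[1], key[2], sorted(extra)))
```

Run against the question's records this reproduces the two `allow` lines from the answer and flags `append` on `gitosis_var_lib_t:file` (the gitolite log file) as the one permission that lets the httpd CGI context write into the repository tree, which is the kind of thing the answer's "review the code" step is there to catch.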