selinux
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||
This directory contains a selinux policy crafted to cover the sudo and
ssh scripts for the redmine_git_hosting plugin. In it, we define a new
httpd-compatible type, "httpd_redmine_git_script_exec_t" which can be
placed on the redmine_git_hosting/bin directory to allow sudo access
from redmine code. The basic assumption is that scripts placed into
this directory will be called from context "httpd_script_t" (i.e
redmine).
Once this plugin is placed under selinux control, three of the
redmine_git_hosting settings can no longer be modified from the
settings page. They are: 'gitUser', 'gitoliteIdentityFile', and
'gitoliteIdentityPublicKeyFile'. The plugin settings page will make
this clear. The simplest way to modify these options is to
temporarily place your system into permissive mode, refresh the
setting page, change options, then place your system back into
enforcing mode. Alternatively, you can alter the init.rb file and
reinstall the plugin. Under normal operation, you will get one
selinux complaint about /bin/touch in your log each time that you
visit the plugin settings page.
******************* INSTALLATION AND SETUP *************************
Note that the redmine_git_hosting/bin directory must be constructed
statically so that it can be labeled. You can do this with a series
of rake tasks at the top-level of the redmine directory (after fixing
up the defaults in the redmine_git_hosting init.rb file):
# Build bin directory with customized scripts for redmine_git_hosting,
# install new selinux policy, and install complete selinux context for
# redmine+this plugin:
rake selinux:install RAILS_ENV=production
Since redmine doesn't currently have a selinux install option, this
installation command is only available for this plugin. What this
will do is label the whole redmine site with "public_content_rw_t",
with the exception of the "dispatch*" files in public (set to
"httpd_script_exec_t") and the scripts in redmine_git_hosting/bin (set
to "httpd_redmine_git_script_exec_t").
If you happen to have multiple redmine installations, you can use a
regular expression to describe the redmine root directories (this will
translate into file context descriptions). For instance, if you have
multiple redmine installations in directories whose paths start with
"/source" and end with "redmine" you can use (notice the use of
double-quotes!):
rake selinux:install RAILS_ENV=production ROOT_PATTERN="/source/.*/redmine"
Somewhat less far-reaching options include:
# Build bin directory with customized scripts for redmine_git_hosting,
# install new selinux policy, and install selinux context for
# the redmine_git_hosting plugin
rake selinux:redmine_git_hosting:install RAILS_ENV=production
For those who are hand-crafting their own file context:
# Build bin directory with customized scripts for redmine_git_hosting
# and install new selinux policy. No file contexts will be
# installed (so that you must do customization afterwards).
rake selinux:redmine_git_hosting:install_scripts_and_policy RAILS_ENV=production
Finally, to rebuild the policy file (redmine_git.pp) from source (redmine_git.te),
you can type:
# Rebuild redmine_git_hosting selinux policy from source
rake selinux:redmine_git_hosting:build_policy RAILS_ENV=production