Create basic hg policy #2132
base: rawhide
Conversation
I am quite surprised the policy is so brief. Have you tried actually using it?
policy/modules/contrib/hg.te (outdated)

    dev_read_sysfs(hg_script_t)
    kernel_dgram_send(hg_script_t)
The recommended order of calling interfaces is: 1. kernel, 2. others from base, 3. modules, alphabetical inside each group.
I don't quite understand this comment; for this block, the 3 templates used all seem to be in that order.
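The ordering rule from the review above (kernel interfaces first, then other base interfaces, then module interfaces, alphabetical within each group, per block of calls) is easy to check mechanically. The checker below is an added example, not part of this PR or of selinux-policy; it assumes that the kernel-layer modules (corecmd_, corenet_, dev_, domain_, files_, fs_, mcs_, mls_, selinux_, storage_, term_, ubac_) are what "base" means here, which is a simplification, and it deliberately skips `*_template` calls, since templates have dependency order rather than alphabetical order. The sample `.te` text is constructed for the example.

```python
"""Check the refpolicy interface-call ordering convention on .te text.

Rule: inside one block of calls (blocks are separated by blank lines),
kernel_* interfaces come first, then other interfaces from base modules,
then interfaces from ordinary modules, alphabetical within each group.
"""
import re

# Interface prefixes of the kernel-layer modules, which are always in base.
# ASSUMPTION: a simplification; the real base contents depend on the build.
BASE_PREFIXES = {
    "corecmd", "corenet", "dev", "domain", "files", "fs", "mcs", "mls",
    "selinux", "storage", "term", "ubac",
}

# Names that look like calls but are not interface invocations.
SKIP = {"policy_module", "gen_require", "gen_tunable", "tunable_policy",
        "optional_policy", "type_transition"}

CALL_RE = re.compile(r"^\s*([a-z][a-z0-9]*_[a-z0-9_]+)\s*\(")


def tier(name):
    """0 = kernel, 1 = other base module, 2 = ordinary module."""
    prefix = name.split("_", 1)[0]
    if prefix == "kernel":
        return 0
    if prefix in BASE_PREFIXES:
        return 1
    return 2


def check_ordering(text):
    """Return [(line_no, message), ...] for every call that is out of order."""
    problems = []
    prev = None  # (tier, name, line_no) of the previous call in this block
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            prev = None  # blank line starts a new block
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if name in SKIP or name.endswith("_template"):
            continue
        cur = (tier(name), name)
        if prev is not None and cur < prev[:2]:
            problems.append(
                (no, f"{name} should come before {prev[1]} (line {prev[2]})"))
        prev = (cur[0], cur[1], no)
    return problems


# Constructed sample: the two calls are in the wrong order for one block.
SAMPLE_TE = """\
policy_module(hg, 1.0)

dev_read_sysfs(hg_script_t)
kernel_dgram_send(hg_script_t)
"""

if __name__ == "__main__":
    for no, msg in check_ordering(SAMPLE_TE):
        print(f"line {no}: {msg}")
```

Calls separated by a blank line are treated as different blocks, so the checker only complains about ordering inside a contiguous run of calls.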
policy/modules/contrib/hg.te (outdated)

    gen_tunable(hg_cgi_use_nfs, false)

    apache_content_template(hg)
    apache_content_alias_template(hg, hg)
Are you sure you need also this template?
Every other policy that uses apache_content_template follows it with this one, and it wasn't happy without it at the time I created the policy.
I am using it on my server, though via the selinux-policy-devel package. But after disabling it now I can't reproduce any of the errors I got when initially deploying it. So I'm unsure if it's still worth creating a policy for this. I addressed most of the complaints anyhow.
Cockpit tests failed for commit 29404e5. @martinpitt, @jelly, @mvollmer please check.
Cockpit tests failed for commit b47fafa. @martinpitt, @jelly, @mvollmer please check.
The Cockpit tests started to fail due to a tricky udisks2 regression in rawhide. We are investigating in cockpit-project/cockpit#20520 ASAP. In the meantime, please ignore the TestStorageAnaconda failures. Sorry for the noise!
Experimenting with hg I found out hgweb did not work ootb, so I tried to write a policy. This is the first time I have ever actually written a policy, so please tell me if there's anything wrong.
This makes hgweb work for anonymous viewing. Writing generally isn't done over http (as opposed to ssh), so it is not implemented. Very very very loosely based on the git policy.
Validated with CGI and WSGI on Apache.
dev_read_sysfs is required as it reads /sys/devices/system/cpu/possible.
When running as CGI, it also tried reading through the httpd config and cgi-bin for whatever reason, so I added those permissions as well. WSGI seems fine without it, but I think it's running in the incorrect context (read on for why).
When browsing hgweb, I also get this denial, which I don't know what to do about:
scontext changes to be hg_script_t when running as CGI instead of WSGI. The server runs completely fine without it and I don't see any errors in the app logs, but I would prefer to get rid of this denial somehow.
That denial also made me question if the WSGI script is running correctly, as it's showing as httpd_t. Adding fs_getattr_nsfs_files(httpd_t) seems inappropriate.
How logging is handled feels dodgy, but I couldn't find a better way myself. When hgweb throws an uncaught exception it goes up several chains of logging which just ended up confusing me.
Repos by default would have to be placed in /var/lib/hg or /var/www/hg which is unusual. To push/pull/etc there you'd need to clone from ssh://host//var/lib/hg/reponame, with the double slash for an absolute path.
There's no real established convention on public content in the home directory like with public_html and public_git so I refrained from adding a default file context in home dir. But after adding a custom fcontext via semanage browsing user content works fine without the need for any other modifications.
Please let me know how I can improve this.
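The confusion in the description above about which domain a denial belongs to (hg_script_t under CGI, httpd_t under WSGI) is exactly what the `scontext=` field of an AVC record answers: the allow rule or interface call has to target the source type, whatever you expected the script to run as. The script below is an added example, not code from this PR or from selinux-policy; it parses AVC lines, groups them by source domain and suggests the interface call when it knows one, otherwise a raw `allow` rule as a fallback. The interface table only covers the two interfaces mentioned on this page (dev_read_sysfs, fs_getattr_nsfs_files); a real tool would consult the `.if` files. The audit lines are constructed for the example and are not real log output.

```python
"""Turn AVC denials into per-domain interface calls or fallback allow rules."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (target type, object class, permission) -> interface granting it.
# ASSUMPTION: only the two interfaces discussed in the PR are mapped here.
INTERFACES = {
    ("sysfs_t", "file", "read"): "dev_read_sysfs",
    ("nsfs_t", "file", "getattr"): "fs_getattr_nsfs_files",
}


def parse_avc(line):
    """Extract permissions, source type, target type and class; None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:TYPE:level
    ttype = m.group("tcontext").split(":")[2]
    return {
        "perms": m.group("perms").split(),
        "stype": stype,
        "ttype": ttype,
        "tclass": m.group("tclass"),
    }


def suggest(lines):
    """Group denials by source domain; prefer an interface call over a raw allow."""
    out = defaultdict(list)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            iface = INTERFACES.get((d["ttype"], d["tclass"], perm))
            if iface:
                rule = f"{iface}({d['stype']})"
            else:
                # Fallback: raw rule. Replace it with the proper interface
                # from the owning module's .if file before committing.
                rule = f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perm};"
            if rule not in out[d["stype"]]:
                out[d["stype"]].append(rule)
    return dict(out)


# Constructed sample denials (not real audit output): hg reading
# /sys/devices/system/cpu/possible under CGI, httpd touching nsfs under WSGI,
# and hg reading the httpd config directory under CGI.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1700000000.100:101): avc:  denied  { read } for  pid=4242 '
    'comm="hg" name="possible" dev="sysfs" ino=1 '
    'scontext=system_u:system_r:hg_script_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.200:102): avc:  denied  { getattr } for  pid=4243 '
    'comm="httpd" path="net:[4026531992]" dev="nsfs" ino=4026531992 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.300:103): avc:  denied  { read } for  pid=4242 '
    'comm="hg" name="conf" dev="dm-0" ino=77 '
    'scontext=system_u:system_r:hg_script_t:s0 '
    'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=no',
]

if __name__ == "__main__":
    for domain, rules in suggest(SAMPLE_DENIALS).items():
        print(f"# {domain}")
        for r in rules:
            print(r)
```

Run against `ausearch -m AVC -ts recent` output it prints one group per source domain, which makes the WSGI case visible immediately: the nsfs denial is attributed to httpd_t, so any rule for it would widen httpd_t itself rather than the hg domain, which is the reason the description hesitates to add fs_getattr_nsfs_files(httpd_t). The raw `allow` fallback for httpd_config_t is only a pointer to the object class and permission; the committed policy should use the apache module's interface instead.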