Discussion:
question about selinux context when creating a directory
Anthony LaTorre
2021-06-08 02:47:05 UTC
Hi all,

I was recently setting up a webserver with cgit and apache on a fresh
Fedora 34 installation and ran into one issue that I still don't quite
understand. After installing both apache and cgit, I created the
default location expected for git repositories in /var/lib/git via:

# mkdir /var/lib/git

and then added a few bare repositories and pushed to them.

I wasn't able to view the cgit page though and was getting the
following errors in audit.log:

type=AVC msg=audit(1622927247.335:77187): avc: denied { getattr }
for pid=281294 comm="cgit" path="/var/lib/git/chroma.git/HEAD"
dev="sda" ino=134922 scontext=system_u:system_r:git_script_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

I eventually found out that I needed to run:

# restorecon -vR /var/lib/git/

which fixed the issue, but I thought it was supposed to happen
automatically since there was already a rule which was supposed to set
these as type git_content_t (I think that's it).

I emailed the cgit package maintainer and he was surprised too, and has
since updated the README to include instructions to run restorecon,
but I was curious as to whether this should be necessary. Why doesn't
the /var/lib/git directory get the correct context?

Thanks,

Tony
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it
James Ralston
2021-06-08 04:29:40 UTC
Post by Anthony LaTorre
# restorecon -vR /var/lib/git/
which fixed the issue, but I thought it was supposed to happen
automatically since there was already a rule which was supposed to
set these as type git_content_t (I think that's it).
I emailed the cgit package maintainer and he was surprised too, and
has since updated the README to include instructions to run
restorecon, but I was curious as to whether this should be
necessary. Why doesn't the /var/lib/git directory get the correct
context?
Performance.

Calculating the correct SELinux file context for an arbitrary path in
the filesystem can be nontrivial (e.g., requiring parsing regular
expressions). If the kernel did this by default for every object
created in the filesystem, performance would be terrible.

Since the vast majority of the time the correct context for a new
file/directory is the same as the parent directory, in order to
prevent SELinux from tanking performance, new files/directories
inherit the file context of the parent directory unless either 1) the
application is SELinux-aware and requests a specific context, or 2)
there is a type transition that specifies a specific context.

Modern versions of mkdir are SELinux-aware and support the -Z option
to atomically create a directory with the correct SELinux file
context:

$ mkdir -Z /var/lib/git

But running restorecon after the fact also works.
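The mechanism James describes, as an added example that is not from the thread, from cgit, or from libselinux: a small Python model of how a file_contexts lookup, a plain mkdir and an SELinux-aware `mkdir -Z` label a path, plus a parser for the AVC record Tony posted that decides whether a denial is a labelling problem restorecon would fix. The rule table is constructed (on a real host the entries come from the loaded policy and are queried with `matchpathcon <path>` or `semanage fcontext -l`, and the git entry is an assumption modelled on the type named in the thread), and the "last matching entry wins" rule and the absence of type-transition handling are simplifications.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed file_contexts-style entries (regex, context), in policy order.
# On a real host these come from the loaded policy; query them with
# `matchpathcon <path>` or `semanage fcontext -l`. The git entry is an
# assumption modelled on the type named in the thread, not a copy of Fedora's.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/var/lib(/.*)?",     "system_u:object_r:var_lib_t:s0"),
    (r"/var/lib/git(/.*)?", "system_u:object_r:git_content_t:s0"),
    (r"/var/www(/.*)?",     "system_u:object_r:httpd_sys_content_t:s0"),
]
_COMPILED = [(re.compile(pat), ctx) for pat, ctx in FILE_CONTEXTS]

# The AVC record from the thread, joined onto one line (constructed sample input).
SAMPLE_AVC = (
    'type=AVC msg=audit(1622927247.335:77187): avc: denied { getattr } '
    'for pid=281294 comm="cgit" path="/var/lib/git/chroma.git/HEAD" '
    'dev="sda" ino=134922 scontext=system_u:system_r:git_script_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)


def expected_context(path: str) -> Optional[str]:
    """Simplified matchpathcon: each entry is a full-path regex and the last
    matching entry wins. This regex scan is the work the kernel skips on
    file creation, which is why a plain mkdir inherits the parent's label."""
    winner = None
    for regex, ctx in _COMPILED:
        if regex.fullmatch(path):
            winner = ctx
    return winner


def label_new_dir(parent_ctx: str, path: str, selinux_aware: bool) -> str:
    """Model of two of the cases in the reply: a plain mkdir gets the parent's
    context; an SELinux-aware `mkdir -Z` asks for the file_contexts label.
    Policy type transitions (the third case) are not modelled here."""
    if selinux_aware:
        return expected_context(path) or parent_ctx
    return parent_ctx


_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")


def parse_avc(line: str) -> Dict[str, object]:
    """Extract key=value fields (quotes stripped) and the denied permissions."""
    fields: Dict[str, object] = {m.group(1): m.group(2).strip('"')
                                 for m in _KV_RE.finditer(line)}
    denied = _DENIED_RE.search(line)
    fields["perms"] = denied.group(1).split() if denied else []
    return fields


def context_type(ctx: str) -> str:
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def triage_avc(line: str) -> Dict[str, object]:
    """Decide whether a denial is a labelling problem that restorecon fixes:
    the target's actual type differs from what file_contexts says it should be."""
    f = parse_avc(line)
    path, actual = str(f.get("path", "")), str(f.get("tcontext", ""))
    expected = expected_context(path) if path else None
    mislabelled = (expected is not None and actual != ""
                   and context_type(expected) != context_type(actual))
    return {
        "path": path,
        "perms": f["perms"],
        "actual_type": context_type(actual) if actual else None,
        "expected_type": context_type(expected) if expected else None,
        "mislabelled": mislabelled,
        "fix": f"restorecon -vR {path}" if mislabelled else None,
    }


if __name__ == "__main__":
    parent = "system_u:object_r:var_lib_t:s0"  # label of /var/lib in this model
    print("mkdir    ->", label_new_dir(parent, "/var/lib/git", False))
    print("mkdir -Z ->", label_new_dir(parent, "/var/lib/git", True))
    for key, value in triage_avc(SAMPLE_AVC).items():
        print(f"{key:14}{value}")
```

Run as-is to see the inherited label for a plain mkdir beside the file_contexts label for `mkdir -Z`, followed by the triage of the posted AVC record, which reports `var_lib_t` as the actual type, `git_content_t` as the expected one and restorecon as the fix. A denial whose actual and expected types already agree is a policy question rather than a labelling one, and the triage leaves `fix` empty for it.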
Anthony LaTorre
2021-06-08 04:42:35 UTC
Ah ok, that makes sense. Thanks!

Tony
Post by James Ralston
Post by Anthony LaTorre
# restorecon -vR /var/lib/git/
which fixed the issue, but I thought it was supposed to happen
automatically since there was already a rule which was supposed to
set these as type git_content_t (I think that's it).
I emailed the cgit package maintainer and he was surprised too, and
has since updated the README to include instructions to run
restorecon, but I was curious as to whether this should be
necessary. Why doesn't the /var/lib/git directory get the correct
context?
Performance.
Calculating the correct SELinux file context for an arbitrary path in
the filesystem can be nontrivial (e.g., requiring parsing regular
expressions). If the kernel did this by default for every object
created in the filesystem, performance would be terrible.
Since the vast majority of the time the correct context for a new
file/directory is the same as the parent directory, in order to
prevent SELinux from tanking performance, new files/directories
inherit the file context of the parent directory unless either 1) the
application is SELinux-aware and requests a specific context, or 2)
there is a type transition that specifies a specific context.
Modern versions of mkdir are SELinux-aware and support the -Z option
to atomically create a directory with the correct SELinux file
context:
$ mkdir -Z /var/lib/git
But running restorecon after the fact also works.