From: david x callaway <dxc@pobox.com>
To: selinux@tycho.nsa.gov
Subject: policy for subversion post-commit hook on fc6 targeted
Date: Thu, 15 Mar 2007 14:51:25 -0400
Message-ID: <45F995AD.6040204@pobox.com>
problem: allow the subversion post-commit hook to dump svn after each
commit. due to a recent disk death I wanted this to produce two dumps,
one on each of two physical disks. I'm accessing subversion through
apache, and I didn't want to turn selinux off.

note: some of the paths below are specific to my setup, e.g. my repos
are in /usr/local/svn/<repo> directories, but YMMV depending upon how
you set up svn and apache. obviously my backup dirs will probably not
match yours either, and their exact location has some bearing on other
parts of the policy.

note: the regex for the hook itself *should* mean a new repository will
just work with no further intervention, but I didn't test this.

the dump script is simple, basically it does an svnadmin dump into a
directory under /tmp and then copies the dump elsewhere. it takes
advantage of the standard hook script arguments, the repos and the rev,
to produce a file named ${REPONAME}.dump.${REV}, where REPONAME is the
basename of the path to the repo. the copies end up under
/data/svn-bkup and /opt/data/svn-bkup.

to make a long story short, dan walsh helped me out here
http://danwalsh.livejournal.com/8707.html, and asked me to post the
result, which follows. my email client is providing some line breaks
that should be removed.

dan said most of the policy was generated by a new tool, and I went
through a few of the usual audit2allow/add rules cycles before getting
it to work, but thanks to dan it was pretty simple.

dxc
---------- svnpostcommit.fc ----------
# each entry is one line: regex, file type ("--" = regular file only), context
/usr/local/svn/[^/]+/hooks/post-commit -- gen_context(system_u:object_r:httpd_svnpostcommit_script_exec_t,s0)
/opt/data/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)
/data/svn-bkup(/.*)? gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)
---------- svnpostcommit.if ----------
## policy for httpd_svnpostcommit_script
########################################
## <summary>
##	Execute a domain transition to run httpd_svnpostcommit_script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_domtrans',`
	gen_require(`
		type httpd_svnpostcommit_script_t, httpd_svnpostcommit_script_exec_t;
	')

	domain_auto_trans($1,httpd_svnpostcommit_script_exec_t,httpd_svnpostcommit_script_t)

	allow httpd_svnpostcommit_script_t $1:fd use;
	allow httpd_svnpostcommit_script_t $1:fifo_file rw_file_perms;
	allow httpd_svnpostcommit_script_t $1:process sigchld;
')
########################################
## <summary>
##	Search httpd_svnpostcommit_script rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_search_rw_dir',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:dir search_dir_perms;
	files_search_rw($1)
')
########################################
## <summary>
##	Read httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_read_rw_files',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:file r_file_perms;
	allow $1 httpd_svnpostcommit_script_rw_t:dir list_dir_perms;
	files_search_rw($1)
')
########################################
## <summary>
##	Create, read, write, and delete
##	httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_manage_rw_files',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:file manage_file_perms;
	allow $1 httpd_svnpostcommit_script_rw_t:dir rw_dir_perms;
')
---------- svnpostcommit.te ----------
policy_module(svnpostcommit,1.0.0)
########################################
#
# Declarations
#
require {
type httpd_t;
# dxc adds
type httpd_tmp_t;
type default_t;
}
apache_content_template(svnpostcommit)
# tmp files
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
files_pid_filetrans(httpd_svnpostcommit_script_t,httpd_svnpostcommit_script_rw_t, { file dir })

allow httpd_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
allow httpd_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;

# dxc adds
allow httpd_svnpostcommit_script_t default_t:dir { search };
allow httpd_svnpostcommit_script_t httpd_tmp_t:dir {
add_name getattr search write
};
allow httpd_svnpostcommit_script_t httpd_tmp_t:file {
create getattr read write
};
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
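The message describes the hook script only in prose (svnadmin dump into a directory under /tmp, then copy the file named ${REPONAME}.dump.${REV} to /data/svn-bkup and /opt/data/svn-bkup). The following is an added example of such a post-commit hook, not the poster's own script. It assumes the staging directory name /tmp/svn-dump and dumps only the committed revision (`svnadmin dump -r REV --incremental`); the original may have dumped the whole repository each time. The backup paths are the ones from the poster's svnpostcommit.fc.

```shell
#!/bin/sh
# Added example post-commit hook (not the original poster's script).
# Subversion invokes it as:  post-commit REPOS-PATH REV
# It runs as the httpd user, confined by the svnpostcommit policy module.
set -eu

# Backup directories from the poster's file_contexts (httpd_svnpostcommit_script_rw_t).
BACKUP_DIRS="/data/svn-bkup /opt/data/svn-bkup"
# Staging directory under /tmp; the name is an assumption, not from the post.
STAGE_DIR="/tmp/svn-dump"

# Build the file name the post describes: <basename of repo path>.dump.<rev>
dump_name() {
    repos="$1"
    rev="$2"
    echo "$(basename "$repos").dump.$rev"
}

# Accept only a plain decimal revision number; the arguments arrive from
# httpd, so the hook should not pass anything unexpected to svnadmin.
valid_rev() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

run_hook() {
    repos="$1"
    rev="$2"
    valid_rev "$rev" || { echo "post-commit: bad revision '$rev'" >&2; return 1; }
    name=$(dump_name "$repos" "$rev")

    mkdir -p "$STAGE_DIR"
    # Dump just this revision (assumption; a full dump would also fit the post).
    svnadmin dump -r "$rev" --incremental "$repos" > "$STAGE_DIR/$name"

    # Copy, rather than move, into each backup dir so the new file is created
    # there and picks up the directory's type (httpd_svnpostcommit_script_rw_t).
    for d in $BACKUP_DIRS; do
        cp "$STAGE_DIR/$name" "$d/$name"
    done
    rm -f "$STAGE_DIR/$name"
}

# Only act when called with the two hook arguments, so the functions above
# can also be sourced and exercised without a repository present.
if [ "$#" -eq 2 ]; then
    run_hook "$1" "$2"
fi
```

Two points worth checking against the policy above: the staging files under /tmp are what the `httpd_tmp_t` rules in the .te cover, and the `default_t:dir search` rule is most likely needed because /data itself has no file_contexts entry (only /data/svn-bkup does), so it carries the catch-all default_t label. Labelling the parent directory, or placing the backups under a directory that already has a searchable type, would let that rule be dropped.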