fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Can only run git daemon via `/usr/bin/git daemon`, not `/usr/libexec/git-core/git-daemon` #2130

Open maddymeows opened 1 month ago

maddymeows commented 1 month ago

Given the following systemd unit:

[Unit]
Description=Git Daemon

[Service]
ExecStart=/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --reuseaddr --export-all --verbose
Restart=always
User=git

[Install]
WantedBy=multi-user.target

The following denial gets logged upon running git clone git://localhost/whatever.git:

type=AVC msg=audit(1716141610.662:1855): avc:  denied  { execute_no_trans } for  pid=13923 comm="git-daemon" path="/usr/libexec/git-core/git-daemon" dev="dm-1" ino=201747140 scontext=system_u:system_r:git_system_t:s0 tcontext=system_u:object_r:gitd_exec_t:s0 tclass=file permissive=0

Only when using ExecStart=/usr/bin/git daemon [...] is the git daemon allowed to function.

Fedora's git-daemon package ships with a socket-activated systemd unit that does call /usr/libexec/git-core/git-daemon, which runs fine. However, I'm running as a regular daemon and can't use the same binary and must use /usr/bin/git daemon instead.

I would have expected the opposite, if anything.
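As an added example (not code from the issue or from the selinux-policy project), a small Python parser for audit lines like the AVC record quoted above: it pulls out the source and target types, states what an execute_no_trans denial on a file means, and builds the sesearch queries (assuming the setools sesearch tool is installed) a maintainer would run to see whether the loaded policy has a domain transition or an execute_no_trans allow for git_system_t on gitd_exec_t.

```python
import re
from dataclasses import dataclass

# Constructed input: the AVC record quoted in the issue above, joined into one line.
AVC_LINE = (
    "type=AVC msg=audit(1716141610.662:1855): avc:  denied  { execute_no_trans } "
    'for  pid=13923 comm="git-daemon" path="/usr/libexec/git-core/git-daemon" '
    'dev="dm-1" ino=201747140 scontext=system_u:system_r:git_system_t:s0 '
    "tcontext=system_u:object_r:gitd_exec_t:s0 tclass=file permissive=0"
)
_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=bare or key="quoted"


@dataclass
class Avc:
    decision: str   # "denied" or "granted"
    perms: tuple    # permissions listed inside the braces
    fields: dict    # every key=value pair, quotes stripped

    @property
    def source_type(self) -> str:  # a context is user:role:type[:range]
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Avc:
    """Parse one audit line; ValueError if it carries no AVC decision."""
    m = _DECISION_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: (inner if raw.startswith('"') else raw)
              for k, raw, inner in _FIELD_RE.findall(line)}
    return Avc(m.group(1), tuple(m.group(2).split()), fields)


def explain(avc: Avc) -> str:
    """execute_no_trans on a file: the caller ran a binary of the target type and
    stayed in its own domain, which needs an explicit allow or a transition."""
    s, t, cls = avc.source_type, avc.target_type, avc.fields.get("tclass")
    if cls == "file" and "execute_no_trans" in avc.perms:
        return f"{s} executed a {t} file without a domain transition"
    return f"{s} was {avc.decision} {' '.join(avc.perms)} on {cls} {t}"


def check_commands(avc: Avc) -> list:
    """setools sesearch queries showing what the loaded policy holds for the pair."""
    s, t = avc.source_type, avc.target_type
    return [f"sesearch -A -s {s} -t {t} -c file -p execute_no_trans",
            f"sesearch -T -s {s} -t {t} -c process"]
```

Run the two printed sesearch lines on the affected host: an empty result for both confirms the policy has neither rule for the pair.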

zpytela commented 2 weeks ago

@maddymeows It is not expected to run a service with ExecStart=/usr/bin/git daemon. Can you show the complete configuration needed to run the shipped git service and/or gather all data with full auditing enabled?

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

maddymeows commented 2 weeks ago

On a fresh VM installed via

passfile="$(mktemp)"
echo meow > "$passfile"
sudo virt-install \
  --name git-daemon-selinux-issue \
  --memory 4096 \
  --vcpus 4 \
  --unattended profile=jeos,admin-password-file="$passfile",user-login=ansible,user-password-file="$passfile" \
  --install fedora40 \
  --boot uefi \
  ;

Run the Ansible playbook found at https://gist.github.com/maddymeows/1e518fcccb94436b77bc3215050b4641

Audits on enforcing and permissive are found at https://gist.github.com/maddymeows/ce3806c06282f5a4da6089b6139e9dc6

Interestingly, I get a different denial now (it can't even bind to the port now), but permissive still shows the original audit I ran into. Perhaps a boolean I enabled on my production system.

Replacing the unit file to launch with ExecStart=/usr/bin/git daemon [...] produces no audits at all.