fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Create basic hg policy #2132

Open maddymeows opened 1 month ago

maddymeows commented 1 month ago

Experimenting with hg I found out hgweb did not work ootb, so I tried to write a policy. This is the first time I ever actually wrote a policy, so please tell me if there's anything wrong.

This makes hgweb work for anonymous viewing. Writing generally isn't done over http (as opposed to ssh), so it is not implemented. Very very very loosely based on the git policy.

Validated with CGI and WSGI on Apache.

dev_read_sysfs is required as it reads /sys/devices/system/cpu/possible. When running as CGI, it also tried reading through the httpd config and cgi-bin for whatever reason, so I added those permissions as well. WSGI seems fine without it, but I think it's running in the incorrect context (read on for why).

When browsing hgweb, I also get this denial, which I don't know what to do about:

avc: denied { getattr } for pid=99829 comm="httpd" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

scontext changes to be hg_script_t when running as CGI instead of WSGI. The server runs completely fine without it and I don't see any errors in the app logs, but I would prefer to get rid of this denial somehow.

That denial also made me question if the WSGI script is running correctly, as it's showing as httpd_t. Adding fs_getattr_nsfs_files(httpd_t) seems inappropriate.

How logging is handled feels dodgy, but I couldn't find a better way myself. When hgweb throws an uncaught exception it goes up several chains of logging which just ended up confusing me.

Repos by default would have to be placed in /var/lib/hg or /var/www/hg which is unusual. To push/pull/etc there you'd need to clone from ssh://host//var/lib/hg/reponame, with the double slash for an absolute path.

There's no real established convention on public content in the home directory like with public_html and public_git so I refrained from adding a default file context in home dir. But after adding a custom fcontext via semanage browsing user content works fine without the need for any other modifications.

Please let me know how I can improve this.
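To make denials like the one quoted above easier to triage (for instance, seeing at a glance that the request runs as httpd_t under WSGI but as hg_script_t under CGI), here is an added example that is not part of this PR or of the selinux-policy repository: it parses AVC records and groups the denied permissions by source domain. The first sample record is the one from the PR description; the second is constructed for illustration, and the comm value "hgweb.cgi" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit text: line 1 is the nsfs denial from the PR
# description, line 2 is a made-up CGI-mode record (comm name assumed).
SAMPLE_AUDIT = """\
avc: denied { getattr } for pid=99829 comm="httpd" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
avc: denied { read } for pid=99830 comm="hgweb.cgi" name="possible" dev="sysfs" ino=12 scontext=system_u:system_r:hg_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
"""

# Pull the permission set and the three context fields out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def _type_of(context):
    # user:role:type:level -> type; the MLS level may itself contain colons,
    # but the type is always the third field.
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))  # key=value fields
    return {
        "perms": set(m.group("perms").split()),
        "source_type": _type_of(m.group("scontext")),
        "target_type": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": kv.get("comm", "").strip('"'),
        "permissive": m.group("permissive") == "1",
    }

def summarize(text):
    """Group denials: {source domain: {(target type, class): set of perms}}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["target_type"], rec["tclass"])
            summary[rec["source_type"]][key] |= rec["perms"]
    return {domain: dict(targets) for domain, targets in summary.items()}

if __name__ == "__main__":
    for domain, targets in summarize(SAMPLE_AUDIT).items():
        for (ttype, tclass), perms in targets.items():
            print(f"{domain}: {tclass} {ttype} {{ {' '.join(sorted(perms))} }}")
```

Feeding it the output of `ausearch -m AVC` (or the raw audit.log) shows per domain which target types and classes are involved before deciding whether a rule belongs in the policy or whether the script is simply running in the wrong domain.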

maddymeows commented 1 month ago

I am quite surprised the policy is so brief; have you actually tried using it?

I am using it on my server, though via the selinux-policy-devel package. But after disabling it, now I can't reproduce any of the errors I got when initially deploying it. So I'm unsure if it's still worth creating a policy for this.

I addressed most of the complaints anyhow.

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit 29404e5deeb6e5cb35c55be34fac2bc26f5c59ec. @martinpitt, @jelly, @mvollmer please check.

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit b47fafa04eb8e998b8fdf2953df62ead9a7b53ca. @martinpitt, @jelly, @mvollmer please check.

martinpitt commented 1 month ago

The Cockpit tests started to fail due to a tricky udisks2 regression in rawhide. We are investigating in https://github.com/cockpit-project/cockpit/issues/20520 ASAP. In the meantime, please ignore the TestStorageAnaconda failures. Sorry for the noise!