Top Menu

Jump to content
Home
    Modules
      • Projects
      • Activity
      • Work packages
      • Gantt charts
      • Calendars
      • Team planners
      • Boards
      • News
    • Getting started
    • Introduction video
      Welcome to OpenProject Community
      Get a quick overview of project management and team collaboration with OpenProject. You can restart this video from the help menu.
    • Help and support
    • User guides
    • Videos
    • Shortcuts
    • Community forum
    • Enterprise support
    • Additional resources
    • Data privacy and security policy
    • Digital accessibility (DE)
    • OpenProject website
    • Security alerts / Newsletter
    • OpenProject blog
    • Release notes
    • Report a bug
    • Development roadmap
    • Add and edit translations
    • API documentation
  • Sign in
      Forgot your password?

      or sign in with your existing account

      Google

Side Menu

  • Overview
  • Activity
    Activity
  • Roadmap
  • Work packages
    Work packages
  • Gantt charts
    Gantt charts
  • Calendars
    Calendars
  • Team planners
    Team planners
  • Boards
    Boards
  • News
  • Forums

Content

You are here:
  1. Messages
Support Installation & Updates
  1. OpenProject
  2. Forums
  3. Support Installation & Updates
  4. Openproject 5.0.x and git

Openproject 5.0.x and git

Added by Bernhard Jilka almost 9 years ago

Hello,
im am not quite sure if this is a bug or not so i am posting that here.

I installed Openproject 5.0.17 (packaged installation) on a fresh CentOS 7.2 with all updates done.
Everything went smoothly up to the time i tried to check out the git repository from a project.

It turned out that SE Linux was hindering the git-http-backend script from accessing /var/db/openproject/git folder
with the message that the folder is not a valid git repository (svn worked fine).

I then changed the security context of the file /usr/libexec/git-core/git-http-backend from the default bin_t to httpd_exec_t
and now everything works as expected. As i am not a security expert so i dont know if this is correct but i think it is better than
turning selinux off. I also think that the httpd process is quite limited with privileges so it should not be a big concern
to do it that way.

So my question is this an error in the installationscript (i think you do change some of the contexts in there) or have i done
something wrong?

regards
Bernhard


Replies (4)

RE: Openproject 5.0.x and git - Added by Oliver Günther almost 9 years ago

Hi Bernhard,

sorry for the late reply.

The installer does set the correct context for SELinux, however appears to only do so on RH Linux.
The installer sets the following contexts:

/usr/libexec/git-core/git-httpbackend: httpd_git_script_exec_t
/var/db/openproject/git: httpd_git_rw_content_t, httpd_sys_content_t, httpd_sys_rw_content_t

For more information on the httpd_git context see http://linux.die.net/man/8/httpd_git_script_selinux.

I’m not the most experienced user of SELinux, but I believe httpd_exec_t should only be used for transitioning into executables, so that may be too coarse for our use case.

Can you try to apply the above contexts and check the functionality?

Best,
Oliver

RE: Openproject 5.0.x and git - Added by Bernhard Jilka almost 9 years ago

Hi Oliver,

When i set the context httpd_git_script_exec_t to the git-http-backend then it cannot access the files anymore.

The folder /var/db/openproject/git is labeled with httpd_sys_rw_content_t

When i try to set the httpd_git_rw_content_t context with chcon to /var/db/openproject/git i get an error.
“chcon: failed to change context of ‘git’ to ‘unconfined_u:object_r:httpd_git_rw_content_t:s0’: Invalid argument”

It is also interesting that i cannot find the httpd_git_rw_content_t type on the machine (with seinfo and sesearch) ….
I expected that it would be set when i installed git.
I need to read up further details on how those are “installed” generated or whatever.

I also do not understand what you mean with the multiple contexts on the folder /var/db/openproject/git
As far as i understood there can only be one context per file/folder.

Something is quite wired here. Either CentOS behaves different from RHEL with SELinux or i am doing something wrong.

As i think i can remember that there were some errors with setting the contexts when installing openproject.
I will check that on the weekend.

regards
Bernhard

RE: Openproject 5.0.x and git - Added by Bernhard Jilka over 8 years ago

Finally i found the time to investigate the Problem again!

Context Type renames

But first things first:
In CentOS 7.2 (1511) they renamed the whole git part of the default selinux policy (policy version 28).
As far as i could determine they removed the “httpd_” part of the context types and added aliases so that the old names “should” still work.

If you want to check that yourself do the following:
Install seinfo (setools-console)
seinfo -tgit_script_exec_t -x

What happens now when you try to checkout a git repo?

You get an error that the folder is not found!
And you get an error in the /var/log/audit/audit.log
type=AVC msg=audit(1471115084.887:411): avc: denied { search } for pid=6195 comm="git-http-backen" name="git" dev="dm-0" ino=136456753 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir

What does that mean?
The first thing is that the file git-http-backend (i dont know why it truncates the last char?!?) is labled with git_script_exec_t
# ll -Z /usr/libexec/git-core/git-http-backend -rwxr-xr-x. root root system_u:object_r:git_script_exec_t:s0 /usr/libexec/git-core/git-http-backend

When you do some research (it was 1:00 in the morning …) you get the following:
# sesearch --all -t git_script_exec_t Found 2 semantic te rules: type_transition httpd_suexec_t git_script_exec_t : process git_script_t; type_transition httpd_t git_script_exec_t : process git_script_t;

The meaning of that is defined under http://selinuxproject.org/page/NB_Domain_and_Object_Transitions .
To make it shorter it means the following:
A process labled with httpd_t or httpd_suexec_t that starts a new process from a file with git_script_exec_t gets the type git_script_t !
Does that sound familiar?
If we go back to the Error message in the audit.log we find the part:
scontext=system_u:system_r:git_script_t:s0
this is exactly what happend. The cgi-script “git-http-backend” get transitioned to git_script_t.

So what to do now?

After some more research with sesearch i found that a process with git_script_t CANNOT access httpd_sys_rw_content_t as there is no allow rule for that.
But what can we do then? We can label the folder /var/db/openproject/git with the git_rw_content_t type.
There is a rule for that:
sesearch -A -s git_script_t | grep "git_script_t git_rw_content_t" allow git_script_t git_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow git_script_t git_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow git_script_t git_rw_content_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow git_script_t git_rw_content_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow git_script_t git_rw_content_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;

TLDR

So this is the solution i found:
chcon -R -v -t git_rw_content_t /var/db/openproject/git/

My suggestion is that you change to that type in the configure script for the git folder in stead of “httpd_sys_rw_content_t”.

PS:
There is a good overview for SELinux at the gentoo project:
https://wiki.gentoo.org/wiki/SELinux/Quick_introduction

In the hope that this is usefull for someone,
Bernhard

RE: Openproject 5.0.x and git - Added by Marcus Floyd over 8 years ago

You are the man Berhard! Saved me so much time after racking my brain all night. I owe you a beer or something.

  • (1 - 4/4)
Loading...