Merge pull request #1845 from bviktor/selinux

Fork: 0

johnpearcey / gitbucket_jkp

Browse code Merge pull request #1845 from bviktor/selinux SELinux policy module, deploy script and instructions master
commit 2ee70dc1b215c785fe2f154a9583ea8919e4c073 2 parents ad054d2 + 3400b9a Naoki Takezoe authored on 18 Jan 2018 GitHub committed on 18 Jan 2018

Patch

Unified Split

Showing 3 changed files

                Ignore Space
               Show notes
              View
            
          
          22 ■■■■■
          contrib/linux/redhat/selinux/gitbucket.te
        
        
        
          0 → 100644
               module gitbucket 1.0;
 
require {
	type smtp_port_t;
	type tomcat_t;
	type tomcat_var_lib_t;
	type unreserved_port_t;
 
	class file { execute };
	class tcp_socket { name_bind };
	class tcp_socket { name_connect };
}
 
# allow tomcat to send emails
allow tomcat_t smtp_port_t:tcp_socket { name_connect };
 
# allow file executes, required during repo creation
allow tomcat_t tomcat_var_lib_t:file { execute };
 
# allow tomcat to serve repositories via SSH
allow tomcat_t unreserved_port_t:tcp_socket { name_bind };
+module gitbucket 1.0;
+require {
+	type smtp_port_t;
+	type tomcat_t;
+	type tomcat_var_lib_t;
+	type unreserved_port_t;
+	class file { execute };
+	class tcp_socket { name_bind };
+	class tcp_socket { name_connect };
+}
+# allow tomcat to send emails
+allow tomcat_t smtp_port_t:tcp_socket { name_connect };
+# allow file executes, required during repo creation
+allow tomcat_t tomcat_var_lib_t:file { execute };
+# allow tomcat to serve repositories via SSH
+allow tomcat_t unreserved_port_t:tcp_socket { name_bind };

                Ignore Space
               Show notes
              View
            
          
          33 ■■■■■
          contrib/linux/redhat/selinux/readme.md
        
        
        
          0 → 100644
               # Red Hat Enterprise Linux / CentOS SELinux policy module for GitBucket
 
One way to run GitBucket on Enterprise Linux is under Tomcat. Since EL 7.4, Tomcat is no longer unconfined.
Thus since 7.4, Enterprise Linux blocks certain operations that are required for GitBucket to work properly:
 
* Tomcat is not allowed to connect to SMTP ports, which is required to send email notifications.
* Tomcat is not allowed to execute files, which is required for creating repositories.
* Tomcat is not allowed to act as a server on unreserved ports, which is required for serving repositories via SSH.
 
To mitigate this, you can use the SELinux policy module provided as `gitbucket.te`. You can deploy the module with the
attached script, e.g.:
 
~~~
./sedeploy.sh gitbucket
~~~
 
You most likely also need to fix file contexts on your system. Assuming a new, default Tomcat installation on 7.4, you
can do so by issuing the following commands:
 
~~~
GITBUCKET_HOME='/usr/share/tomcat/.gitbucket'
mkdir -p ${GITBUCKET_HOME}
chown tomcat.tomcat ${GITBUCKET_HOME}
semanage fcontext -a -t tomcat_var_lib_t "${GITBUCKET_HOME}(/.*)?"
restorecon -rv ${GITBUCKET_HOME}
 
JAVA_CONF='/usr/share/tomcat/.java'
mkdir -p ${JAVA_CONF}
chown tomcat.tomcat ${JAVA_CONF}
semanage fcontext -a -t tomcat_cache_t "${JAVA_CONF}(/.*)?"
restorecon -rv ${JAVA_CONF}
~~~
+# Red Hat Enterprise Linux / CentOS SELinux policy module for GitBucket
+One way to run GitBucket on Enterprise Linux is under Tomcat. Since EL 7.4, Tomcat is no longer unconfined.
+Thus since 7.4, Enterprise Linux blocks certain operations that are required for GitBucket to work properly:
+* Tomcat is not allowed to connect to SMTP ports, which is required to send email notifications.
+* Tomcat is not allowed to execute files, which is required for creating repositories.
+* Tomcat is not allowed to act as a server on unreserved ports, which is required for serving repositories via SSH.
+To mitigate this, you can use the SELinux policy module provided as `gitbucket.te`. You can deploy the module with the
+attached script, e.g.:
+~~~
+./sedeploy.sh gitbucket
+~~~
+You most likely also need to fix file contexts on your system. Assuming a new, default Tomcat installation on 7.4, you
+can do so by issuing the following commands:
+~~~
+GITBUCKET_HOME='/usr/share/tomcat/.gitbucket'
+mkdir -p ${GITBUCKET_HOME}
+chown tomcat.tomcat ${GITBUCKET_HOME}
+semanage fcontext -a -t tomcat_var_lib_t "${GITBUCKET_HOME}(/.*)?"
+restorecon -rv ${GITBUCKET_HOME}
+JAVA_CONF='/usr/share/tomcat/.java'
+mkdir -p ${JAVA_CONF}
+chown tomcat.tomcat ${JAVA_CONF}
+semanage fcontext -a -t tomcat_cache_t "${JAVA_CONF}(/.*)?"
+restorecon -rv ${JAVA_CONF}
+~~~

Ignore Space Show notes View contrib/linux/redhat/selinux/sedeploy.sh 0 → 100755

Show line notes below