I'm quite new to Fedora (and SELinux) but I've been using linux for
some time and one of the tools I use more or less daily is the
mercurial scm. I would like to share (read only) versions of some of
the repositories I work on to other members of my group. The
mercurial team provide a script to do this which (when configured via
a simple file) can read the configured repository directories
(scattered about my home directory) and from there generate the web
interface.

Currently this fails, because I have policies configured such that
lighttpd can only read from the public_html directory of home
directories and I would prefer not to have to change things so that it
can read all of my home directory. I would also prefer to avoid the
need to have 2 copies of the repository on the system, one in my home
directory and one somewhere else (say /var/hg ) that I can let
lighttpd read as it desires, since this brings about synchronisation
issues.

I thought a solution might be to write a policy for mercurial so that
all repos are created with a 'mercurial_repo_t' type or similar and
then allow the lighttpd_t context to read them (it can already search
home directories) but I am unsure of how to go about implementing such
a policy, or how it might be done better.

Any advice would be appreciated,
Jon
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12-13-2007, 08:16 PM
Daniel J Walsh
Serving Mercurial Repositories
Jonathan Stott wrote:
> Hi
>
> I'm quite new to Fedora (and SELinux) but I've been using linux for
> some time and one of the tools I use more or less daily is the
> mercurial scm. I would like to share (read only) versions of some of
> the repositories I work on to other members of my group. The
> mercurial team provide a script to do this which (when configured via
> a simple file) can read the configured repository directories
> (scattered about my home directory) and from there generate the web
> interface.
>
> Currently this fails, because I have policies configured such that
> lighttpd can only read from the public_html directory of home
> directories and I would prefer not to have to change things so that it
> can read all of my home directory. I would also prefer to avoid the
> need to have 2 copies of the repository on the system, one in my home
> directory and one somewhere else (say /var/hg ) that I can let
> lighttpd read as it desires, since this brings about synchronisation
> issues.
>
> I thought a solution might be to write a policy for mercurial so that
> all repos are created with a 'mercurial_repo_t' type or similar and
> then allow the lighttpd_t context to read them (it can already search
> home directories) but I am unsure of how to go about implementing such
> a policy, or how it might be done better.
>
> Any advice would be appreciated,
> Jon
Why not just label the directory where you want mercurial to be shared
http_*_content_t, just like public_html?
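One way to apply the labelling suggested in the reply, added here as an example (not code from the thread). It assumes `httpd_sys_content_t` as the concrete content type and a hypothetical repository path; by default it only prints the `semanage` and `restorecon` commands it would run.

```shell
#!/bin/sh
# Added example. Assumed values: TYPE (set it to the type that
# `ls -Zd ~/public_html` reports on your system) and the repository path.
TYPE="${TYPE:-httpd_sys_content_t}"

# Build the regex semanage expects: the directory plus everything below it.
# Regex metacharacters in the path (the "." in "proj.hg") are escaped so the
# rule cannot match sibling paths.
fcontext_regex() {
    dir=${1%/}
    esc=$(printf '%s' "$dir" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    printf '%s(/.*)?' "$esc"
}

# Refuse targets that would expose far more than one repository:
# relative paths, "/", /home, or the whole home directory.
safe_target() {
    case "${1%/}" in
        ""|/home|"${HOME%/}") return 1 ;;
    esac
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print (DRY_RUN=1, the default) or run the two labelling steps.
label_repo() {
    repo=${1%/}
    safe_target "$repo" || { echo "refusing to label: $1" >&2; return 1; }
    pattern=$(fcontext_regex "$repo")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'semanage fcontext -a -t %s "%s"\n' "$TYPE" "$pattern"
        printf 'restorecon -R -v %s\n' "$repo"
    else
        # The fcontext rule is persistent (it survives a relabel, unlike a
        # one-off chcon); restorecon then applies it to the existing files.
        semanage fcontext -a -t "$TYPE" "$pattern" || return 1
        restorecon -R -v "$repo"
    fi
}

if [ $# -gt 0 ]; then label_repo "$1"; fi
```

Run it with `DRY_RUN=0` as root to make the change, then confirm the result with `ls -Zd` on the repository directory.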