12-13-2007, 02:51 PM
"Jonathan Stott"

Serving Mercurial Repositories

Hi

I'm quite new to Fedora (and SELinux) but I've been using linux for
some time and one of the tools I use more or less daily is the
mercurial scm. I would like to share (read only) versions of some of
the repositories I work on to other members of my group. The
mercurial team provide a script to do this which (when configured via
a simple file) can read the configured repository directories
(scattered about my home directory) and from there generate the web
interface.

Currently this fails, because I have policies configured such that
lighttpd can only read from the public_html directory of home
directories and I would prefer not to have to change things so that it
can read all of my home directory. I would also prefer to avoid the
need to have 2 copies of the repository on the system, one in my home
directory and one somewhere else (say /var/hg ) that I can let
lighttpd read as it desires, since this brings about synchronisation
issues.

I thought a solution might be to write a policy for mercurial so that
all repos are created with a 'mercurial_repo_t' type or similar and
then allow the lighttpd_t context to read them (it can already search
home directories) but I am unsure of how to go about implementing such
a policy, or how it might be done better.

Any advice would be appreciated,
Jon

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-13-2007, 08:16 PM
Daniel J Walsh

Serving Mercurial Repositories

Jonathan Stott wrote:
> Hi
>
> I'm quite new to Fedora (and SELinux) but I've been using linux for
> some time and one of the tools I use more or less daily is the
> mercurial scm. I would like to share (read only) versions of some of
> the repositories I work on to other members of my group. The
> mercurial team provide a script to do this which (when configured via
> a simple file) can read the configured repository directories
> (scattered about my home directory) and from there generate the web
> interface.
>
> Currently this fails, because I have policies configured such that
> lighttpd can only read from the public_html directory of home
> directories and I would prefer not to have to change things so that it
> can read all of my home directory. I would also prefer to avoid the
> need to have 2 copies of the repository on the system, one in my home
> directory and one somewhere else (say /var/hg ) that I can let
> lighttpd read as it desires, since this brings about synchronisation
> issues.
>
> I thought a solution might be to write a policy for mercurial so that
> all repos are created with a 'mercurial_repo_t' type or similar and
> then allow the lighttpd_t context to read them (it can already search
> home directories) but I am unsure of how to go about implementing such
> a policy, or how it might be done better.
>
> Any advice would be appreciated,
> Jon

Why not just label the directory where you want mercurial to be shared
http_*_content_t

Just like public_html

 
12-13-2007, 09:06 PM
"Jonathan Stott"

Serving Mercurial Repositories

... that would probably work well, yes.

And would also easily work should I switch to Apache (or something else) later.

If I am reading the docs correctly once I have set this on the
directory, any subsequent files created in there would gain the right
label?

Regards,
Jonathan

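
The labelling approach suggested in the thread, as an added shell example that is not part of the original posts. The reply names the type only as http_*_content_t; the concrete type httpd_sys_content_t, the path /home/jon/hg and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: httpd_sys_content_t as the
# concrete read-only web content type; /home/jon/hg is a constructed path.
CONTENT_TYPE=${CONTENT_TYPE:-httpd_sys_content_t}

# Accept only an absolute path that is neither $HOME nor one of its parents,
# so the web server never gains read access to the whole home directory.
check_share_dir() {
    dir=${1%/}
    case "$dir" in
        /*) ;;                               # absolute paths only
        *)  return 1 ;;
    esac
    case "$dir" in
        */..|*/../*|*/.|*/./*) return 1 ;;   # no "." or ".." components
    esac
    case "${HOME%/}/" in
        "$dir"/*) return 1 ;;                # $HOME itself or one of its parents
    esac
    return 0
}

# semanage file-context specs are regular expressions: escape metacharacters
# in the path, then match the directory and everything beneath it.
fcontext_pattern() {
    esc=$(printf '%s\n' "${1%/}" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    printf '%s(/.*)?\n' "$esc"
}

# Run as root on an SELinux-enabled host.
apply_label() {
    check_share_dir "$1" || { echo "refusing to label $1" >&2; return 1; }
    # Record the rule in the local policy so the label survives a relabel.
    semanage fcontext -a -t "$CONTENT_TYPE" "$(fcontext_pattern "$1")" || return 1
    # Apply it to what is already there. Files created inside afterwards
    # inherit the directory's type; files moved in with mv keep the label
    # they had until restorecon is run again.
    restorecon -Rv "${1%/}" || return 1
    ls -dZ "${1%/}"                          # show the resulting context
}

# Usage: sh label-share.sh /home/jon/hg
[ $# -eq 0 ] || apply_label "$1"
```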
 
