Linux Archive (http://www.linux-archive.org/) > Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/) > User role and transitioning (http://www.linux-archive.org/fedora-selinux-support/631368-user-role-transitioning.html)

Dominick Grift 02-10-2012 06:31 PM

User role and transitioning
 
To be honest though, I never understood what value gitolite adds to
git-shell, git-daemon and a few good git hooks.

https://www.youtube.com/watch?v=vgm89P5nbBQ
https://www.youtube.com/watch?v=XHEPj80217o


On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
> On Fri, 2012-02-10 at 14:06 -0500, Konstantin Ryabitsev wrote:
> > Hi, all:
> >
> > I'm trying to lock down the gitolite user by creating a user role that
> > would be pretty much "guest_u" plus permission to transition to
> > gitosis_t.
> >
>
> This might work:
>
> mkdir ~/mygito; cd ~/mygito;
>
> echo "policy_module(mygito, 1.0.0)" > mygito.te;
> echo "role mygito_r;" >> mygito.te;
> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>
> make -f /usr/share/selinux/devel/Makefile mygito.pp
> sudo semodule -i mygito.pp
>
> useradd -Z mygito_u mygito
> passwd mygito
>
>
> > I've not yet written a user role policy, so I'm not sure where I should
> > start.
> >
> > Best,
>
>


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Konstantin Ryabitsev 02-10-2012 07:16 PM

User role and transitioning
 
On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
> This might work:
>
> mkdir ~/mygito; cd ~/mygito;
>
> echo "policy_module(mygito, 1.0.0)" > mygito.te;
> echo "role mygito_r;" >> mygito.te;
> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>
> make -f /usr/share/selinux/devel/Makefile mygito.pp
> sudo semodule -i mygito.pp

It does, in fact, work. And is simpler than I thought it would be.

Thanks very much!

Best,
--
Konstantin Ryabitsev
Systems Administrator
The Linux Foundation
Montréal, Québec

Konstantin Ryabitsev 02-10-2012 09:00 PM

User role and transitioning
 
On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
> This might work:
>
> mkdir ~/mygito; cd ~/mygito;
>
> echo "policy_module(mygito, 1.0.0)" > mygito.te;
> echo "role mygito_r;" >> mygito.te;
> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>
> make -f /usr/share/selinux/devel/Makefile mygito.pp
> sudo semodule -i mygito.pp
>
> useradd -Z mygito_u mygito
> passwd mygito

Ok, one small addition:

cd /etc/selinux/targeted/contexts/users
sed 's/guest_/mygito_/g' guest_u > mygito_u

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
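The two steps in this thread, Dominick's policy module and Konstantin's contexts/users file, combined into one script with a pre-build check; this is an added example, not a script from the thread, and it assumes the refpolicy devel headers under /usr/share/selinux/devel, the "targeted" policy store and an existing guest_u contexts file to copy from.

```shell
#!/bin/sh
# Added example, not a script from the thread. Builds the "mygito" restricted
# SELinux user described above: a guest-like role that may transition to
# gitosis_t, plus the contexts/users file Konstantin added afterwards.
# Assumptions: refpolicy headers in /usr/share/selinux/devel, the "targeted"
# policy store, and a guest_u file to copy from.
MOD=mygito
VER=1.0.0

# Emit the mygito.te source, one line per statement as in the thread.
gen_te() {
    printf '%s\n' \
        "policy_module($MOD, $VER)" \
        "role ${MOD}_r;" \
        "userdom_restricted_user_template($MOD)" \
        "gitosis_run(${MOD}_t, ${MOD}_r)" \
        "gen_user(${MOD}_u, user, ${MOD}_r, s0, s0)"
}

# Derive the default-context file for mygito_u from guest_u's file ($1),
# so logins via sshd/local_login land in mygito_r:mygito_t instead of guest.
gen_user_contexts() {
    sed "s/guest_/${MOD}_/g" "$1"
}

# Check the generated source before handing it to the build: the role, the
# transition permission and exactly one SELinux user declaration must be there.
check_te() {
    te=$(gen_te)
    printf '%s\n' "$te" | grep -q "^role ${MOD}_r;" || return 1
    printf '%s\n' "$te" | grep -q "^gitosis_run(${MOD}_t, ${MOD}_r)" || return 1
    [ "$(printf '%s\n' "$te" | grep -c '^gen_user(')" -eq 1 ] || return 1
}

# Build and install the module, then create the user (root required).
# The password is left for the admin to set with passwd, as in the thread.
install_module() (
    work=$(mktemp -d) && cd "$work" || exit 1
    check_te || exit 1
    gen_te > "$MOD.te"
    make -f /usr/share/selinux/devel/Makefile "$MOD.pp" || exit 1
    semodule -i "$MOD.pp" || exit 1
    ctx=/etc/selinux/targeted/contexts/users
    gen_user_contexts "$ctx/guest_u" > "$ctx/${MOD}_u"
    useradd -Z "${MOD}_u" "$MOD" || exit 1
    # Verify the SELinux user exists and the Linux login maps to it.
    semanage user -l | grep -q "^${MOD}_u" || exit 1
    semanage login -l | grep -q "^${MOD}[[:space:]]" || exit 1
)
```

Run install_module as root on the target host; the generator and check functions run anywhere and are what to inspect before installing.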

Daniel J Walsh 02-13-2012 03:41 PM

User role and transitioning
 

On 02/10/2012 02:31 PM, Dominick Grift wrote:
> To be honest though, I never understood what value gitolite adds to
> git-shell, git-daemon and a few good git hooks.
>
> https://www.youtube.com/watch?v=vgm89P5nbBQ
> https://www.youtube.com/watch?v=XHEPj80217o
>
>
> On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
>> On Fri, 2012-02-10 at 14:06 -0500, Konstantin Ryabitsev wrote:
>>> Hi, all:
>>>
>>> I'm trying to lock down the gitolite user by creating a user
>>> role that would be pretty much "guest_u" plus permission to
>>> transition to gitosis_t.
>>>
>>
>> This might work:
>>
>> mkdir ~/mygito; cd ~/mygito;
>>
>> echo "policy_module(mygito, 1.0.0)" > mygito.te;
>> echo "role mygito_r;" >> mygito.te;
>> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
>> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
>> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>>
>> make -f /usr/share/selinux/devel/Makefile mygito.pp
>> sudo semodule -i mygito.pp
>>
>> useradd -Z mygito_u mygito
>> passwd mygito
>>
>>
>>> I've not yet written a user role policy, so I'm not sure where
>>> I should start.
>>>
>>> Best,
>>
>>
>
>


Looks like a good subject for a blog...

