02-10-2012, 06:31 PM
Dominick Grift

User role and transitioning

To be honest though I never understood what value gitolite adds to
git-shell, git-daemon and a few good git hooks.

https://www.youtube.com/watch?v=vgm89P5nbBQ
https://www.youtube.com/watch?v=XHEPj80217o


On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
> On Fri, 2012-02-10 at 14:06 -0500, Konstantin Ryabitsev wrote:
> > Hi, all:
> >
> > I'm trying to lock down the gitolite user by creating a user role that
> > would be pretty much "guest_u" plus permission to transition to
> > gitosis_t.
> >
>
> This might work:
>
> mkdir ~/mygito; cd ~/mygito;
>
> echo "policy_module(mygito, 1.0.0)" > mygito.te;
> echo "role mygito_r;" >> mygito.te;
> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>
> make -f /usr/share/selinux/devel/Makefile mygito.pp
> sudo semodule -i mygito.pp
>
> useradd -Z mygito_u mygito
> passwd mygito
>
>
> > I've not yet written a user role policy, so I'm not sure where I should
> > start.
> >
> > Best,
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-10-2012, 07:16 PM
Konstantin Ryabitsev

User role and transitioning

On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
> This might work:
>
> mkdir ~/mygito; cd ~/mygito;
>
> echo "policy_module(mygito, 1.0.0)" > mygito.te;
> echo "role mygito_r;" >> mygito.te;
> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>
> make -f /usr/share/selinux/devel/Makefile mygito.pp
> sudo semodule -i mygito.pp

It does, in fact, work. And is simpler than I thought it would be.

Thanks very much!

Best,
--
Konstantin Ryabitsev
Systems Administrator
The Linux Foundation
Montréal, Québec
 
02-10-2012, 09:00 PM
Konstantin Ryabitsev

User role and transitioning

On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
> This might work:
>
> mkdir ~/mygito; cd ~/mygito;
>
> echo "policy_module(mygito, 1.0.0)" > mygito.te;
> echo "role mygito_r;" >> mygito.te;
> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>
> make -f /usr/share/selinux/devel/Makefile mygito.pp
> sudo semodule -i mygito.pp
>
> useradd -Z mygito_u mygito
> passwd mygito

Ok, one small addition:

cd /etc/selinux/targeted/contexts/users
sed 's/guest_/mygito_/g' guest_u > mygito_u

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
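
The steps from this thread collected into one script, as an added example that is not part of any poster's message: it stages the module source and the per-user default-contexts file in a scratch directory and checks that every entry maps to the new role before anything is installed. The function names, the prefix validation and the sample guest_u content are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: stage the files for a confined login user without touching
# the live policy. Function names and the sample data are illustrative.
export LC_ALL=C

# Constructed sample of a guest_u default-contexts file (login domain -> user context).
SAMPLE_GUEST_U='system_r:local_login_t:s0 guest_r:guest_t:s0
system_r:sshd_t:s0 guest_r:guest_t:s0
guest_r:guest_t:s0 guest_r:guest_t:s0'

# gen_te NAME: print the five policy lines from the thread for prefix NAME.
# Only plain identifiers may reach the policy source.
gen_te() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_]*) echo "invalid prefix: $1" >&2; return 1 ;;
    esac
    cat <<EOF
policy_module($1, 1.0.0)
role ${1}_r;
userdom_restricted_user_template($1)
gitosis_run(${1}_t, ${1}_r)
gen_user(${1}_u, user, ${1}_r, s0, s0)
EOF
}

# gen_contexts NAME: stdin is guest_u, stdout is the NAME_u file (the sed from the thread).
gen_contexts() { sed "s/guest_/${1}_/g"; }

# check_contexts NAME: fail unless every entry lands in NAME_r:NAME_t.
check_contexts() {
    awk -v p="$1" 'NF && $2 !~ ("^" p "_r:" p "_t:") { bad = 1 } END { exit bad + 0 }'
}

# stage NAME OUTDIR < guest_u: write NAME.te and NAME_u into OUTDIR, then verify.
stage() {
    te=$(gen_te "$1") || return 1
    printf '%s\n' "$te" > "$2/$1.te"
    gen_contexts "$1" > "$2/${1}_u"
    check_contexts "$1" < "$2/${1}_u"
}

# Afterwards, as in the thread (needs root and the selinux devel Makefile):
#   make -f /usr/share/selinux/devel/Makefile NAME.pp && semodule -i NAME.pp
#   copy NAME_u into /etc/selinux/targeted/contexts/users/, then useradd -Z NAME_u NAME
```
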
 
02-13-2012, 03:41 PM
Daniel J Walsh

User role and transitioning

On 02/10/2012 02:31 PM, Dominick Grift wrote:
> To be honest though I never understood what value gitolite adds to
> git-shell, git-daemon and a few good git hooks.
>
> https://www.youtube.com/watch?v=vgm89P5nbBQ
> https://www.youtube.com/watch?v=XHEPj80217o
>
>
> On Fri, 2012-02-10 at 20:18 +0100, Dominick Grift wrote:
>> On Fri, 2012-02-10 at 14:06 -0500, Konstantin Ryabitsev wrote:
>>> Hi, all:
>>>
>>> I'm trying to lock down the gitolite user by creating a user
>>> role that would be pretty much "guest_u" plus permission to
>>> transition to gitosis_t.
>>>
>>
>> This might work:
>>
>> mkdir ~/mygito; cd ~/mygito;
>>
>> echo "policy_module(mygito, 1.0.0)" > mygito.te;
>> echo "role mygito_r;" >> mygito.te;
>> echo "userdom_restricted_user_template(mygito)" >> mygito.te;
>> echo "gitosis_run(mygito_t, mygito_r)" >> mygito.te;
>> echo "gen_user(mygito_u, user, mygito_r, s0, s0)" >> mygito.te;
>>
>> make -f /usr/share/selinux/devel/Makefile mygito.pp
>> sudo semodule -i mygito.pp
>>
>> useradd -Z mygito_u mygito
>> passwd mygito
>>
>>
>>> I've not yet written a user role policy, so I'm not sure where
>>> I should start.
>>>
>>> Best,
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Looks like a good subject for a blog...