
Can only run git daemon via /usr/bin/git daemon, not /usr/libexec/git-core/git-daemon #2130

Open
maddymeows opened this issue May 19, 2024 · 2 comments


@maddymeows

Given the following systemd unit:

[Unit]
Description=Git Daemon

[Service]
ExecStart=/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --reuseaddr --export-all --verbose
Restart=always
User=git

[Install]
WantedBy=multi-user.target

The following denial gets logged upon running git clone git://localhost/whatever.git:

type=AVC msg=audit(1716141610.662:1855): avc:  denied  { execute_no_trans } for  pid=13923 comm="git-daemon" path="/usr/libexec/git-core/git-daemon" dev="dm-1" ino=201747140 scontext=system_u:system_r:git_system_t:s0 tcontext=system_u:object_r:gitd_exec_t:s0 tclass=file permissive=0

Only when using ExecStart=/usr/bin/git daemon [...] is the git daemon allowed to function.

Fedora's git-daemon package ships with a socket-activated systemd unit that does call /usr/libexec/git-core/git-daemon, which runs fine. However, I'm running it as a regular daemon, can't use the same binary, and must use /usr/bin/git daemon instead.

I would have expected the opposite, if anything.
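As an added illustration (not part of this issue, and not code from the selinux-policy project): a small Python parser that pulls the fields out of the AVC record quoted above and states what an execute_no_trans denial means in SELinux terms, which is the first thing to settle before deciding whether a missing domain transition or a missing in-domain execute rule is the problem. The second record is constructed for this example only, to show the same parser on a socket-class record in permissive mode; it is not taken from the gists linked later in the thread, and the type name example_port_t is a placeholder.

```python
import re
from typing import Any, Dict, List

# The AVC record quoted in this issue (enforcing mode).
AVC_FROM_ISSUE = (
    "type=AVC msg=audit(1716141610.662:1855): avc:  denied  { execute_no_trans } for  "
    'pid=13923 comm="git-daemon" path="/usr/libexec/git-core/git-daemon" dev="dm-1" '
    "ino=201747140 scontext=system_u:system_r:git_system_t:s0 "
    "tcontext=system_u:object_r:gitd_exec_t:s0 tclass=file permissive=0"
)

# Constructed sample (NOT from the issue or its gists): a socket-class record in
# permissive mode, included only to exercise the parser on a different tclass.
# example_port_t is a placeholder type, not a real policy type.
AVC_CONSTRUCTED = (
    "type=AVC msg=audit(1716200000.000:42): avc:  denied  { name_bind } for  "
    'pid=4242 comm="git-daemon" src=9418 scontext=system_u:system_r:git_system_t:s0 '
    "tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=1"
)

# "avc:  denied  { perm1 perm2 } for  " header; permissions sit inside the braces.
_HEAD_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+")
# key=value pairs; values are either double-quoted or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, Any]:
    """Split one AVC record into a dict: decision, perms list, and every key=value pair."""
    head = _HEAD_RE.search(line)
    if head is None:
        raise ValueError("not an AVC record: " + line[:40])
    rec: Dict[str, Any] = {"decision": head.group(1), "perms": head.group(2).split()}
    for key, val in _KV_RE.findall(line[head.end():]):
        rec[key] = val.strip('"')
    # A security context is user:role:type[:level]; the type is what allow rules refer to.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def is_enforced(rec: Dict[str, Any]) -> bool:
    """permissive=0 means the kernel actually blocked the access."""
    return rec.get("permissive") == "0"


def explain(rec: Dict[str, Any]) -> str:
    """Plain-language reading of a denial, with extra detail for execute_no_trans."""
    perms = ", ".join(rec["perms"])
    src, tgt, cls = rec["scontext_type"], rec["tcontext_type"], rec["tclass"]
    mode = "blocked (enforcing)" if is_enforced(rec) else "allowed but logged (permissive)"
    text = f"{rec.get('comm', '?')} in domain {src} was denied {perms} on {cls} of type {tgt}: {mode}."
    if "execute_no_trans" in rec["perms"] and cls == "file":
        text += (
            f" The process exec'd {rec.get('path', '?')} and stayed in {src}: no type_transition"
            f" rule in the loaded policy selected a new domain for {src} executing {tgt}, and"
            f" {src} is not allowed to run files of type {tgt} in its own domain either."
        )
    return text


def summarize(lines: List[str]) -> List[str]:
    """Explain every AVC record in a batch of audit lines, skipping non-AVC lines."""
    return [explain(parse_avc(line)) for line in lines if "avc:" in line]


if __name__ == "__main__":
    sample = [AVC_FROM_ISSUE, AVC_CONSTRUCTED, "type=SYSCALL msg=audit(1:1): arch=c000003e"]
    for msg in summarize(sample):
        print(msg)
```

Lines from /var/log/audit/audit.log or the output of ausearch -m avc can be passed to summarize() as-is; records of other types are ignored. Reading the two context types side by side is what makes the contrast in this issue visible: the socket-activated unit and the ExecStart=/usr/bin/git daemon form are judged by which domain the process lands in and which type the executed file carries, not by the command text in the unit.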

@zpytela
Contributor

zpytela commented Jun 10, 2024

@maddymeows It is not expected to run a service with ExecStart=/usr/bin/git daemon. Can you show the complete configuration needed to run the shipped git service and/or gather all data with full auditing enabled?

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

@maddymeows
Author

On a fresh VM installed via

passfile="$(mktemp)"
echo meow > "$passfile"
sudo virt-install \
  --name git-daemon-selinux-issue \
  --memory 4096 \
  --vcpus 4 \
  --unattended profile=jeos,admin-password-file="$passfile",user-login=ansible,user-password-file="$passfile" \
  --install fedora40 \
  --boot uefi \
  ;

Run the Ansible playbook found at https://gist.github.com/maddymeows/1e518fcccb94436b77bc3215050b4641

Audits on enforcing and permissive are found at https://gist.github.com/maddymeows/ce3806c06282f5a4da6089b6139e9dc6

Interestingly, I get a different denial now (it can't even bind to the port now), but the permissive run still shows the original audit I ran into. Perhaps a boolean I enabled on my production system.

Replacing the unit file to launch with ExecStart=/usr/bin/git daemon [...] produces no audits at all.
