selinux settings for script run by apache to pull git repo

iblamefish asked:

I have a web server running apache under CentOS which as selinux enabled. I have a separate server which has gitlab running.

I’m trying to create a workflow using gitlab’s web hooks so that when code is pushed to git, gitlab will request a page on my production server which will then pull the latest version of the code.

The script is all running fine, but selinux is not allowing git pull to run from the script. It fails with exit code 128.

Simplified PHP script

$data = json_decode(file_get_contents("php://input"));
exec('./.hooks/ ' . $data->repository->url);

Simplified bash script

if [ "$#" -ne 1]; then
  echo "Repo URL must be provided"

cd $TMP
$GIT clone $1 || echo "git clone failed with exit code $?"

I have already discovered that httpd_can_network_connect was set to off, so I’ve turned that on. If I disable selinux, everything works fine, so I know that there is something getting in the way here. The script works fine when run manually.

Looking at audit.log, I see this line appear when git clone is run (put in multiple lines here for readability)

type=AVC msg=audit(1420243675.063:1041): avc:  denied  { search } for  pid=4376 comm="ssh" name="apache" dev=dm-2 ino=133906 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1420243675.063:1041): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9e4e4380 a1=0 a2=1b6 a3=0 items=0 ppid=4375 pid=4376 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Are there any other selinux booleans which I can set to allow httpd to use ssh? Can I modify the file tags to enable it to run ssh?

Thanks 🙂

My answer:

Running the AVC through audit2allow gives the following notice:

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_read_user_content, httpd_enable_homedirs

In this case, httpd_read_user_content will be the appropriate one to use.

Note that it’s a good idea to set SELinux to permissive so that you can collect all of the AVCs at once. This way you generally need to go through one iteration of setting booleans and possibly a custom policy, rather than several iterations.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.