httpd_git_script_selinux(8)   SELinux Policy httpd_git_script   httpd_git_script_selinux(8)



NAME

       httpd_git_script_selinux - Security Enhanced Linux Policy for the
       httpd_git_script processes


DESCRIPTION

       Security-Enhanced Linux secures the httpd_git_script processes via
       flexible mandatory access control.

       The httpd_git_script processes execute with the httpd_git_script_t
       SELinux type. You can check whether any of these processes are running
       by executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_git_script_t

       Git CGI processes are short-lived, so an empty result does not mean
       the domain transition is broken; confirm that the CGI executable
       carries the httpd_git_script_exec_t type (see FILE CONTEXTS) or look
       for httpd_git_script_t in the audit log instead.


ENTRYPOINTS

       The httpd_git_script_t SELinux type can be entered via the
       httpd_git_script_exec_t and shell_exec_t file types.

       The default entrypoint paths for the httpd_git_script_t domain are the
       following:

       /var/www/git/gitweb.cgi, /var/www/cgi-bin/cgit, /var/www/gitweb-
       caching/gitweb.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /bin/sash,
       /bin/tcsh, /bin/yash, /bin/mksh, /bin/fish, /bin/bash, /bin/bash2,
       /usr/bin/fish, /sbin/nologin, /usr/sbin/sesh, /usr/sbin/smrsh,
       /usr/bin/scponly, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-
       shell, /usr/libexec/git-core/git-shell

       The shell and login-shell paths in this list come from the
       shell_exec_t type, not from Git: shell_exec_t is an entrypoint so that
       a Git CGI program written as a shell script can enter the domain
       through its interpreter. Only the three gitweb/cgit paths are labeled
       httpd_git_script_exec_t.


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd_git_script policy is very flexible, allowing users to set up
       their httpd_git_script processes in as secure a manner as possible.

       The following process types are defined for httpd_git_script:

       httpd_git_script_t

       Note: semanage permissive -a httpd_git_script_t can be used to make the
       process type httpd_git_script_t permissive. SELinux does not deny
       access to permissive process types, but the AVC (SELinux denial)
       messages are still generated. Use this only while diagnosing denials:
       a permissive Git CGI domain may touch anything DAC permits, so remove
       it again with semanage permissive -d httpd_git_script_t once the
       needed booleans or file contexts have been identified.

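       The note above says AVC messages are still generated for a permissive
       domain. The following is an added example in Python (it is not part of
       the generated man page nor of the SELinux reference policy) that picks
       out httpd_git_script_t denials from audit log text, reports whether
       each was actually enforced (permissive=0) or only logged
       (permissive=1), and points at the Git CGI boolean from this page when
       the target type is one those booleans cover. The audit records and the
       mapping from user_home_t, nfs_t and cifs_t to booleans are constructed
       assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample audit records for this example (not captured from a real host).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1433318400.101:201): avc:  denied  { read } for  pid=2345 comm="gitweb.cgi" name="repos" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1433318400.102:202): avc:  denied  { getattr } for  pid=2345 comm="gitweb.cgi" path="/srv/nfs/git/project.git" dev="0:41" ino=77 scontext=system_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1433318400.103:203): avc:  denied  { write } for  pid=2400 comm="httpd" name="cache" dev="dm-0" ino=55 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_git_rw_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1433318400.101:201): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed mapping for the hint column: target types that the Git CGI booleans
# on this page cover. user_home_t, nfs_t and cifs_t are standard policy types,
# but the association is this example's heuristic, not something the page states.
BOOLEAN_HINTS = {
    'user_home_t': 'git_cgi_enable_homedirs',
    'nfs_t': 'git_cgi_use_nfs',
    'cifs_t': 'git_cgi_use_cifs',
}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'stype': type_of(fields.get('scontext', '')),
        'ttype': type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'target': fields.get('path') or fields.get('name'),
        # permissive=1 means the access went through and was only audited
        'permissive': fields.get('permissive') == '1',
    }


def denials_for_domain(audit_text, domain='httpd_git_script_t'):
    """All denied AVC records whose source domain is `domain`, in log order."""
    records = (parse_avc(line) for line in audit_text.splitlines())
    return [r for r in records if r and r['result'] == 'denied' and r['stype'] == domain]


def summarize(records):
    """Aggregate (tclass, target type, permission) with a count, whether any
    instance was actually blocked, and the boolean hint if one applies."""
    counts, blocked = Counter(), set()
    for r in records:
        for perm in r['perms']:
            key = (r['tclass'], r['ttype'], perm)
            counts[key] += 1
            if not r['permissive']:
                blocked.add(key)
    return [
        {'tclass': c, 'ttype': t, 'perm': p, 'count': n,
         'blocked': (c, t, p) in blocked, 'hint': BOOLEAN_HINTS.get(t)}
        for (c, t, p), n in sorted(counts.items())
    ]


if __name__ == '__main__':
    for row in summarize(denials_for_domain(SAMPLE_AUDIT)):
        print(row)
```

       On a real host, feed the function the output of ausearch -m AVC or the
       contents of /var/log/audit/audit.log. A hint is a starting point, not
       a verdict: a denial against user_home_t may just as well mean a
       repository is in the wrong place as that git_cgi_enable_homedirs
       should be turned on.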

BOOLEANS

       SELinux policy is customizable based on least access required.
       httpd_git_script policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run httpd_git_script with
       the tightest access possible.

       Booleans are global: setting one changes what every process in the
       httpd_git_script_t domain may do, not a single virtual host or
       repository. The -P flag makes the change persistent across reboots;
       without it the setting is lost at the next boot. Only the git_cgi_*
       booleans below are specific to this domain; the others are system-wide
       booleans whose rules also affect it.


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow confined applications to run with Kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in FIPS mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow Git CGI to search home directories, you must turn
       on the git_cgi_enable_homedirs boolean. Disabled by default. This
       exposes every repository in a home directory that DAC lets the web
       server read, so keep DAC permissions on home directories tight when
       you enable it.

       setsebool -P git_cgi_enable_homedirs 1


       If you want to allow Git CGI to access CIFS file systems, you must turn
       on the git_cgi_use_cifs boolean. Disabled by default.

       setsebool -P git_cgi_use_cifs 1


       If you want to allow Git CGI to access NFS file systems, you must turn
       on the git_cgi_use_nfs boolean. Disabled by default.

       setsebool -P git_cgi_use_nfs 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow httpd CGI support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default. gitweb and cgit are CGI
       programs, so this boolean gates httpd's ability to run them at all.

       setsebool -P httpd_enable_cgi 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


       If you want to allow unprivileged users to execute DDL statements, you
       must turn on the sepgsql_enable_users_ddl boolean. Enabled by default.

       setsebool -P sepgsql_enable_users_ddl 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


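       As an added example (not from the generated page and not a tool the
       policy ships), the following Python audits a host's boolean state
       against the defaults this page documents for the three git_cgi_*
       booleans plus httpd_enable_cgi, and emits the setsebool -P commands
       that restore that state. The getsebool -a output is constructed for
       the example; on a real host you would pass in the command's actual
       output.

```python
import re

GETSEBOOL_RE = re.compile(r'^\s*(\S+)\s+-->\s+(on|off)\s*$')

# Expected state: the defaults this page lists for the Git CGI booleans, plus
# httpd_enable_cgi, which gitweb/cgit need in order to run as CGI at all.
EXPECTED = {
    'httpd_enable_cgi': True,
    'git_cgi_enable_homedirs': False,
    'git_cgi_use_cifs': False,
    'git_cgi_use_nfs': False,
}

# Constructed `getsebool -a` output for the example (not from a real host):
# someone has turned home-directory access on and CGI off.
SAMPLE_GETSEBOOL = """\
git_cgi_enable_homedirs --> on
git_cgi_use_cifs --> off
git_cgi_use_nfs --> off
httpd_enable_cgi --> off
nscd_use_shm --> on
"""


def parse_getsebool(text):
    """Map boolean name -> True/False from `getsebool -a` style lines.
    Lines that do not look like a boolean report are ignored."""
    state = {}
    for line in text.splitlines():
        m = GETSEBOOL_RE.match(line)
        if m:
            state[m.group(1)] = (m.group(2) == 'on')
    return state


def find_drift(state, expected=EXPECTED):
    """(name, current, expected) for every expected boolean that differs or is
    absent; current is None when the loaded policy does not define it."""
    return [(name, state.get(name), want)
            for name, want in sorted(expected.items())
            if state.get(name) != want]


def remediation(drift):
    """setsebool -P lines that restore the expected state. Booleans the loaded
    policy does not define are skipped, because setsebool would fail on them."""
    return ['setsebool -P %s %d' % (name, int(want))
            for name, have, want in drift if have is not None]


if __name__ == '__main__':
    drift = find_drift(parse_getsebool(SAMPLE_GETSEBOOL))
    for name, have, want in drift:
        print('%s is %s, expected %s' % (name, have, want))
    for cmd in remediation(drift):
        print(cmd)
```

       Booleans in the expected set that the loaded policy does not know are
       reported as drift but get no command, since an unknown boolean is a
       policy version mismatch to investigate rather than a setting to flip.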

MANAGED FILES

       The SELinux process type httpd_git_script_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs DAC
       permission as well: SELinux adds a check, it never grants what the
       discretionary permissions deny.

       httpd_git_rw_content_t

            /var/cache/cgit(/.*)?
            /var/cache/gitweb-caching(/.*)?

       initrc_tmp_t


       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

211

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd_git_script policy is very flexible, allowing users to set
       up their httpd_git_script processes in as secure a manner as possible.

       The following file types are defined for httpd_git_script:


       httpd_git_script_exec_t

       - Set files with the httpd_git_script_exec_t type if you want to
       transition an executable to the httpd_git_script_t domain.


       Paths:
            /var/www/git/gitweb.cgi, /var/www/cgi-bin/cgit, /var/www/gitweb-
            caching/gitweb.cgi


       Note: File context can be temporarily modified with the chcon command.
       A chcon change lives only in the file's extended attribute and is
       undone by the next restorecon or full relabel. If you want to
       permanently change the file context you need to use the semanage
       fcontext command. This will modify the SELinux labeling database. You
       will then need to use restorecon to apply the labels to the existing
       files. A copy of gitweb.cgi or cgit installed outside the paths above
       does not receive httpd_git_script_exec_t and therefore will not
       transition into httpd_git_script_t; depending on the label it does
       get, it runs in another domain or fails to execute, so add a semanage
       fcontext rule for such paths.

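       The note above describes chcon versus semanage fcontext plus
       restorecon. The following added Python example (not the page's code and
       not libselinux) models how file_contexts specifications are matched,
       using the specs listed on this page: each spec is a regular expression
       matched against the whole path, and when several match, the one
       consulted later wins, which is why a local customization recorded by
       semanage fcontext (consulted after the base file) overrides the
       distribution spec. It also shows the checks that usually catch labeling
       mistakes: the (/[^/]*)? suffix on mnt_t covers only one path level, a
       bare /tmp spec labels only the directory (content under it gets its
       label by type transition at creation time, not from a spec), and the
       dot in gitweb.cgi is escaped so that gitwebXcgi does not match. The
       /srv/git/cgi path and its local spec are hypothetical.

```python
import re

# Specs from the FILE CONTEXTS and MANAGED FILES sections of this page as
# (regex, type). Dots are escaped, as a real file_contexts entry must be.
BASE_SPECS = [
    (r'/tmp', 'tmp_t'),
    (r'/var/tmp', 'tmp_t'),
    (r'/usr/tmp', 'tmp_t'),
    (r'/mnt(/[^/]*)?', 'mnt_t'),
    (r'/media(/[^/]*)?', 'mnt_t'),
    (r'/media/\.hal-.*', 'mnt_t'),
    (r'/var/cache/cgit(/.*)?', 'httpd_git_rw_content_t'),
    (r'/var/cache/gitweb-caching(/.*)?', 'httpd_git_rw_content_t'),
    (r'/var/www/git/gitweb\.cgi', 'httpd_git_script_exec_t'),
    (r'/var/www/cgi-bin/cgit', 'httpd_git_script_exec_t'),
    (r'/var/www/gitweb-caching/gitweb\.cgi', 'httpd_git_script_exec_t'),
]

# Hypothetical local customization, i.e. what
#   semanage fcontext -a -t httpd_git_script_exec_t '/srv/git/cgi/.*\.cgi'
# would record; local specs are consulted after the base specs.
LOCAL_SPECS = [
    (r'/srv/git/cgi/.*\.cgi', 'httpd_git_script_exec_t'),
]


def label(path, specs=BASE_SPECS):
    """Type the matcher assigns to `path`, or None when no spec matches.
    Specs are tried from last to first so a later (more local) entry wins."""
    for regex, ftype in reversed(specs):
        if re.fullmatch(regex, path):
            return ftype
    return None


def fcontext_commands(regex, ftype, restore_path):
    """The persistent labeling procedure from the note: record the spec in the
    labeling database, then apply it to the files that already exist."""
    return [
        "semanage fcontext -a -t %s '%s'" % (ftype, regex),
        'restorecon -Rv %s' % restore_path,
    ]


if __name__ == '__main__':
    for p in ['/var/www/git/gitweb.cgi', '/var/www/git/gitwebXcgi',
              '/var/cache/cgit/repos/index.html', '/mnt/usb', '/mnt/usb/deeper',
              '/tmp/x', '/srv/git/cgi/repo.cgi']:
        print(p, label(p), label(p, BASE_SPECS + LOCAL_SPECS))
    print('\n'.join(fcontext_commands(*LOCAL_SPECS[0], '/srv/git/cgi')))
```

       On a real host matchpathcon(8) or restorecon -nv answers the same
       question against the installed policy; this model only applies the
       regexes as written to show which paths they do and do not cover.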

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

259

AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), httpd_git_script(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)



httpd_git_script                   15-06-03        httpd_git_script_selinux(8)