|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
If you use SELinux, you need to ensure that the httpd_enable_cgi boolean is
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
set properly. This can be done via the command line, e.g.:
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9c9db9d |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
# setsebool -P httpd_enable_cgi 1
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9c9db9d |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
Or you can use the graphical tool system-config-selinux, via System ->
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
Administration -> SELinux Management on the Gnome menu.
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9c9db9d |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
Additionally, the git repositories need to be readable by the cgi. This is
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
handled automatically for repositories in the default path, /var/lib/git. If
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
your repositories are in a different path, /srv/git, for example, you can set
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
the proper context using semanage:
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9c9db9d |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9eedf28 |
# semanage fcontext -a -t git_sys_content_t "/srv/git(/.*)?"
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9c9db9d |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
If you have other confined daemons that need to access the git repositories,
|
|
![](https://seccdn.libravatar.org/avatar/219f9bf30f9ca27aa762cba0a6e978dee6e8a75de544b477b9c7a1d1b67e5178?s=16&d=retro) |
a9267ec |
you may want to use public_content_t, or public_content_rw_t instead.
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
9c9db9d |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
Then use restorecon to update the contexts:
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
|
|
![](https://seccdn.libravatar.org/avatar/0ad6185a6acbd9fd4210c6d874b857b118e6373ea6e5fd3b56af40662c3a000b?s=16&d=retro) |
d082d58 |
# restorecon -RF /srv/git
|