List of commits:
Subject Hash Author Date (UTC)
SELinux policy; php-fpm pids, logs and sockets cf7770b2233a216c697e3f340f95960ccfe843cf Catalin(ux) M. BOIE 2017-02-24 21:57:12
Improved testing; add a fetch over git for a private repo 8241de314aff22da494bbd0ed5b1ee2017674c6f Catalin(ux) M. BOIE 2017-02-24 21:52:02
Change caps for some error message; no code changes. aab9ce336362beda61a4470cbd63ccc06778eeb1 Catalin(ux) M. BOIE 2017-02-24 21:48:13
Some clients, for example JGit sends the request gzipped. Deal with it. Thanks Gabi for the report! ea9023af24a172724ec22313c8c0c15cc88f90df Catalin(ux) M. BOIE 2017-02-24 19:47:29
Switch to quotes to be able to use commas; small corrections ab27969287d666d0fb526f7b24b04f65ab7d54f7 Catalin(ux) M. BOIE 2017-02-14 18:28:13
Added more info to comparison and added baloons (Stig suggestion) 07c13312204980b85229acf7f0ab1e3a66aa6677 Catalin(ux) M. BOIE 2017-02-13 18:31:41
Comparison updated based on Stig's help! Thanks! d45c87235c003153b0579d9d875b62a0f6e0f209 Catalin(ux) M. BOIE 2017-02-13 17:54:00
Corrected a ORDER before WHERE affecting the listing of the users in admin section ee889bb3e9fb175af625cc5dab26c079fe6a6108 Catalin(ux) M. BOIE 2017-01-31 18:08:47
Bump version to v0.65 23209e409cae8a83b33b53b3cb3109a63be7bd8c Catalin(ux) M. BOIE 2017-01-30 18:52:26
Updates SELinux policy file fa9d4acd0c6ee730ee45c3e3ab57b55665e74666 Catalin(ux) M. BOIE 2017-01-30 18:51:52
Added credits for TLS setup about perfect forward secrecy 63ff4cf11961421d6f187d2597354d12eff9a810 Catalin(ux) M. BOIE 2017-01-30 18:51:31
Make more clear the text about Enterprise Edition 20a621f3de637975d93cbb260213c2d833a0acab Catalin(ux) M. BOIE 2017-01-30 18:50:50
TODO updates 29e7ddcea2ed6add27a13dfef09c8660d4b3520e Catalin(ux) M. BOIE 2017-01-30 18:49:28
Use IdentitiesOnly when setup SSH config for RocketGit fbd5d71c0341f9187cfd677d2d620749d09c61d6 Catalin(ux) M. BOIE 2017-01-30 18:49:10
Fixed push by HTTP; fixing some tests af00ea421d6eec2877cab0c37f9c492fff3860ec Catalin(ux) M. BOIE 2017-01-30 18:48:19
If user is suspended or deleted, show an error c308a9b435c9e5baa39ac3529c794df227ab9196 Catalin(ux) M. BOIE 2017-01-06 07:12:32
Allow users to delete their account 2a2338aca850737f16febc056c1d248daf935736 Catalin(ux) M. BOIE 2016-12-30 12:49:48
Improved TLS cyphers list for better security 00f1ad9bffc47d0cd786e6caa6f9777fae27b2ff Catalin(ux) M. BOIE 2016-12-30 12:47:54
Corrected the api key mail 3ac431ae8e880ceebc18507383771b23ce5d9b6a Catalin(ux) M. BOIE 2016-12-08 04:20:30
Big Amazon fixes f185636cf44652a2da9779ab21979807b91cf48f Catalin(ux) M. BOIE 2016-12-07 20:38:54
Commit cf7770b2233a216c697e3f340f95960ccfe843cf - SELinux policy; php-fpm pids, logs and sockets
Author: Catalin(ux) M. BOIE
Author date (UTC): 2017-02-24 21:57
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2017-02-24 21:57
Parent(s): 8241de314aff22da494bbd0ed5b1ee2017674c6f
Signing key:
Tree: e67f5688cf9b72f5c6f78d95d0a8f653c23b07e6
File Lines added Lines deleted
rocketgit.spec.in 1 0
samples/php-fpm.conf 1 1
samples/pool.conf 1 1
samples/rg.conf 4 0
samples/rocketgit-fpm.service 1 1
selinux/rocketgit.fc 4 3
selinux/rocketgit.te.tmpl 40 37
File rocketgit.spec.in changed (mode: 100644) (index 9bd6ba1..d71949b)
... ... rm -rf ${RPM_BUILD_ROOT}
105 105 %attr(0700,rocketgit,rocketgit) %dir @VAR_LIB@/@PRJ@/tmp %attr(0700,rocketgit,rocketgit) %dir @VAR_LIB@/@PRJ@/tmp
106 106 %attr(0700,root,root) %dir @VAR_LIB@/@PRJ@/worker %attr(0700,root,root) %dir @VAR_LIB@/@PRJ@/worker
107 107 %attr(0700,root,root) @USR_SBIN@/* %attr(0700,root,root) @USR_SBIN@/*
108 %attr(0700,root,root) @USR_LIB@/*
108 109 @USR_SHARE@/@PRJ@/* @USR_SHARE@/@PRJ@/*
109 110 @USR_SHARE@/selinux/*/@PRJ@.pp @USR_SHARE@/selinux/*/@PRJ@.pp
110 111 %{_unitdir}/*.service %{_unitdir}/*.service
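Review bot: the new `%attr(0700,root,root) @USR_LIB@/*` line is a packaging change the commit message does not mention, and the glob applies root-only 0700 to everything under @USR_LIB@; confirm nothing there has to be readable or executable by the 'rocketgit' user that the .te comments say php-fpm runs as, otherwise it will fail at runtime rather than at install.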
File samples/php-fpm.conf changed (mode: 100644) (index 9b95e2e..d10ccea)
... ... pid = /run/php-fpm/rocketgit.pid
23 23 ; If it's set to "syslog", log is sent to syslogd instead of being written ; If it's set to "syslog", log is sent to syslogd instead of being written
24 24 ; in a local file. ; in a local file.
25 25 ; Default Value: /var/log/php-fpm.log ; Default Value: /var/log/php-fpm.log
26 error_log = /var/log/php-fpm/rocketgit.log
26 error_log = /var/log/php-fpm/rocketgit-error.log
27 27
28 28 ; syslog_facility is used to specify what type of program is logging the ; syslog_facility is used to specify what type of program is logging the
29 29 ; message. This lets syslogd specify that messages from different facilities ; message. This lets syslogd specify that messages from different facilities
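Review bot: the master error_log now lives under /var/log/php-fpm/, a directory the stock apache module normally labels httpd_log_t, while this same patch removes `type httpd_log_t;` from gen_require in rocketgit.te.tmpl and the shown .fc hunk adds no context for rocketgit-error.log. Since the AVC quoted in the .te shows php-fpm running as rocketgit_t, verify the file actually ends up as rocketgit_log_t (add an .fc entry for /var/log/php-fpm/rocketgit-error\.log if not), or the master will be unable to open its log in enforcing mode.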
File samples/pool.conf changed (mode: 100644) (index fff4ea9..5cb76c3)
... ... request_slowlog_timeout = 2s
409 409 ; specified at startup with the -d argument ; specified at startup with the -d argument
410 410 ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
411 411 ;php_flag[display_errors] = off ;php_flag[display_errors] = off
412 php_admin_value[error_log] = /var/log/rocketgit/pool-error.log
412 php_admin_value[error_log] = /var/log/php-fpm/rocketgit-error.log
413 413 php_admin_flag[log_errors] = on php_admin_flag[log_errors] = on
414 414 php_admin_value[memory_limit] = 128M php_admin_value[memory_limit] = 128M
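Review bot: the pool's `php_admin_value[error_log]` now points at the same file as the master `error_log` in samples/php-fpm.conf. The master creates that file as root while the pool workers run as the 'rocketgit' user (see the .te comment "note that it will run as 'rocketgit' user"), so unless the spec's %attr or the pool config makes the file appendable by that user, PHP errors from the workers will be dropped silently. Keeping the previous separate pool log, or explicitly owning the shared file by rocketgit, avoids that.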
File samples/rg.conf changed (mode: 100644) (index 864af17..3ceadf0)
62 62 # Compress # Compress
63 63 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
64 64 DeflateBufferSize 81920 DeflateBufferSize 81920
65
66 <FilesMatch "\.php$">
67 SetHandler "proxy:unix:/run/php-fpm/rocketgit.sock|fcgi://localhost"
68 </FilesMatch>
65 69 </VirtualHost> </VirtualHost>
66 70
67 71 <VirtualHost *:443> <VirtualHost *:443>
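Review bot: the `<FilesMatch "\.php$">` / `SetHandler "proxy:unix:/run/php-fpm/rocketgit.sock|fcgi://localhost"` block is added only inside the first VirtualHost; the trailing context shows `<VirtualHost *:443>` starting right after it and this hunk does not touch it, so PHP requests over TLS would not be handed to php-fpm. Either repeat the block in the 443 vhost or move it outside both. Note also that this handler needs mod_proxy_fcgi loaded and the socket path must match the pool's `listen =` setting, which is not part of this patch.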
File samples/rocketgit-fpm.service changed (mode: 100644) (index 9f7c5c9..fd285d9)
... ... After=syslog.target network.target
12 12
13 13 [Service] [Service]
14 14 Type=notify Type=notify
15 PIDFile=/run/php-fpm/rocketgit-fpm.pid
15 PIDFile=/run/php-fpm/rocketgit.pid
16 16 ExecStart=/usr/sbin/php-fpm --fpm-config /etc/rocketgit/php-fpm.conf ExecStart=/usr/sbin/php-fpm --fpm-config /etc/rocketgit/php-fpm.conf
17 17 ExecReload=/bin/kill -USR2 $MAINPID ExecReload=/bin/kill -USR2 $MAINPID
18 18 PrivateTmp=true PrivateTmp=true
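Review bot: PIDFile now matches `pid = /run/php-fpm/rocketgit.pid` in samples/php-fpm.conf, which is the right fix. But with `Type=notify` php-fpm has to sendto /run/systemd/notify, and the .te hunk in this same commit records exactly that AVC (`comm="php-fpm" path="/run/systemd/notify" ... tclass=unix_dgram_socket`) and then leaves `###kernel_dgram_send(rocketgit_t)` commented out; in enforcing mode systemd will never see READY=1 and the unit start will time out. Either enable the interface or drop back to Type=forking with this PIDFile.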
File selinux/rocketgit.fc changed (mode: 100644) (index 6bbf7df..7222934)
13 13
14 14 /usr/share/rocketgit(/.*)? gen_context(system_u:object_r:rocketgit_usr_t,s0) /usr/share/rocketgit(/.*)? gen_context(system_u:object_r:rocketgit_usr_t,s0)
15 15
16 /usr/share/rocketgit/scripts/worker.* gen_context(system_u:object_r:rocketgit_worker_exec_t,s0)
16 /usr/share/rocketgit/scripts/worker.(sh|php) gen_context(system_u:object_r:rocketgit_worker_exec_t,s0)
17 17 /usr/share/rocketgit/scripts(/.*)? -- gen_context(system_u:object_r:rocketgit_exec_t,s0) /usr/share/rocketgit/scripts(/.*)? -- gen_context(system_u:object_r:rocketgit_exec_t,s0)
18 /usr/share/rocketgit/hooks(/.*)? -- gen_context(system_u:object_r:rocketgit_exec_t,s0)
18 19
19 /usr/lib/systemd/system/rocketgit-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
20 /usr/lib/systemd/system/rocketgit-fpm.service gen_context(system_u:object_r:rocketgit_unit_file_t,s0)
20 21
21 /usr/sbin/rg_authorize gen_context(system_u:object_r:rocketgit_worker_exec_t,s0)
22 /usr/sbin/rg_authorize -- gen_context(system_u:object_r:rocketgit_exec_t,s0)
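Review bot: relabeling /usr/sbin/rg_authorize from rocketgit_worker_exec_t to rocketgit_exec_t changes which domain sshd_t enters when it runs the authorization helper, but none of the .te hunks in this commit show a matching change to the sshd_t transition or entrypoint; confirm rg_authorize still gets a domain transition rather than running unconfined in sshd_t. The tightening of `worker.*` to `worker.(sh|php)` is good (the old regex also matched any worker.log or worker.conf dropped there); the `--` modifier was dropped from the rocketgit-fpm.service entry, which is probably unintended.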
File selinux/rocketgit.te.tmpl changed (mode: 100644) (index 303d90a..b479288)
1 policy_module(rocketgit,1.0.119)
2
3 ########################################
4 #
5 # Declarations
6 #
1 policy_module(rocketgit,1.0.154)
7 2
8 3 gen_require(` gen_require(`
9 # really needed httpd_log_t?
10 4 type httpd_t; type httpd_t;
11 type httpd_log_t;
12 type httpd_unit_file_t;
13 type system_mail_t;
5 type httpd_exec_t;
14 6 type unconfined_t; type unconfined_t;
15 7 role unconfined_r; role unconfined_r;
16 8 type fs_t; type fs_t;
17 9 type sshd_t; type sshd_t;
18 # next are for worker.sh
19 #class dir mounton;
20 #class filesystem { getattr mount unmount };
21 #class capability { setgid setuid sys_admin };
22 10
23 11 @@EXTRA_GEN_REQUIRE@@ @@EXTRA_GEN_REQUIRE@@
24 12 ') ')
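Review bot: adding `type httpd_exec_t;` to gen_require only makes sense if a domain transition from init to rocketgit_t over /usr/sbin/php-fpm (the ExecStart in rocketgit-fpm.service) is declared somewhere, and no hunk in this commit shows one; if it is missing, php-fpm starts in httpd_t and none of the rocketgit_t rules below apply to it. Dropping the unused httpd_log_t, httpd_unit_file_t and system_mail_t requires is fine given the new local rocketgit_unit_file_t type.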
 
... ... corenet_tcp_bind_all_nodes(rocketgit_t)
81 69 ###allow rocketgit_t node_t:tcp_socket node_bind; ###allow rocketgit_t node_t:tcp_socket node_bind;
82 70 sysnet_dns_name_resolve(rocketgit_t) sysnet_dns_name_resolve(rocketgit_t)
83 71
84 # builder.php:
85 #type=AVC msg=audit(1467841975.578:232307): avc: denied { listen } for pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
86 #type=AVC msg=audit(1467841975.808:232308): avc: denied { dac_override } for pid=21319 comm="php" capability=1 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
87 #type=AVC msg=audit(1467841975.809:232309): avc: denied { fowner } for pid=21319 comm="php" capability=3 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
88 #type=AVC msg=audit(1467841975.809:232310): avc: denied { fsetid } for pid=21319 comm="php" capability=4 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
89 #type=AVC msg=audit(1467841975.949:232311): avc: denied { accept } for pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
90 allow rocketgit_t self:capability { dac_override fowner fsetid };
91 allow rocketgit_t self:tcp_socket { accept listen };
72
73 # Allow contacting systemd
74 # type=AVC msg=audit(1485816659.452:676453): avc: denied { sendto } for pid=26711 comm="php-fpm" path="/run/systemd/notify" scontext=system_u:system_r:rocketgit_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
75 ###kernel_dgram_send(rocketgit_t)
76
77 # Allow php-fpm to write its pid
78 ###init_write_pid_socket(rocketgit_t)
92 79
93 80 # Allow basic access to net # Allow basic access to net
94 81 sysnet_read_config(rocketgit_t) sysnet_read_config(rocketgit_t)
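Review bot: `allow rocketgit_t self:capability { dac_override fowner fsetid };` is deleted here but not restored in the "# builder" block at the end of the file, which re-adds only the tcp_socket rule; the AVC comments being removed document that builder.php needed those capabilities, so this looks like an accidental drop (and dac_override in particular should be justified if it is put back). Separately, leaving `###kernel_dgram_send(rocketgit_t)` and `###init_write_pid_socket(rocketgit_t)` commented out directly under the AVC that shows the denial means the notify/pid rules are documented but not enforced.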
 
... ... files_type(rocketgit_usr_t)
104 91 read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
105 92 exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
106 93 list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
107 read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t)
108 94
109 95
110 96 # log files # log files
111 97 type rocketgit_log_t; type rocketgit_log_t;
112 98 files_type(rocketgit_log_t) files_type(rocketgit_log_t)
113 99 manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t) manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
114 # Allow httpd(php-fpm) to create log files - note that it will run as
115 # 'rocketgit' user.
116 manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)
117 100 logging_log_filetrans(rocketgit_t, rocketgit_log_t, file) logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
118 101
119 102
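Review bot: `manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)` grants create, write, rename and unlink on every log file, while the explicit rule added at the end of this patch limits httpd_t to `{ append create getattr open setattr }`; the union is the broad one, so the narrower rule adds nothing. Keep only the append-style allow so the web domain cannot truncate or delete logs. The `read_files_pattern(httpd_t, rocketgit_usr_t, ...)` line likewise duplicates the later `allow httpd_t rocketgit_usr_t:file { getattr open read };`.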
 
... ... type rocketgit_var_t;
122 105 files_type(rocketgit_var_t) files_type(rocketgit_var_t)
123 106 admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t) admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
124 107 filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir }) filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
125 read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
126 list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
127 108
128 109
129 110 # sockets # sockets
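Review bot: the comments throughout this patch describe the target as "httpd(php-fpm)", but the AVC recorded earlier in this file shows php-fpm running as rocketgit_t. If Apache in httpd_t only proxies to the FastCGI socket, it does not need read or list access to rocketgit_var_t at all, and granting it (plus the dir/file write rules at the end of the file) extends repository access to every other application confined as httpd_t on the same host. Clarify which process these httpd_t rules are meant for before merging.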
 
... ... type rocketgit_socket_t;
131 112 files_type(rocketgit_socket_t) files_type(rocketgit_socket_t)
132 113 manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t) manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t)
133 114 filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file) filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file)
134 rw_sock_files_pattern(httpd_t, rocketgit_socket_t, rocketgit_socket_t)
135 # Allow httpd to connect to _domain_ rocketgit_t for event.sock
136 allow httpd_t rocketgit_t:unix_stream_socket connectto;
137 115
138 116
139 117 # locks # locks
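Review bot: `allow httpd_t rocketgit_t:unix_stream_socket connectto;` is added here and again verbatim at the end of the file under "# allow connecting to rocketgit_t domain", and the later `allow httpd_t rocketgit_socket_t:sock_file write;` is a subset of the `rw_sock_files_pattern` added here. Keep one copy of each; duplicates compile but hide what the policy actually grants.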
 
... ... type rocketgit_lock_t;
141 119 files_lock_file(rocketgit_lock_t) files_lock_file(rocketgit_lock_t)
142 120 manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t) manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t)
143 121 filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file) filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file)
144 # we need php-fpm to be able to take locks
145 manage_files_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t)
146 filetrans_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t, file)
147 122
148 123
149 124 # conf # conf
 
... ... type rocketgit_conf_t;
151 126 files_type(rocketgit_conf_t) files_type(rocketgit_conf_t)
152 127 read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t) read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t)
153 128 filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file) filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file)
154 read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t)
155 129
156 130
157 131 # Permit PHP to use nscd socket # Permit PHP to use nscd socket
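Review bot: `read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t)` lets httpd_t read every file of type rocketgit_conf_t, whereas the comment on the equivalent rule at the end of the file says the intent is only "reading /etc/rocketgit/php-fpm.conf", which is read by the php-fpm master at startup rather than by Apache. If only that file is needed, give it its own label or keep the rule in the php-fpm domain; either way, this line and the later `allow httpd_t rocketgit_conf_t:file { getattr open read };` are the same grant twice.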
 
... ... miscfiles_read_localization(rocketgit_t)
189 163 files_list_tmp(rocketgit_t) files_list_tmp(rocketgit_t)
190 164
191 165 # Hugetlbfs (for opcache): # Hugetlbfs (for opcache):
192 # type=AVC msg=audit(1482069602.067:865): avc: denied { read write } for pid=2157 comm="php" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=26965 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
193 166 fs_rw_hugetlbfs_files(rocketgit_t) fs_rw_hugetlbfs_files(rocketgit_t)
194 167 fs_exec_hugetlbfs_files(rocketgit_t) fs_exec_hugetlbfs_files(rocketgit_t)
195 allow rocketgit_t self:process execmem;
196 168
197 169 # worker.sh needs some rights # worker.sh needs some rights
198 170 type rocketgit_worker_t; type rocketgit_worker_t;
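Review bot: `allow rocketgit_t self:process execmem;` is removed here and replaced at the end of the file by `dontaudit rocketgit_t self:process { execmem };`, so execmem goes from allowed to denied-and-silenced while the hugetlbfs rules for opcache stay. Refusing execmem is good hardening, but the original allow sat with the opcache rules, so verify opcache huge code pages still work in enforcing mode; with the dontaudit in place the only sign of breakage will be PHP's own behaviour (use `semodule -DB` temporarily to see the denials while testing).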
 
... ... cron_system_entry(rocketgit_worker_t, rocketgit_worker_exec_t)
222 194 #files_manage_isid_type_symlinks(rocketgit_t) #files_manage_isid_type_symlinks(rocketgit_t)
223 195 #userdom_read_admin_home_files(rocketgit_t) #userdom_read_admin_home_files(rocketgit_t)
224 196 #miscfiles_read_hwdata(rocketgit_t) #miscfiles_read_hwdata(rocketgit_t)
197
198 # Unit file
199 type rocketgit_unit_file_t;
200 systemd_unit_file(rocketgit_unit_file_t)
201
202
203 # php-fpm stuff
204 # allow writing to log files
205 allow httpd_t rocketgit_log_t:file { append create getattr open setattr };
206 # allow using the cache.sock etc.
207 allow httpd_t rocketgit_socket_t:sock_file write;
208 # allow reading /etc/rocketgit/php-fpm.conf
209 allow httpd_t rocketgit_conf_t:file { getattr open read };
210 # allow dealing with repos
211 allow httpd_t rocketgit_var_t:dir { add_name create read remove_name rmdir write };
212 allow httpd_t rocketgit_var_t:file { append create getattr link open read rename setattr unlink write };
213 allow httpd_t rocketgit_var_t:lnk_file { getattr read };
214 # allow git-receive-pack to execute hooks
215 allow httpd_t rocketgit_exec_t:file { getattr ioctl open read };
216 # allow reading /usr/share/rocketgit/{inc,root} files
217 allow httpd_t rocketgit_usr_t:file { getattr open read };
218 # allow connecting to rocketgit_t domain
219 allow httpd_t rocketgit_t:unix_stream_socket connectto;
220
221
222 # Do not polute the logs!
223 dontaudit rocketgit_t self:process { execmem };
224
225
226 # builder
227 allow rocketgit_t self:tcp_socket { accept listen };
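Review bot: `allow httpd_t rocketgit_exec_t:file { getattr ioctl open read };` under "allow git-receive-pack to execute hooks" grants no `execute` or `execute_no_trans`, so hooks labeled rocketgit_exec_t by the new .fc entry can be opened from httpd_t but not run; use `can_exec(httpd_t, rocketgit_exec_t)` or, better, a domain transition into rocketgit_t. The hand-written permission lists for rocketgit_var_t, rocketgit_log_t, rocketgit_socket_t, rocketgit_conf_t and rocketgit_usr_t repeat or widen the pattern macros added earlier in this same patch; pick the macro form (`manage_dirs_pattern`/`manage_files_pattern`) or the explicit form, not both. Minor: "polute" in the comment should be "pollute".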