[CentOS] Looking for input SELinux/Other & post-commit hooks.

Wed Sep 25 17:47:54 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/25/2013 12:35 PM, James A. Peltier wrote:
> Hi All,
> 
> I'm looking for input as to how I may restrict some post commit hooks by
> way of SELinux or some other mechanism.  Here's a description of the
> problem that I need to solve.
> 
> I have a source code server that support SVN and soon git.  The server has
> no actual users on it and we use CAS with Apache basic authentication to
> authenticate and authorize users access to the repository.  This server
> mounts two NFS shares, one for the mirror environment for HTTP based
> installations and another NFS share for our Puppet environment.  There is a
> corresponding source repository and NFS share for each "user" of the system
> as well as corresponding NFS shares for mirror and puppet.  All the content
> is owned by the user Apache.
> 
> Each time a user commits scripts are run to check this code out of the
> source code server and into a respective
> 
> /mirror/<repotype>/<reponame> /puppet/<repotype>/<reponame>
> 
> But there are other bits of code that the end user would like to also be
> able to run, such as generating group information based on the content of a
> file that was committed manual pruning of some arbitrary data and other
> things that I don't want to account for in code.  Essentially allowing them
> to extend the system further for their needs.
> 
> This means that I need to ensure that a user isn't able to run code like rm
> -rf /etc/password or rm -rf /{mirror,puppet}/* which would essentially ruin
> everyone's data. What I essentially would like to do is ensure that if
> someone were to attempt to run any of the third party code that the
> permissions for that run would be within the context of their own areas so
> that the most damage they could do is wipe out the content of their
> /mirror/<repotype>/<reponame> & /puppet/<repotype>/<reponame> while not
> having to setup and destroy a (potentially) large chroot environment each
> time the script is run.
> 
You can do everything you want EXCEPT, NFS Does not yes support labels.  You
could prevent a user from touch any of the OS files but not from writing to
the nfs shares.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJDIcoACgkQrlYvE4MpobMSNACg4ZT0RnjlQLKEvrKIUy95ZWUO
SWYAn3t5ITDV18XCur7eHCYCti8iOpTh
=UjyT
-----END PGP SIGNATURE-----