redmine_git_hosting
Here is a patch to allow this plugin to work with selinux
I realize that we got off on the wrong foot. You have a great plugin.
Attached is a patch for the 0.4.2 release that allows selinux support. I've given some pretty complete documentation, as well as a rakefile for setup. The bulk of the support is in a selinux subdirectory and in the tasks/selinux.rake file. The only substantive changes are that I've moved binaries to a bin directory in the plugin root and prevented modification of gitUser and ssh key directories in the settings page (but only when selinux is operational). The lock file and other tmp file functionality is still in /tmp as before (although I've put them in a /tmp/redmine_git_hosting/git_user subdirectory to handle the case in which there are multiple redmine distributions with multiple gitolite repositories on the same machine, which is my use case).
I've updated the README.mkd file with a new selinux section.
Note that there is one new locale string added to warn users that they cannot change those settings. It appears that all of the locales are in English except for the Portuguese ones? At any rate, you might check my translation in pt.yml and pt-BR.yml, since I don't really know Portuguese.
I hope that you will take this. It seems to work fine and might help users who are working in a selinux environment. Note that the rakefile will actually handle multiple, complete redmine + redmine_git_hosting installations simply by typing something like:
rake RAILS_ENV=production ROOT_PATTERN="/source/.*/redmine" selinux:install
p.s. I believe that I have all of the selinux use-cases covered, but just in case I left the redmine_git_hosting binaries running in a permissive environment for now (this can be fixed by commenting out the line near the top of selinux/redmine_git.te).
Patch follows (actually -- turned this into a pull request as #103, feel free to close this issue after reading). Let me know if you want this in a different way:
diff --git a/vendor/plugins/redmine_git_hosting/.gitignore b/vendor/plugins/redmine_git_hosting/.gitignore
new file mode 100755
index 0000000..5412c5a
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/.gitignore
@@ -0,0 +1,3 @@
+.*.swp
+bin/
+selinux/tmp/
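Review bot: `.*.swp` in the new .gitignore is an editor artifact that belongs in a personal global excludes file rather than in the plugin's ignore list; `bin/` and `selinux/tmp/` are the right entries, since both are generated by the selinux rake task described in the README hunk.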
diff --git a/vendor/plugins/redmine_git_hosting/README.mkd b/vendor/plugins/redmine_git_hosting/README.mkd
index 945b9cf..dfae035 100755
--- a/vendor/plugins/redmine_git_hosting/README.mkd
+++ b/vendor/plugins/redmine_git_hosting/README.mkd
@@ -246,6 +246,44 @@ This library allows you to quickly deploy ChiliProject, with this plugin to an u
chili\_test.sh script, modifying the variables in those scripts as desired. This library is still under development,
so these instructions may need to be updated in the near future.
+## Selinux Configuration for redmine
+
+This plugin can be configured to run with selinux. We have included a rakefile in tasks/selinux.rake to assist
+with installing with selinux. You should start by editing init.rb and migrating as described above. Then, you
+can execute one of the selinux rake tasks (from the redmine root). For instance, the simplest option installs
+a selinux configuration for both redmine and the redmine_git_hosting plugin:
+
+ rake selinux:install RAILS_ENV=production
+
+This will generate the redmine_git_hosting binaries in ./bin, install a selinux policy for these binaries (called
+redmine_git.pp), then install a complete context for redmine as follows:
+
+**(1)** Most of redmine will be marked with "public_content_rw_t".
+
+**(2)** The dispatch files in Rails.root/public/dispatch.* will be marked with "httpd_sys_script_exec_t"
+
+**(3)** The redmine_git_hosting binaries in Rails.root/vendor/plugins/redmine_git_hosting/bin will be labeled
+with "httpd_redmine_git_script_exec_t", which has been crafted to allow the sudo behavior required by these
+binaries.
+
+Note that this rake file has additional options. For instance, you can specify redmine roots with regular
+expressions (not globbed expessions!) as follows (notice the use of double quotes):
+
+ rake selinux:install RAILS_ENV=production ROOT_PATTERN="/source/.*/redmine"
+
+These additional options are documented in the selinux.rake file.
+
+Once this plugin is placed under selinux control, three of the redmine_git_hosting settings can
+no longer be modified from the settings page. They are: 'gitUser', 'gitoliteIdentityFile', and
+'gitoliteIdentityPublicKeyFile'. The plugin settings page will make this clear. The simplest way to
+modify these options is to temporarily place your system into permissive mode, refresh the setting page,
+change options, then place your system back into enforcing mode. Alternatively, you can alter the init.rb
+file and reinstall the plugin. Under normal operation, you will get one selinux complaint about /bin/touch
+in your log each time that you visit the plugin settings page.
+
+This rakefile and selinux configuration has been primarily tested on Redhat Enterprise Linux version 6.x
+with apache and fcgi. Other configurations may require slight tweaking.
+
## Tested Configurations
This plugin has been primarily tested on Ubuntu Server 10.10 and 11.04 (32 and 64 bit) with ChiliProject v1.x,
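Review bot: item (1) labels most of the Redmine tree public_content_rw_t, a type meant for content that services may write; applied to application code and config it means httpd's write access to those files is governed only by the httpd write booleans, not by the label. Consider restricting the rw label to the directories Redmine actually writes (files/, log/, tmp/) and leaving the rest read-only, or at least state the trade-off in this section. The sentence about a /bin/touch denial in the log on every settings-page visit documents an expected, recurring AVC; either add a dontaudit rule for it to redmine_git.te or explain what the touch is for, because a known-harmless denial that fires on every page view teaches admins to ignore the audit log. Two typos: "expessions" should be "expressions" and "Redhat" is "Red Hat".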
diff --git a/vendor/plugins/redmine_git_hosting/app/models/git_hosting_settings_observer.rb b/vendor/plugins/redmine_git_hosting/app/models/git_hosting_settings_observer.rb
index fee8d8a..fcd16e9 100644
--- a/vendor/plugins/redmine_git_hosting/app/models/git_hosting_settings_observer.rb
+++ b/vendor/plugins/redmine_git_hosting/app/models/git_hosting_settings_observer.rb
@@ -5,6 +5,8 @@ class GitHostingSettingsObserver < ActiveRecord::Observer
@@old_hook_asynch = Setting.plugin_redmine_git_hosting['gitHooksAreAsynchronous']
@@old_http_server = Setting.plugin_redmine_git_hosting['httpServer']
@@old_git_user = Setting.plugin_redmine_git_hosting['gitUser']
+ @@old_gitolite_identity = Setting.plugin_redmine_git_hosting['gitoliteIdentityFile']
+ @@old_gitolite_publickey = Setting.plugin_redmine_git_hosting['gitoliteIdentityPublicKeyFile']
@@old_repo_base = Setting.plugin_redmine_git_hosting['gitRepositoryBasePath']
@@ -14,12 +16,25 @@ class GitHostingSettingsObserver < ActiveRecord::Observer
end
end
-
-
+ def before_save(object)
+ if object.name == "plugin_redmine_git_hosting" && !GitHosting.bin_dir_writeable?
+ # If bin directory not alterable, don't alow changes to
+ # Git Username, or Gitolite public or private keys
+ valuehash = object.value
+ valuehash['gitUser'] = @@old_git_user
+ valuehash['gitoliteIdentityFile'] = @@old_gitolite_identity
+ valuehash['gitoliteIdentityPublicKeyFile'] = @@old_gitolite_publickey
+ object.value = valuehash
+ end
+ end
+
def after_save(object)
if object.name == "plugin_redmine_git_hosting"
- %x[ rm -rf '#{ GitHosting.get_tmp_dir }' ]
+ if GitHosting.bin_dir_writeable?
+ %x[ rm -rf '#{ GitHosting.get_tmp_dir }' ]
+ %x[ rm -rf '#{ GitHosting.get_bin_dir }' ]
+ end
if @@old_repo_base != object.value['gitRepositoryBasePath']
GitHostingObserver.set_update_active(false)
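Review bot: before_save silently replaces the submitted gitUser and key-file values with the cached ones, so an admin who edits those fields gets a successful save with the edit dropped; the label in the view hints at it, but a flash message or at least a log line here would make the enforcement visible. Also, `%x[ rm -rf '#{ GitHosting.get_tmp_dir }' ]` now interpolates a path whose last component is the gitUser setting into a single-quoted shell argument, so a value containing a quote breaks the quoting and changes what gets removed; `FileUtils.rm_rf(GitHosting.get_tmp_dir)` and `FileUtils.rm_rf(GitHosting.get_bin_dir)` do the same work with no shell involved. Typo in the comment: "alow".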
@@ -49,6 +64,8 @@ class GitHostingSettingsObserver < ActiveRecord::Observer
@@old_hook_asynch = object.value['gitHooksAreAsynchronous']
@@old_http_server = object.value['httpServer']
@@old_git_user = object.value['gitUser']
+ @@old_gitolite_identity = object.value['gitoliteIdentityFile']
+ @@old_gitolite_publickey = object.value['gitoliteIdentityPublicKeyFile']
@@old_repo_base = object.value['gitRepositoryBasePath']
end
diff --git a/vendor/plugins/redmine_git_hosting/app/views/settings/_redmine_git_hosting.html.erb b/vendor/plugins/redmine_git_hosting/app/views/settings/_redmine_git_hosting.html.erb
index c6b1e77..3e226fa 100644
--- a/vendor/plugins/redmine_git_hosting/app/views/settings/_redmine_git_hosting.html.erb
+++ b/vendor/plugins/redmine_git_hosting/app/views/settings/_redmine_git_hosting.html.erb
@@ -26,19 +26,19 @@
<br />
</p>
<p>
- <label><%= l(:label_git_user)%></label>
+ <label><%= l(:label_git_user) %><%= "<em><br /> [ #{l(:label_cannot_change_selinux)} ]</br>" if !GitHosting.bin_dir_writeable? :reset %></label>
<%= text_field_tag("settings[gitUser]", @settings['gitUser'].split(/[\r\n\t ,;]+/).join("\n"), :size => 60) %>
<br />
</p>
<p>
- <label><%= l(:label_gitolite_identity_file)%></label>
+ <label><%= l(:label_gitolite_identity_file) %><%= "<em><br /> [ #{l(:label_cannot_change_selinux)} ]</br>" if !GitHosting.bin_dir_writeable? %></label>
<%= text_field_tag("settings[gitoliteIdentityFile]", @settings['gitoliteIdentityFile'], :size => 60) %>
<br />
</p>
<p>
- <label><%= l(:label_gitolite_identity_public_key_file)%></label>
+ <label><%= l(:label_gitolite_identity_public_key_file) %><%= "<em><br /> [ #{l(:label_cannot_change_selinux)} ]</br>" if !GitHosting.bin_dir_writeable? %></label>
<%= text_field_tag("settings[gitoliteIdentityPublicKeyFile]", @settings['gitoliteIdentityPublicKeyFile'], :size => 60) %>
<br />
</p>
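Review bot: on the gitUser label, `if !GitHosting.bin_dir_writeable? :reset` passes `:reset` as an argument to bin_dir_writeable?, while the other two labels call it with no arguments; unless the method accepts a parameter this raises ArgumentError when the settings page renders, and it looks like a leftover. The inline markup also opens `<em>` without closing it and uses `</br>`, which is not a valid tag; `<em><br />[ #{l(:label_cannot_change_selinux)} ]</em>` would do. Finally, since before_save discards edits to these three fields under selinux, pass `:disabled => true` to the three text_field_tag calls under the same condition so the form matches what the server will accept.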
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/bg.yml b/vendor/plugins/redmine_git_hosting/config/locales/bg.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/bg.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/bg.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/bs.yml b/vendor/plugins/redmine_git_hosting/config/locales/bs.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/bs.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/bs.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/ca.yml b/vendor/plugins/redmine_git_hosting/config/locales/ca.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/ca.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/ca.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/cs.yml b/vendor/plugins/redmine_git_hosting/config/locales/cs.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/cs.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/cs.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/da.yml b/vendor/plugins/redmine_git_hosting/config/locales/da.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/da.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/da.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/de.yml b/vendor/plugins/redmine_git_hosting/config/locales/de.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/de.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/de.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/el.yml b/vendor/plugins/redmine_git_hosting/config/locales/el.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/el.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/el.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/en.yml b/vendor/plugins/redmine_git_hosting/config/locales/en.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/en.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/en.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
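Review bot: the identical English string is added to every other locale file in this patch, which is consistent with their current state: the neighbouring labels in those files are already untranslated English, so this adds no new inconsistency. The label is displayed inside the `[ ... ]` brackets the view wraps around it, so keep it short as it is; "SELinux" is the project's own capitalization if these labels are ever revised.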
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/es.yml b/vendor/plugins/redmine_git_hosting/config/locales/es.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/es.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/es.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/fi.yml b/vendor/plugins/redmine_git_hosting/config/locales/fi.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/fi.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/fi.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/fr.yml b/vendor/plugins/redmine_git_hosting/config/locales/fr.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/fr.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/fr.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/gl.yml b/vendor/plugins/redmine_git_hosting/config/locales/gl.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/gl.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/gl.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/he.yml b/vendor/plugins/redmine_git_hosting/config/locales/he.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/he.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/he.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/hu.yml b/vendor/plugins/redmine_git_hosting/config/locales/hu.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/hu.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/hu.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/id.yml b/vendor/plugins/redmine_git_hosting/config/locales/id.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/id.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/id.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/it.yml b/vendor/plugins/redmine_git_hosting/config/locales/it.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/it.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/it.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/ja.yml b/vendor/plugins/redmine_git_hosting/config/locales/ja.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/ja.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/ja.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/ko.yml b/vendor/plugins/redmine_git_hosting/config/locales/ko.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/ko.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/ko.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/lt.yml b/vendor/plugins/redmine_git_hosting/config/locales/lt.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/lt.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/lt.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/nl.yml b/vendor/plugins/redmine_git_hosting/config/locales/nl.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/nl.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/nl.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/no.yml b/vendor/plugins/redmine_git_hosting/config/locales/no.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/no.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/no.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/pl.yml b/vendor/plugins/redmine_git_hosting/config/locales/pl.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/pl.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/pl.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/pt-BR.yml b/vendor/plugins/redmine_git_hosting/config/locales/pt-BR.yml
index 90c31bf..e9989cd 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/pt-BR.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/pt-BR.yml
@@ -7,6 +7,7 @@ pt-BR:
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Ficheiro de identidade SSH Gitolite (Chave Privada)
label_git_repository_base_path: 'Directório Git base (Relativo à "home" do utilizador git)'
+ label_cannot_change_selinux: 'não pode ser mudada (selinux)'
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/pt.yml b/vendor/plugins/redmine_git_hosting/config/locales/pt.yml
index dc5f5f1..f6db9e3 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/pt.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/pt.yml
@@ -7,6 +7,7 @@ pt:
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Ficheiro de identidade SSH Gitolite (Chave Privada)
label_git_repository_base_path: 'Directório Git base (Relativo à "home" do utilizador git)'
+ label_cannot_change_selinux: 'não pode ser mudada (selinux)'
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
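Review bot: 'não pode ser mudada (selinux)' is understandable, but it is the only label in the file that starts in lower case, and "alterada" is the verb usually used for settings; 'Não pode ser alterada com SELinux' keeps the capitalization of the other labels and matches the English wording more closely. The same string was added to pt-BR.yml above, so apply the same change there.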
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/ro.yml b/vendor/plugins/redmine_git_hosting/config/locales/ro.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/ro.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/ro.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/ru.yml b/vendor/plugins/redmine_git_hosting/config/locales/ru.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/ru.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/ru.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/sk.yml b/vendor/plugins/redmine_git_hosting/config/locales/sk.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/sk.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/sk.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/sl.yml b/vendor/plugins/redmine_git_hosting/config/locales/sl.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/sl.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/sl.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/sr.yml b/vendor/plugins/redmine_git_hosting/config/locales/sr.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/sr.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/sr.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/sv.yml b/vendor/plugins/redmine_git_hosting/config/locales/sv.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/sv.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/sv.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/th.yml b/vendor/plugins/redmine_git_hosting/config/locales/th.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/th.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/th.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/tr.yml b/vendor/plugins/redmine_git_hosting/config/locales/tr.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/tr.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/tr.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/uk.yml b/vendor/plugins/redmine_git_hosting/config/locales/uk.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/uk.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/uk.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/vi.yml b/vendor/plugins/redmine_git_hosting/config/locales/vi.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/vi.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/vi.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/zh-TW.yml b/vendor/plugins/redmine_git_hosting/config/locales/zh-TW.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/zh-TW.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/zh-TW.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/config/locales/zh.yml b/vendor/plugins/redmine_git_hosting/config/locales/zh.yml
index 2ce8a46..723401c 100644
--- a/vendor/plugins/redmine_git_hosting/config/locales/zh.yml
+++ b/vendor/plugins/redmine_git_hosting/config/locales/zh.yml
@@ -7,6 +7,7 @@
label_gitolite_identity_public_key_file: Gitolite SSH Identity File (Public Key)
label_gitolite_identity_file: Gitolite SSH Identity File (Private Key)
label_git_repository_base_path: Git Repository Base Path (Relative to git user home)
+ label_cannot_change_selinux: Cannot be changed under selinux
field_git_daemon: Git Daemon
field_git_http: Git Smart HTTP
diff --git a/vendor/plugins/redmine_git_hosting/lib/git_hosting.rb b/vendor/plugins/redmine_git_hosting/lib/git_hosting.rb
index 8bcea34..07aa7e0 100755
--- a/vendor/plugins/redmine_git_hosting/lib/git_hosting.rb
+++ b/vendor/plugins/redmine_git_hosting/lib/git_hosting.rb
@@ -23,6 +23,10 @@ module GitHosting
return @@web_user
end
+ def self.web_user=(setuser)
+ @@web_user = setuser
+ end
+
def self.git_user
Setting.plugin_redmine_git_hosting['gitUser']
end
@@ -92,7 +96,7 @@ module GitHosting
@@sudo_web_to_git_user_stamp = Time.new
return @@sudo_web_to_git_user_cached
end
- test = %x[sudo -nu #{git_user} echo "yes"]
+ test = %x[#{GitHosting.git_user_runner} echo "yes"]
if test.match(/yes/)
@@sudo_web_to_git_user_cached = true
@@sudo_web_to_git_user_stamp = Time.new
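Review bot: replacing the direct `sudo -nu #{git_user}` probe with `#{GitHosting.git_user_runner} echo "yes"` makes this check depend on the generated runner script already existing in the bin directory; if it has not been written yet (fresh install, or the rake task not run under selinux) the backtick returns an empty string and the result is cached as false until the stamp expires, with nothing logged. Consider checking `File.executable?(git_user_runner_path)` first and logging a clear message when the runner is missing, so the failure is distinguishable from a genuine sudo misconfiguration.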
@@ -146,7 +150,7 @@ module GitHosting
end
end
def self.get_tmp_dir
- @@git_hosting_tmp_dir ||= File.join(Dir.tmpdir, "redmine_git_hosting")
+ @@git_hosting_tmp_dir ||= File.join(Dir.tmpdir, "redmine_git_hosting", "#{git_user}")
if !File.directory?(@@git_hosting_tmp_dir)
%x[mkdir -p "#{@@git_hosting_tmp_dir}"]
%x[chmod 700 "#{@@git_hosting_tmp_dir}"]
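Review bot: `git_user` comes from plugin settings and is now interpolated into the tmp path and then into the `mkdir -p "..."` and `chmod 700 "..."` shell commands without escaping, so a value containing a quote or `$` would break out of the double quotes. Use `FileUtils.mkdir_p` and `File.chmod(0700, ...)` instead of shelling out, and `File.join(Dir.tmpdir, "redmine_git_hosting", git_user)` (the `"#{git_user}"` wrapper is redundant).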
@@ -154,17 +158,51 @@ module GitHosting
end
return @@git_hosting_tmp_dir
end
+ def self.get_bin_dir
+ @@git_hosting_bin_dir ||=
+ Rails.root.join("vendor/plugins/redmine_git_hosting/bin")
+ if !File.directory?(@@git_hosting_bin_dir)
+ logger.error "Creating bin directory: #{@@git_hosting_bin_dir}, Owner #{web_user}"
+ %x[mkdir -p "#{@@git_hosting_bin_dir}"]
+ %x[chmod 750 "#{@@git_hosting_bin_dir}"]
+ %x[chown #{web_user} "#{@@git_hosting_bin_dir}"]
+ end
+ if !File.directory?(@@git_hosting_bin_dir)
+ logger.error "Cannot create bin directory: #{@@git_hosting_bin_dir}"
+ end
+ return @@git_hosting_bin_dir
+ end
-
+ @@git_bin_dir_writeable = nil
+ def self.bin_dir_writeable?(*option)
+ @@git_bin_dir_writeable = nil if option.length > 0 && option[0] == :reset
+ if @@git_bin_dir_writeable == nil
+ mybindir = get_bin_dir
+ mytestfile = "#{mybindir}/writecheck"
+ if (!File.directory?(mybindir))
+ @@git_bin_dir_writeable = false
+ else
+ %x[touch "#{mytestfile}"]
+ if (!File.exists?("#{mytestfile}"))
+ @@git_bin_dir_writeable = false
+ else
+ %x[rm "#{mytestfile}"]
+ @@git_bin_dir_writeable = true
+ end
+ end
+ end
+ @@git_bin_dir_writeable
+ end
def self.git_exec_path
- return File.join(get_tmp_dir(), "run_git_as_git_user")
+ return File.join(get_bin_dir(), "run_git_as_git_user")
end
+
def self.gitolite_ssh_path
- return File.join(get_tmp_dir(), "gitolite_admin_ssh")
+ return File.join(get_bin_dir(), "gitolite_admin_ssh")
end
def self.git_user_runner_path
- return File.join(get_tmp_dir(), "run_as_git_user")
+ return File.join(get_bin_dir(), "run_as_git_user")
end
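Review bot: `bin_dir_writeable?` shells out to `touch` and `rm` to probe writability, which is the source of the per-visit `/bin/touch` AVC the selinux README tells users to expect; doing the probe in Ruby (`File.open(mytestfile, "w") {}` in a begin/rescue, then `File.delete`) avoids spawning a separate executable under the script domain and removes that noise. In `get_bin_dir`, the "Creating bin directory" message is informational and should be `logger.info`, not `logger.error`, and the `chown #{web_user}` via `%x[]` will fail silently whenever the process is not root (i.e. every call from the web app rather than the rake task), so either guard it with a uid check or log the failure. Also `File.exists?` is deprecated in favour of `File.exist?`.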
@@ -189,7 +227,7 @@ module GitHosting
def self.update_git_exec
- logger.info "Setting up #{get_tmp_dir()}"
+ logger.info "Setting up #{get_bin_dir()}"
gitolite_key=Setting.plugin_redmine_git_hosting['gitoliteIdentityFile']
File.open(gitolite_ssh_path(), "w") do |f|
@@ -211,8 +249,6 @@ module GitHosting
sudo_version = 100*100*(split_version[0].to_i) + 100*(split_version[1].to_i) + split_version[2].to_i
sudo_version_switch = (100*100*1) + (100 * 7) + 3
-
-
File.open(git_exec_path(), "w") do |f|
f.puts '#!/bin/sh'
f.puts "if [ \"\$(whoami)\" = \"#{git_user}\" ] ; then"
@@ -251,14 +287,10 @@ module GitHosting
f.puts '}'
end if !File.exists?(git_user_runner_path())
-
-
File.chmod(0550, git_exec_path())
File.chmod(0550, gitolite_ssh_path())
File.chmod(0550, git_user_runner_path())
-
-
-
+ %x[chown #{web_user} -R "#{@@git_hosting_bin_dir}"]
end
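Review bot: `%x[chown #{web_user} -R "#{@@git_hosting_bin_dir}"]` reads the class variable directly instead of calling `get_bin_dir()`, and its exit status is ignored; since `chown` only succeeds when the caller is root (the rake install path), a failure from the web process passes unnoticed and the bin directory is left owned by whoever wrote it. Prefer `FileUtils.chown_R(web_user, nil, get_bin_dir)` wrapped in a rescue that logs the error, and keep the conventional `chown -R user dir` argument order.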
@@ -291,7 +323,7 @@ module GitHosting
# clone/pull from admin repo
local_dir = get_tmp_dir()
if File.exists? "#{local_dir}/gitolite-admin"
- logger.info "Fethcing changes for #{local_dir}/gitolite-admin"
+ logger.info "Fetching changes for #{local_dir}/gitolite-admin"
%x[env GIT_SSH=#{gitolite_ssh()} git --git-dir='#{local_dir}/gitolite-admin/.git' --work-tree='#{local_dir}/gitolite-admin' fetch]
%x[env GIT_SSH=#{gitolite_ssh()} git --git-dir='#{local_dir}/gitolite-admin/.git' --work-tree='#{local_dir}/gitolite-admin' merge FETCH_HEAD]
else
diff --git a/vendor/plugins/redmine_git_hosting/selinux/README b/vendor/plugins/redmine_git_hosting/selinux/README
new file mode 100644
index 0000000..a877fb2
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/selinux/README
@@ -0,0 +1,67 @@
+This directory contains a selinux policy crafted to cover the sudo and
+ssh scripts for the redmine_git_hosting plugin. In it, we define a new
+httpd-compatible type, "httpd_redmine_git_script_exec_t" which can be
+placed on the redmine_git_hosting/bin directory to allow sudo access
+from redmine code. The basic assumption is that scripts placed into
+this directory will be called from context "httpd_script_t" (i.e
+redmine).
+
+Once this plugin is placed under selinux control, three of the
+redmine_git_hosting settings can no longer be modified from the
+settings page. They are: 'gitUser', 'gitoliteIdentityFile', and
+'gitoliteIdentityPublicKeyFile'. The plugin settings page will make
+this clear. The simplest way to modify these options is to
+temporarily place your system into permissive mode, refresh the
+setting page, change options, then place your system back into
+enforcing mode. Alternatively, you can alter the init.rb file and
+reinstall the plugin. Under normal operation, you will get one
+selinux complaint about /bin/touch in your log each time that you
+visit the plugin settings page.
+
+******************* INSTALLATION AND SETUP *************************
+Note that the redmine_git_hosting/bin directory must be constructed
+statically so that it can be labeled. You can do this with a series
+of rake tasks at the top-level of the redmine directory (after fixing
+up the defaults in the redmine_git_hosting init.rb file):
+
+ # Build bin directory with customized scripts for redmine_git_hosting,
+ # install new selinux policy, and install complete selinux context for
+ # redmine+this plugin:
+
+ rake selinux:install RAILS_ENV=production
+
+Since redmine doesn't currently have a selinux install option, this
+installation command is only available for this plugin. What this
+will do is label the whole redmine site with "public_content_rw_t",
+with the exception of the "dispatch*" files in public (set to
+"httpd_script_exec_t") and the scripts in redmine_git_hosting/bin (set
+to "httpd_redmine_git_script_exec_t").
+
+If you happen to have multiple redmine installations, you can use a
+regular expression to describe the redmine root directories (this will
+translate into file context descriptions). For instance, if you have
+multiple redmine installations in directories whose paths start with
+"/source" and end with "redmine" you can use (notice the use of
+double-quotes!):
+
+ rake selinux:install RAILS_ENV=production ROOT_PATTERN="/source/.*/redmine"
+
+Somewhat less far-reaching options include:
+
+ # Build bin directory with customized scripts for redmine_git_hosting,
+ # install new selinux policy, and install selinux context for
+ # the redmine_git_hosting plugin
+
+ rake selinux:redmine_git_hosting:install
+
+Finally, for those who are hand-crafting their own file context:
+
+ # Build bin directory with customized scripts for redmine_git_hosting
+ # and install new selinux policy. No file contexts will be
+ # installed (so that you must do customization afterwards).
+
+ rake selinux:redmine_git_hosting:install_scripts_and_policy
+
+
+
+
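Review bot: the README presents the "one selinux complaint about /bin/touch" on every settings page visit as normal operation; that denial comes from the writability probe in git_hosting.rb shelling out to `touch`, so it would be better to fix the probe than to document the noise, since users are otherwise trained to ignore AVCs from this domain. Minor: "i.e" should be "i.e.", and the file ends with four trailing blank lines.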
diff --git a/vendor/plugins/redmine_git_hosting/selinux/redmine_git.fc b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.fc
new file mode 100644
index 0000000..7924d24
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.fc
@@ -0,0 +1,9 @@
+# We do not install contexts as part of the policy, since it is likely
+# to be overridden by the local policy for parent directories. The rakefile
+# ( ../tasks/selinux.rake) will install file contexts "manually".
+#
+# If you really want to install a file context, uncomment the following
+# and rerun the install script or rake task
+#
+# /.*/redmine/vendor/plugins/redmine_git_hosting/bin(/.*)? httpd_redmine_git_script_exec_t
+
diff --git a/vendor/plugins/redmine_git_hosting/selinux/redmine_git.if b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.if
new file mode 100644
index 0000000..f5e66e4
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.if
@@ -0,0 +1,131 @@
+
+## <summary>policy for httpd_redmine_git_script</summary>
+
+
+########################################
+## <summary>
+## Execute a domain transition to run httpd_redmine_git_script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`httpd_redmine_git_script_domtrans',`
+ gen_require(`
+ type httpd_redmine_git_script_t, httpd_redmine_git_script_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_redmine_git_script_exec_t, httpd_redmine_git_script_t)
+')
+
+
+########################################
+## <summary>
+## Search httpd_redmine_git_script rw directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`httpd_redmine_git_script_search_rw_dir',`
+ gen_require(`
+ type httpd_redmine_git_script_rw_t;
+ ')
+
+ allow $1 httpd_redmine_git_script_rw_t:dir search_dir_perms;
+ files_search_rw($1)
+')
+
+########################################
+## <summary>
+## Read httpd_redmine_git_script rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`httpd_redmine_git_script_read_rw_files',`
+ gen_require(`
+ type httpd_redmine_git_script_rw_t;
+ ')
+
+ allow $1 httpd_redmine_git_script_rw_t:file r_file_perms;
+ allow $1 httpd_redmine_git_script_rw_t:dir list_dir_perms;
+ files_search_rw($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## httpd_redmine_git_script rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`httpd_redmine_git_script_manage_rw_files',`
+ gen_require(`
+ type httpd_redmine_git_script_rw_t;
+ ')
+
+ manage_files_pattern($1, httpd_redmine_git_script_rw_t, httpd_redmine_git_script_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## httpd_redmine_git_script rw dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`httpd_redmine_git_script_manage_rw_dirs',`
+ gen_require(`
+ type httpd_redmine_git_script_rw_t;
+ ')
+
+ manage_dirs_pattern($1, httpd_redmine_git_script_rw_t, httpd_redmine_git_script_rw_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an httpd_redmine_git_script environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`httpd_redmine_git_script_admin',`
+ gen_require(`
+ type httpd_redmine_git_script_t;
+ type httpd_redmine_git_script_rw_t;
+ ')
+
+ allow $1 httpd_redmine_git_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_redmine_git_script_t)
+
+ files_search_etc($1)
+ admin_pattern($1, httpd_redmine_git_script_rw_t)
+
+')
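Review bot: of the six interfaces defined here only `httpd_redmine_git_script_domtrans` is called by the shipped redmine_git.te; the `_rw_` and `_admin` interfaces (the latter grants `ptrace` and `signal_perms` over the script domain) are generator boilerplate. Either document that they are provided for local policy authors or drop them so the interface file matches what the plugin actually needs.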
diff --git a/vendor/plugins/redmine_git_hosting/selinux/redmine_git.pp b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.pp
new file mode 100644
index 0000000..bfe21e6
Binary files /dev/null and b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.pp differ
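Review bot: redmine_git.pp is a compiled module built against the refpolicy headers on your machine, and redmine_git.sh already rebuilds it from the .te with `make -f /usr/share/selinux/devel/Makefile`; checking the binary in means other distributions or policy versions get a stale or incompatible module that `semodule -i` may reject. Add it to .gitignore and treat it as a build artifact.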
diff --git a/vendor/plugins/redmine_git_hosting/selinux/redmine_git.sh b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.sh
new file mode 100755
index 0000000..0a6beae
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+ if [ "$1" = "--update" ] ; then
+ time=`ls -l --time-style="+%x %X" redmine_git.te | awk '{ printf "%s %s", $6, $7 }'`
+ rules=`ausearch --start $time -m avc --raw -se redmine_git`
+ if [ x"$rules" != "x" ] ; then
+ echo "Found avc's to update policy with"
+ echo -e "$rules" | audit2allow -R
+ echo "Do you want these changes added to policy [y/n]?"
+ read ANS
+ if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+ echo "Updating policy"
+ echo -e "$rules" | audit2allow -R >> redmine_git.te
+ # Fall though and rebuild policy
+ else
+ exit 0
+ fi
+ else
+ echo "No new avcs found"
+ exit 0
+ fi
+ else
+ echo -e $USAGE
+ exit 1
+ fi
+elif [ $# -ge 2 ] ; then
+ echo -e $USAGE
+ exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile
+/usr/sbin/semodule -i redmine_git.pp
+
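Review bot: the script is `#!/bin/sh` but uses `echo -e`, which is not POSIX and prints a literal `-e` under dash, so the usage message and the `$rules` piped into audit2allow are wrong on Debian-family systems; use `printf '%s\n'` instead. `dirname $0` and `cd $DIRNAME` should be quoted, and `ausearch --start $time` relies on the unquoted expansion splitting into the separate date and time arguments ausearch expects, which deserves a comment. Appending `audit2allow -R` output straight onto redmine_git.te after a y/n prompt means every denial becomes a permanent allow rule in the shipped policy; writing the generated rules to a separate local .te (or at least to a clearly marked section) keeps the hand-written policy reviewable.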
diff --git a/vendor/plugins/redmine_git_hosting/selinux/redmine_git.te b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.te
new file mode 100644
index 0000000..54b0a7a
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/selinux/redmine_git.te
@@ -0,0 +1,69 @@
+policy_module(redmine_git,1.0.0)
+
+########################################
+#
+# Declarations
+#
+require {
+ type httpd_t, httpd_sys_script_t, httpd_sys_script_exec_t;
+ type sudo_db_t;
+ type httpd_redmine_git_script_t;
+ class process { setrlimit setfscreate };
+ class netlink_route_socket { write getattr read bind create nlmsg_read };
+ class capability { setuid sys_resource setgid };
+ class dir { getattr search write};
+}
+
+apache_content_template(redmine_git)
+
+permissive httpd_redmine_git_script_t;
+
+########################################
+#
+# httpd_redmine_git_script local policy
+#
+########################################
+
+manage_dirs_pattern(httpd_redmine_git_script_t, httpd_redmine_git_script_rw_t, httpd_redmine_git_script_rw_t)
+manage_files_pattern(httpd_redmine_git_script_t, httpd_redmine_git_script_rw_t, httpd_redmine_git_script_rw_t)
+
+domain_use_interactive_fds(httpd_redmine_git_script_t)
+
+files_read_etc_files(httpd_redmine_git_script_t)
+
+miscfiles_read_localization(httpd_redmine_git_script_t)
+
+# Allow our scripts to be called by redmine/apache
+httpd_redmine_git_script_domtrans(httpd_sys_script_t)
+
+# Allow us to access to rest of redmine site
+miscfiles_read_public_files(httpd_redmine_git_script_t)
+miscfiles_manage_public_files(httpd_redmine_git_script_t)
+
+#============= httpd_redmine_git_script_t ==============
+#Specific capabilities identified by audit2allow
+
+allow httpd_redmine_git_script_t self:capability audit_write;
+allow httpd_redmine_git_script_t self:capability { setuid sys_resource setgid };
+allow httpd_redmine_git_script_t self:key write;
+allow httpd_redmine_git_script_t self:netlink_audit_socket { write nlmsg_relay create read };
+allow httpd_redmine_git_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow httpd_redmine_git_script_t self:process setrlimit;
+allow httpd_redmine_git_script_t sudo_db_t:dir { getattr search };
+
+gitosis_read_lib_files(httpd_redmine_git_script_t)
+gitosis_manage_lib_files(httpd_redmine_git_script_t)
+
+httpd_rw_stream_sockets(httpd_redmine_git_script_t)
+kernel_read_kernel_sysctls(httpd_redmine_git_script_t)
+logging_send_syslog_msg(httpd_redmine_git_script_t)
+
+# These seem to be needed for ssh.... Not sure why ssh needs
+# to read and/or validate contexts...
+allow httpd_redmine_git_script_t self:process setfscreate;
+miscfiles_manage_cert_dirs(httpd_redmine_git_script_t)
+miscfiles_manage_cert_files(httpd_redmine_git_script_t)
+selinux_load_policy(httpd_redmine_git_script_t)
+selinux_validate_context(httpd_redmine_git_script_t)
+seutil_read_file_contexts(httpd_redmine_git_script_t)
+seutil_search_default_contexts(httpd_redmine_git_script_t)
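Review bot: `selinux_load_policy(httpd_redmine_git_script_t)` gives a domain reachable from the web server the ability to load SELinux policy, which defeats the point of confining it; ssh does not need this, and the "not sure why" comment suggests it was lifted from audit2allow output for an access that should be a dontaudit instead (similarly `miscfiles_manage_cert_dirs`/`miscfiles_manage_cert_files` let the scripts modify the system certificate store, where read access should suffice). Separately, `permissive httpd_redmine_git_script_t;` means none of the rules below are enforced for the new domain, so the README claim that the plugin is "under selinux control" is not yet true; if the module ships permissive, say so in the README. Minor: the `require` block lists `httpd_redmine_git_script_t`, which `apache_content_template(redmine_git)` declares in this same module, and `miscfiles_manage_public_files` grants write access to every `public_content_rw_t` file, i.e. the whole redmine tree as labelled by the rake task.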
diff --git a/vendor/plugins/redmine_git_hosting/tasks/selinux.rake b/vendor/plugins/redmine_git_hosting/tasks/selinux.rake
new file mode 100644
index 0000000..92e1e4c
--- /dev/null
+++ b/vendor/plugins/redmine_git_hosting/tasks/selinux.rake
@@ -0,0 +1,273 @@
+################################################################################
+# Rakefile for selinux installation for Redmine+Redmine_Git_Hosting Plugin #
+# #
+# This rakefile provides a variety of options for configuring the selinux #
+# context for Redmine + Redmine_Git_Hosting Plugin. In addition to the usual #
+# environment variables (such as RAIL_ENV), this rakefile has one additional #
+# variable, ROOT_PATTERN. ROOT_PATTERN holds an optional regular expression #
+# (not globbed filename) which describes the possible root locations for #
+# redmine installations; note that such patterns must be quoted to avoid #
+# attempts by the shell to expand them. If undefined, the rakefile will use #
+# the Rails.root for the local installation. #
+# #
+# TOP-LEVEL TARGETS: #
+# #
+# These commands should be executed after altering the init.rb file as #
+# described in the README.mkb file. Each target type comes in both "install" #
+# and "remove" versions. In the following, the environment variables are #
+# optional (of course). Default for ROOT_PATTERN is Rails.root #
+# #
+# 1) Build bin directory with customized scripts for redmine_git_hosting, #
+# install new selinux policy, and install complete selinux context for #
+# redmine+redmine_git_hosting plugin #
+# #
+# rake selinux:install RAILS_ENV=xxx ROOT_PATTERN="yyy" #
+# rake selinux:remove RAILS_ENV=xxx ROOT_PATTERN="yyy" #
+# #
+# 2) Build bin directory with customized scripts for redmine_git_hosting, #
+# install new selinux policy, and install selinux context for #
+# redmine_git_hosting plugin (not for complete redmine installation). This #
+# option assumes that the redmine installation (and plugin) code are #
+# already labeled as "public_content_rw_t" except for dispatch.* files #
+# which should be labeled as "httpd_sys_script_exec_t". #
+# #
+# rake selinux:redmine_git_hosting:install RAILS_ENV=xxx ROOT_PATTERN="yyy" #
+# rake selinux:redmine_git_hosting:remove RAILS_ENV=xxx ROOT_PATTERN="yyy" #
+# #
+# 3) Build bin directory with customized scripts for redmine_git_hosting and #
+# install new selinux policy. Do not install file contexts of any sort. #
+# Proper labeling (done in some other way) should have all of redmine #
+# (including plugins) labeled as "public_content_rw_t", with the exception #
+# of public/dispatch.* (which should be labeled "httpd_sys_script_exec_t") #
+# and vendor/plugins/redmine_git_hosting/bin(/.*) which should be labeled #
+# with the new label "httpd_redmine_git_script_exec_t". #
+# #
+# rake selinux:redmine_git_hosting:install_scripts_and_policy RAILS_ENV=xxx ROOT_PATTERN="yyy"
+# rake selinux:redmine_git_hosting:remove_scripts_and_policy RAILS_ENV=xxx ROOT_PATTERN="yyy"
+# #
+################################################################################
+
+namespace :selinux do
+ desc "Configure selinux for Redmine and Redmine_Git_Hosting plugin"
+ task :install => [:environment,:install_contexts,"selinux:redmine_git_hosting:install"] do
+ end
+
+ desc "Unconfigure selinux for Redmine and Redmine_Git_Hosting plugin"
+ task :remove => [:environment,"selinux:redmine_git_hosting:remove",:remove_contexts] do
+ end
+
+ desc "Install selinux file contexts for redmine (without plugins)"
+ task :install_contexts => [:environment] do
+ roots = redmine_roots
+ root_pattern = redmine_root_pattern
+ puts "[Installing file contexts for redmine:"
+
+ sh "semanage fcontext -a -t public_content_rw_t \"#{root_pattern}(/.*)?\""
+ sh "semanage fcontext -a -t httpd_sys_script_exec_t \"#{root_pattern}/public/dispatch.*\""
+
+ roots.each do |path|
+ puts "Setting new context for redmine root instance at #{path}."
+ sh "restorecon -R -p #{path}"
+ end
+ puts "DONE.]"
+ end
+
+ desc "Remove selinux file contexts for redmine (without plugins)"
+ task :remove_contexts => [:environment] do
+ roots = redmine_roots
+ root_pattern = redmine_root_pattern
+ puts "[Removing file contexts for redmine (ignoring errors):"
+
+ sh "semanage fcontext -d \"#{root_pattern}(/.*)?\""
+ sh "semanage fcontext -d \"#{root_pattern}/public/dispatch.*\""
+
+ roots.each do |path|
+ puts "Setting new context for redmine root instance at #{path}."
+ sh "restorecon -R -p #{path}"
+ end
+ puts "DONE.]"
+ end
+
+ namespace :redmine_git_hosting do
+ desc "Install scripts, policy, and file context for redmine_git_hosting plugin."
+ task :install => [:environment,:install_scripts,:install_policy,:install_contexts] do
+ end
+
+ desc "Remove scripts, policy, and file context for redmine_git_hosting plugin."
+ task :remove => [:environment,:remove_contexts,:remove_policy,:remove_scripts] do
+ end
+
+ desc "Install scripts and policy for redmine_git_hosting plugin."
+ task :install_scripts_and_policy => [:environment,:install_scripts,:install_policy] do
+ end
+
+ desc "Remove scripts and policy for redmine_git_hosting plugin."
+ task :remove_scripts_and_policy => [:environment,:remove_policy,:remove_scripts] do
+ end
+
+ desc "Generate and install redmine_git_hosting shell scripts."
+ task :install_scripts => [:environment] do
+ puts "[Generating and installing redmine_git_hosting shell scripts:"
+
+ plugin_roots = redmine_roots("vendor/plugins/redmine_git_hosting")
+ plugin_roots.each do |path|
+ if path != "#{Rails.root}/vendor/plugins/redmine_git_hosting"
+ # Have to call another rails environment. Keep default root in that environment
+ chdir File.expand_path("#{path}/../../..") do
+ print %x[rake selinux:redmine_git_hosting:install_scripts_helper]
+ end
+ else
+ Rake::Task["selinux:redmine_git_hosting:install_scripts_helper"].invoke
+ end
+ end
+ puts "DONE.]"
+ end
+
+ desc "Helper function for generating and installing redmine_git_hosting shell scripts."
+ task :install_scripts_helper => [:environment] do
+ web_program = ENV['HTTPD'] || 'httpd'
+ web_user = ENV['WEB_USER'] || %x[ps aux | grep #{web_program} | sed "s/ .*$//" | sort -u | grep -v `whoami`].split("\n")[0]
+ GitHosting.web_user = web_user
+
+ # Helper only executed in local environment
+ path = "#{Rails.root}/vendor/plugins/redmine_git_hosting"
+ print "Clearing out #{path}/bin directory..."
+ %x[rm -rf "#{path}/bin"]
+ puts "Success!"
+ print "Writing customized scripts to #{path}/bin directory..."
+ GitHosting.update_git_exec
+ puts "Success!"
+ end
+
+ desc "Remove redmine_git_hosting shell scripts."
+ task :remove_scripts => [:environment] do
+ puts "[Deleting redmine_git_hosting shell scripts:"
+ plugin_roots = redmine_roots("vendor/plugins/redmine_git_hosting")
+ plugin_roots.each do |path|
+ sh "rm -rf #{path}/bin"
+ puts "Success!"
+ end
+ puts "DONE.]"
+ end
+
+ desc "Install selinux tags and policy for redmine_git_hosting."
+ task :install_policy => [:environment] do
+ puts "[Installing selinux tags and policy for redmine_git_hosting:"
+ plugin_roots = redmine_roots("vendor/plugins/redmine_git_hosting")
+
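Review bot: `install_scripts_helper` derives the web user from `ps aux | grep #{web_program} | ... | grep -v \`whoami\``, which requires httpd to be running at install time, matches any process name containing "httpd", and yields an empty string otherwise; `GitHosting.web_user=` then accepts that empty value and the later `chown` runs with no user. Fail the task with a clear message when `web_user` is nil or empty, and document `WEB_USER` and `HTTPD` as the supported overrides. `semanage fcontext -a` also errors when an identical rule already exists, so a second `selinux:install` aborts; handle that (or use `-m`), and in `remove_contexts` the message "ignoring errors" does not match `sh`, which raises on a non-zero exit unless given a block. The `puts "Setting new context..."` in `remove_contexts` is copy-pasted from the install task, and the paths passed to `restorecon -R -p #{path}` and `rm -rf #{path}/bin` should be quoted.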
I've turned this into a pull request to make it easier.