Knowledge Base (Posts about hook)https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Tue, 17 May 2022 12:45:35 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssGit hook post-receive run restoreconhttps://bgstack15.ddns.net/blog/posts/2022/05/17/git-hoook-post-receive-run-restorecon/bgstack15<p>I use <a href="https://git.zx2c4.com/cgit/about/">cgit</a> for myself, which is available at <a href="https://bgstack15.ddns.net/cgit/">/cgit</a>. I wrote about it previously about a year ago:</p> <ul> <li><a href="https://bgstack15.ddns.net/blog/posts/2021/04/21/cgit-solution-for-my-network/">2021/04/21/Cgit solution for my network</a></li> <li><a href="https://bgstack15.ddns.net/blog/posts/2021/04/25/populating-my-new-cgit-instance/">2021/04/25/Populating my new cgit instance</a></li> <li><a href="https://bgstack15.ddns.net/blog/posts/2021/04/29/adding-redirect-from-git-to-cgit-for-web-browsers/">2021/04/29/Adding redirect from /git to /cgit for web browsers</a></li> </ul> <p>And I have now improved my process with a post-receive hook. This task runs every time the server handles an upload. My hook does a few things:</p> <pre class="code literal-block"><span></span><code><span class="o">*</span><span class="w"> </span><span class="n">generates</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">store</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">most</span><span class="o">-</span><span class="n">recently</span><span class="o">-</span><span class="n">modified</span><span class="w"> </span><span class="kt">timestamp</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">repo</span><span class="p">,</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">sorting</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">cgit</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="k">view</span><span class="p">.</span><span class="w"></span> <span class="o">*</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n n-Quoted">`restorecon`</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">get</span><span class="w"> </span><span class="n">my</span><span class="w"> </span><span class="n">proper</span><span class="w"> </span><span class="k">context</span><span class="p">,</span><span class="w"> </span><span class="n">so</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">branches</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="k">visible</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">cgit</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="k">view</span><span class="p">.</span><span class="w"></span> </code></pre> <h3>Configure SELinux</h3> <p>Of course I use SELinux, so I need a custom policy for my git-hook to work. I used the standard mechanisms to troubleshoot SELinux.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span><span class="w"> </span><span class="n">setenforce</span><span class="w"> </span><span class="mi">0</span><span class="w"></span> <span class="n">semodule</span><span class="w"> </span><span class="o">--</span><span class="n">disable_dontaudit</span><span class="w"> </span><span class="o">--</span><span class="n">build</span><span class="w"></span> <span class="n">echo</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">tee</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="w"> </span><span class="mi">1</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span><span class="w"></span> <span class="c1"># perform a large number of git and cgit operations</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">tail</span><span class="w"> </span><span class="o">-</span><span class="n">n15000</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">audit2allow</span><span class="w"> </span><span class="o">-</span><span class="n">M</span><span class="w"> </span><span class="n">foo</span><span class="w"></span> <span class="c1"># manually merge any new entries into cgitstackrpms.te</span><span class="w"></span> <span class="n">semodule</span><span class="w"> </span><span class="o">--</span><span class="n">build</span><span class="w"></span> <span class="n">_func</span><span class="p">()</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">checkmodule</span><span class="w"> </span><span class="o">-</span><span class="n">M</span><span class="w"> </span><span class="o">-</span><span class="n">m</span><span class="w"> </span><span class="o">-</span><span class="n">o</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">mod</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">te</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">semodule_package</span><span class="w"> </span><span class="o">-</span><span class="n">o</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">pp</span><span class="w"> </span><span class="o">-</span><span class="n">m</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">mod</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">semodule</span><span class="w"> </span><span class="o">-</span><span class="n">i</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">pp</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">_func</span><span class="w"></span> </code></pre> <p>Final asset is <strong>cgitstackrpms.te</strong> which can be loaded and installed with the last line of the above command block. The most recent version includes the rules for the restorecon invocation from the post-receive git hook.</p> <pre class="code literal-block"><span></span><code><span class="n">module</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="w"> </span><span class="mf">1.2</span><span class="p">;</span><span class="w"></span> <span class="n">require</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">default_context_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">git_script_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_cache_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_sys_rw_content_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">initrc_var_run_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">selinux_config_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">shadow_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">sssd_conf_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">systemd_logind_sessions_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">systemd_logind_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">var_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">capability</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">audit_write</span><span class="w"> </span><span class="n">fowner</span><span class="w"> </span><span class="n">net_admin</span><span class="w"> </span><span class="n">sys_resource</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">dbus</span><span class="w"> </span><span class="n">send_msg</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">dir</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">relabelfrom</span><span class="w"> </span><span class="n">relabelto</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">search</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">fifo_file</span><span class="w"> </span><span class="n">write</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">map</span><span class="w"> </span><span class="n">lock</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">relabelfrom</span><span class="w"> </span><span class="n">relabelto</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">netlink_audit_socket</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">nlmsg_relay</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">write</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">setrlimit</span><span class="w"> </span><span class="n">noatsecure</span><span class="w"> </span><span class="n">rlimitinh</span><span class="w"> </span><span class="n">siginh</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="p">}</span><span class="w"></span> <span class="c1">#============= git_script_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">var_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="n">read</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">var_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">httpd_cache_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">search</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">httpd_cache_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">map</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">search</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="c1">#============= httpd_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">git_script_t</span><span class="p">:</span><span class="n">process</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">noatsecure</span><span class="w"> </span><span class="n">rlimitinh</span><span class="w"> </span><span class="n">siginh</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">default_context_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="n">relabelto</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="n">relabelto</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_rw_content_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="n">relabelfrom</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_rw_content_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="n">relabelfrom</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">initrc_var_run_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">lock</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="bp">self</span><span class="p">:</span><span class="n">capability</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">net_admin</span><span class="w"> </span><span class="n">audit_write</span><span class="w"> </span><span class="n">fowner</span><span class="w"> </span><span class="n">sys_resource</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="bp">self</span><span class="p">:</span><span class="n">netlink_audit_socket</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">nlmsg_relay</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">write</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="bp">self</span><span class="p">:</span><span class="n">process</span><span class="w"> </span><span class="n">setrlimit</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">selinux_config_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">shadow_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">sssd_conf_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">systemd_logind_sessions_t</span><span class="p">:</span><span class="n">fifo_file</span><span class="w"> </span><span class="n">write</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">systemd_logind_t</span><span class="p">:</span><span class="n">dbus</span><span class="w"> </span><span class="n">send_msg</span><span class="p">;</span><span class="w"></span> <span class="c1">#============= systemd_logind_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">systemd_logind_t</span><span class="w"> </span><span class="n">httpd_t</span><span class="p">:</span><span class="n">dbus</span><span class="w"> </span><span class="n">send_msg</span><span class="p">;</span><span class="w"></span> </code></pre> <p>I already had a file context for my entire www directory.</p> <pre class="code literal-block"><span></span><code><span class="n">semanage</span><span class="w"> </span><span class="n">fcontext</span><span class="w"> </span><span class="o">-</span><span class="n">a</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="w"> </span><span class="s1">'/var/server1/shares/public/www(/.*)?'</span><span class="w"></span> </code></pre> <h5>Running restorecon after each push</h5> <p>The git hook for post-receive runs after every push to this cgit instance. Sometimes new files are buitl with incorrect selinux file contexts, but a restorecon will fix the contexts. Special permissions are needed, in the selinux policy above, and also for sudo.</p> <p>My environment uses FreeIPA, so I can make a rule in the domain for this. Even though of course <code>apache</code> is a local user, I want to make a domain user so I can make a sudoers rule for it. Sudo reads usernames from sudoers entries, and not uids, so this will work for a local user <code>apache</code> on the target host.</p> <pre class="code literal-block"><span></span><code><span class="c1"># gid 960600013 is my preexisting service-accounts group</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">user</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o">--</span><span class="n">homedir</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">httpd</span><span class="w"> </span><span class="o">--</span><span class="n">shell</span><span class="w"> </span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">nologin</span><span class="w"> </span><span class="n">apache</span><span class="w"> </span><span class="o">--</span><span class="n">first</span><span class="o">=</span><span class="n">apache</span><span class="w"> </span><span class="o">--</span><span class="n">last</span><span class="o">=</span><span class="s2">"domain user"</span><span class="w"> </span><span class="o">--</span><span class="n">gidnumber</span><span class="o">=</span><span class="mi">960600013</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">group</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">member</span><span class="w"> </span><span class="n">service</span><span class="o">-</span><span class="n">accounts</span><span class="w"> </span><span class="o">--</span><span class="n">users</span><span class="w"> </span><span class="n">apache</span><span class="w"> </span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudocmd</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="s1">'/sbin/restorecon -R /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudocmd</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rv /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudocmd</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rvn /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">host</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">hosts</span><span class="w"> </span><span class="n">server1</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="s1">'/sbin/restorecon -R /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rv /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rvn /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">option</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudooption</span><span class="w"> </span><span class="s1">'!requiretty'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">option</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudooption</span><span class="w"> </span><span class="s1">'!authenticate'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">user</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">users</span><span class="w"> </span><span class="n">apache</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">mod</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">desc</span><span class="o">=</span><span class="s2">"Apache can run restorecon /var/www/git on server1"</span><span class="w"></span> </code></pre> <p>If you are using plain sudo, use these contents.</p> <pre class="code literal-block"><span></span><code><span class="c1"># File /etc/sudoers.d/60_git-hook_post-receive_sudo</span><span class="w"></span> <span class="n">Defaults</span><span class="o">&gt;</span><span class="n">apache</span><span class="w"> </span><span class="o">!</span><span class="n">requiretty</span><span class="w"></span> <span class="n">apache</span><span class="w"> </span><span class="n">server1</span><span class="o">=</span><span class="p">(</span><span class="n">root</span><span class="p">)</span><span class="w"> </span><span class="n">NOPASSWD</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"> </span><span class="o">-</span><span class="n">R</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="p">,</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"> </span><span class="o">-</span><span class="n">Rv</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="p">,</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"> </span><span class="o">-</span><span class="n">Rvn</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="w"></span> </code></pre> <p>With all of these steps, the user apache can now run restorecon on that directory as part of the git-hook for <code>post-receive</code>.</p> <p>All of that, to explain one line in the following git hook file, <code>/usr/local/bin/git-hooks/post-receive</code>.</p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># File: post-receive</span> <span class="c1"># Project: cgit-Internal</span> <span class="c1"># Startdate: 2022-01-27</span> <span class="c1"># History:</span> <span class="c1"># 2022-05-11 added restorecon</span> <span class="c1"># Ripped directly from https://landchad.net/cgit</span> <span class="c1"># Dependencies:</span> <span class="c1"># sudoers rule in freeipa</span> <span class="c1">#exec 1&gt;&gt;/tmp/asdf2</span> <span class="c1">#exec 2&gt;&amp;1</span> <span class="c1">#exec 3&gt;&amp;1</span> <span class="nb">set</span> -x <span class="nv">agefile</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>git rev-parse --git-dir<span class="k">)</span><span class="s2">"</span>/info/web/last-modified date <span class="s2">"+%FT%T used post-receive"</span> &gt;&gt; /tmp/asdf2 mkdir -p <span class="s2">"</span><span class="k">$(</span>dirname <span class="s2">"</span><span class="nv">$agefile</span><span class="s2">"</span><span class="k">)</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> git <span class="k">for</span>-each-ref <span class="se">\</span> --sort<span class="o">=</span>-authordate --count<span class="o">=</span><span class="m">1</span> <span class="se">\</span> --format<span class="o">=</span><span class="s1">'%(authordate:iso8601)'</span> <span class="se">\</span> &gt;<span class="s2">"</span><span class="nv">$agefile</span><span class="s2">"</span> sudo --non-interactive /usr/sbin/restorecon -R /var/www/git <span class="m">1</span>&gt;/dev/null <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">&amp;</span> </code></pre> </td></tr></table> <p>This git hook can be established for all future git repositories established as part of my documented solution, by modifying the skeleton git hooks directory to store it:</p> <pre class="code literal-block"><span></span><code>sudo ln -sf /usr/local/bin/git-hooks/post-receive /usr/share/git-core/templates/hooks/post-receive </code></pre> <h2>Operations</h2> <p>An additional operation is available for the cgit-Internal solution.</p> <h4>Refreshing last-modified date for all repos</h4> <p>If for some reason the the repositories should get refreshed <code>info/web/last-modified</code> contents, you can run the hook manually. This command will switch to user apache so the permissions are preserved on the info/web/last-modified files.</p> <p>On server1:</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span><span class="w"> </span><span class="n">chown</span><span class="w"> </span><span class="o">-</span><span class="n">R</span><span class="w"> </span><span class="n">apache</span><span class="o">.</span><span class="n">admins</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="o">/</span><span class="p">{</span><span class="o">*</span><span class="p">,</span><span class="o">*/*</span><span class="p">}</span><span class="o">/</span><span class="n">info</span><span class="o">/</span><span class="n">web</span><span class="w"></span> <span class="n">su</span><span class="w"> </span><span class="n">apache</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">bash</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="s1">'cd /var/www/git ; for word in {*,*/*}/hooks/post-receive ; do ( cd "$( dirname "${word}" )" ; sh "./$( basename "${word}" )" ; ) ; done'</span><span class="w"></span> </code></pre>githookselinuxhttps://bgstack15.ddns.net/blog/posts/2022/05/17/git-hoook-post-receive-run-restorecon/Tue, 17 May 2022 12:36:48 GMT