xaizek / rocketgit (License: AGPLv3+) (since 2018-12-09)
Light and fast Git hosting solution suitable to serve both as a hub or as a personal code storage with its tickets, pull requests, API and much more.
Commit d56c69368f304dca943a8050111666fd9ba34364

Fixes for deleting logs.
This includes SELinux fixes.
Author: Catalin(ux) M. BOIE
Author date (UTC): 2015-04-09 20:12
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2015-04-09 20:12
Parent(s): cf9cc661bca7194dbb65acdcbb253552be7acf70
Signing key:
Tree: 77e823c4324af5124e72eed6e45d3d60b92e9e00
File Lines added Lines deleted
TODO 0 3
inc/admin.inc.php 2 2
inc/init.inc.php 1 1
scripts/cron.php 5 1
selinux/rocketgit.te 10 3
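--- a/TODO
+++ b/TODO
@@ -13,9 +13,6 @@
 proiectului, e nevoie. Dar intr-un form, in textarea, nu e nevoie.
 Apoi as putea elimina description_nice.
 [ ] Security: Link-uri + xss (Ionut)
-[ ] We need to be able to delete old log files! We cannot release the vm
-without this!
-Done, check if any SELinux AVC shows up.
 [ ] Upload kvm image to downloads.rocketgit.com. Sign it? sha256 it?
 [ ] Security: validate sparas!
 [ ] Menus - change color for selected items, not the background color.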
File inc/admin.inc.php changed (mode: 100644) (index a398336..e533cc1)
... ... function rg_clean_logs($dir)
337 337
338 338 foreach ($files as $file) { foreach ($files as $file) {
339 339 $ymd = preg_replace('/.*-([0-9]*)\.log/', '$1', $file); $ymd = preg_replace('/.*-([0-9]*)\.log/', '$1', $file);
340 rg_log("file=$file ymd=$ymd");
340 //rg_log("file=$file ymd=$ymd");
341 341
342 342 if ($ymd >= $limit) if ($ymd >= $limit)
343 343 continue; continue;
344 344
345 rg_log("Deleting file $file");
345 rg_log("Deleting old log file $file");
346 346 $r = unlink($file); $r = unlink($file);
347 347 if ($r === FALSE) if ($r === FALSE)
348 348 rg_log("Cannot delete file $file!"); rg_log("Cannot delete file $file!");
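Review bot: In the `foreach` over `$files`, a name that does not match `/.*-([0-9]*)\.log/` is not skipped: `preg_replace` returns it unchanged, and `[0-9]*` also accepts an empty date, so `$ymd` may not be a date when it reaches `if ($ymd >= $limit)`. Depending on how `$limit` is typed, such a file can fall through to `unlink()`. Since this now runs unattended from cron, I would extract the date with an anchored match and skip everything else, e.g. `if (preg_match('/-([0-9]{8})\.log$/', $file, $m) !== 1) continue;` followed by `$ymd = $m[1];` (the eight-digit form is assumed from the variable name; adjust to the real file naming). `rg_clean_logs()` starts and ends outside this hunk, so how `$files` and `$limit` are built is not visible here.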
File inc/init.inc.php changed (mode: 100644) (index 4592ecb..3725801)
... ... if (!isset($rg_scripts))
28 28 if (!isset($rg_theme_dir)) if (!isset($rg_theme_dir))
29 29 $rg_theme_dir = $rg_scripts . "/root/themes"; $rg_theme_dir = $rg_scripts . "/root/themes";
30 30
31 if (!isset($rg_logs_lifitime))
31 if (!isset($rg_logs_lifetime))
32 32 $rg_logs_lifetime = 31; $rg_logs_lifetime = 31;
33 33
34 34 ?> ?>
File scripts/cron.php changed (mode: 100644) (index 31f2b68..b456fb2)
... ... if (strcmp($user, "apache") == 0) {
25 25 rg_log_set_file($rg_web_log_dir . "/cron.log"); rg_log_set_file($rg_web_log_dir . "/cron.log");
26 26 rg_log_set_sid("000000"); // to spread the logs rg_log_set_sid("000000"); // to spread the logs
27 27
28 rg_clean_logs('/var/log/rocketgit-web');
28 if (gmdate("Hi") == "0310")
29 rg_clean_logs('/var/log/rocketgit-web');
29 30
30 31 exit(0); exit(0);
31 32 } }
 
... ... rg_lock_or_exit("cron.lock");
41 42
42 43 rg_log("Start (ver=$rocketgit_version)..."); rg_log("Start (ver=$rocketgit_version)...");
43 44
45 if (gmdate("Hi") == "0305")
46 rg_clean_logs('/var/log/rocketgit');
47
44 48 rg_sql_app("rg-cron"); rg_sql_app("rg-cron");
45 49 $db = rg_sql_open($rg_sql); $db = rg_sql_open($rg_sql);
46 50 if ($db === FALSE) { if ($db === FALSE) {
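Review bot: Both new `rg_clean_logs()` calls pass a literal directory (`'/var/log/rocketgit-web'` in the first hunk, `'/var/log/rocketgit'` in the second), although the same branch already logs to `$rg_web_log_dir . "/cron.log"`. On an install where the log directory is configured elsewhere, the cleanup looks in the wrong place and old logs keep accumulating. Passing the configured value, `rg_clean_logs($rg_web_log_dir);`, keeps the two in step; the second call presumably has an equivalent setting that is not visible here. Separately, `gmdate("Hi") == "0310"` only fires when cron.php runs in that exact minute, and the second check appears to sit after `rg_lock_or_exit("cron.lock")`, so a delayed or still-locked run skips that day's cleanup. A comment such as `// missing a day is fine, the next run catches up` would make that intent explicit.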
File selinux/rocketgit.te changed (mode: 100644) (index d34f495..10dc867)
1 policy_module(rocketgit,1.0.77)
1 policy_module(rocketgit,1.0.78)
2 2
3 3 ######################################## ########################################
4 4 # #
 
... ... gen_require(`
14 14 role unconfined_r; role unconfined_r;
15 15 ') ')
16 16
17 # Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): security_compute_sid: invalid context unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
17 # Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \
18 # security_compute_sid: invalid context \
19 # unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \
20 # scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
21 # tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
18 22 role unconfined_r types rocketgit_t; role unconfined_r types rocketgit_t;
19 23
20 24 type rocketgit_t; type rocketgit_t;
 
... ... logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
83 87 # below line tries to allow httpd to create err-* files in /var/log/rocketgit-web # below line tries to allow httpd to create err-* files in /var/log/rocketgit-web
84 88 #filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file) #filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file)
85 89 # allow rocketgit_t access to /var/log/rocketgit-web. Why? # allow rocketgit_t access to /var/log/rocketgit-web. Why?
86 allow rocketgit_t httpd_log_t:dir { read open };
90 # Some of rights are needed because cron as apache is deleting log files in
91 # /var/log/rocketgit-web.
92 allow rocketgit_t httpd_log_t:dir { write add_name remove_name getattr read open };
93 allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append };
87 94
88 95
89 96 # content (repos) # content (repos)
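Review bot: The two new `allow` lines grant on `httpd_log_t`, which in the stock policy labels Apache's own logs and not only /var/log/rocketgit-web, so `rocketgit_t` gains `unlink`, `setattr`, `create` and `append` on the web server's access and error logs too. That is more than deleting old rocketgit logs needs, and it weakens the audit trail if a process in `rocketgit_t` is ever compromised. I would give /var/log/rocketgit-web its own label and grant the delete permissions on that type; the commented-out `filetrans_pattern` line above suggests `rocketgit_log_t` was the intention. If `httpd_log_t` has to stay for now, trim the file rule to what the AVC denials showed for deletion, e.g. `allow rocketgit_t httpd_log_t:file { getattr unlink };`. Only add `create`/`append` back if writing cron.log from this domain really requires them, and name the operation behind each permission in the comment.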