selinux magic for gitweb

The last remaining problem for the F7 upgrade was a conflict between getweb cgi and selinux. I fixed it by allowing the transgression that was reported in the log. There is quite a bit of conflicting information on the web for how to make a local policy change. First I found out what would allow the action that was being defeated using audit2allow

# echo "avc:  denied  { read } for  pid=3736 comm="gitweb.cgi" name="cgi-bin" dev=md7 ino=5079272 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir" | audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;

Basically the gitweb cgi calls some perl that does the equivalent of getcwd(), and this was being disallowed. The advice that was correct for setting local policy on F7 was found here. In short I did

# mkdir /root/tmp; cd /root/tmp
# touch local.te local.if local.fc
# yum install selinux-policy-devel
# vi local.te
policy_module(local, 1.0)

require {
        attribute httpdcontent;
        type httpd_sys_script_t;
        type httpd_sys_script_exec_t;
}
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

Immediately after doing this gitweb was back working normally again.