From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ v3 PATCH 3/8] Git shell users
Date: Wed, 24 Aug 2011 14:35:41 +0200
Message-ID: <1314189346-10866-4-git-send-email-domg472@gmail.com>
In-Reply-To: <1314189346-10866-1-git-send-email-domg472@gmail.com>

Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
purpose of committing to shared repositories needs far fewer privileges than the least privilege
userdom_base_user_template provides.

Git shell users do not need ptys, execmem or many other privileges provided by the base_user_template.
Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
administrators can easily map their Unix logins to the Git shell SELinux user.

This Git shell user domain is allowed to manage and execute (primary) shared repositories.

FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell

Fix2: booleans git_system_use_cifs and git_system_use_nfs are currently named gitd_use_cifs and gitd_use_nfs respectively

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:000000 100644 0000000... 2d9c6bc... A	config/appconfig-mcs/git_shell_u_default_contexts
:000000 100644 0000000... 2d9c6bc... A	config/appconfig-mls/git_shell_u_default_contexts
:000000 100644 0000000... bfbd788... A	config/appconfig-standard/git_shell_u_default_contexts
:000000 100644 0000000... 601a7b0... A	policy/modules/roles/git_shell.fc
:000000 100644 0000000... c6d9896... A	policy/modules/roles/git_shell.if
:000000 100644 0000000... f5aa6cb... A	policy/modules/roles/git_shell.te
:100644 100644 4da6875... 6238d54... M	policy/modules/services/git.if
:100644 100644 2dc8697... 5c30b4b... M	policy/modules/system/userdomain.if
 config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
 config/appconfig-mls/git_shell_u_default_contexts  |    2 +
 .../git_shell_u_default_contexts                   |    2 +
 policy/modules/roles/git_shell.fc                  |    1 +
 policy/modules/roles/git_shell.if                  |   50 +++++++++++++++
 policy/modules/roles/git_shell.te                  |   15 +++++
 policy/modules/services/git.if                     |   67 ++++++++++++++++++++
 policy/modules/system/userdomain.if                |   63 ++++++++++++++++++
 8 files changed, 202 insertions(+), 0 deletions(-)

diff --git a/config/appconfig-mcs/git_shell_u_default_contexts b/config/appconfig-mcs/git_shell_u_default_contexts
new file mode 100644
index 0000000..2d9c6bc
--- /dev/null
+++ b/config/appconfig-mcs/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t:s0		git_shell_r:git_shell_t:s0
+system_r:sshd_t:s0		git_shell_r:git_shell_t:s0
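Review bot: only sshd_t appears as a source context in this file, so a git_shell_u login that arrives through anything other than sshd gets no default context from it; that matches the SSH-only purpose described in the commit message, and it would help to state it there explicitly. The first row (git_shell_r:git_shell_t:s0 mapping to itself) only covers re-entry from the git shell domain, and the mls and standard copies below carry the same two rows, so the three files should be kept in sync whenever one changes.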
diff --git a/config/appconfig-mls/git_shell_u_default_contexts b/config/appconfig-mls/git_shell_u_default_contexts
new file mode 100644
index 0000000..2d9c6bc
--- /dev/null
+++ b/config/appconfig-mls/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t:s0		git_shell_r:git_shell_t:s0
+system_r:sshd_t:s0		git_shell_r:git_shell_t:s0
diff --git a/config/appconfig-standard/git_shell_u_default_contexts b/config/appconfig-standard/git_shell_u_default_contexts
new file mode 100644
index 0000000..bfbd788
--- /dev/null
+++ b/config/appconfig-standard/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t			git_shell_r:git_shell_t
+system_r:sshd_t			git_shell_r:git_shell_t
diff --git a/policy/modules/roles/git_shell.fc b/policy/modules/roles/git_shell.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/git_shell.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/git_shell.if b/policy/modules/roles/git_shell.if
new file mode 100644
index 0000000..c6d9896
--- /dev/null
+++ b/policy/modules/roles/git_shell.if
@@ -0,0 +1,50 @@
+## <summary>Git shell user role.</summary>
+
+########################################
+## <summary>
+##	Change to the git shell role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_shell_role_change',`
+	gen_require(`
+		role git_shell_r;
+	')
+
+	allow $1 git_shell_r;
+')
+
+########################################
+## <summary>
+##	Change from the git shell role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the git shell role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_shell_role_change_to',`
+	gen_require(`
+		role git_shell_r;
+	')
+
+	allow git_shell_r $1;
+')
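Review bot: these two interfaces only matter for role changes initiated from user roles; the system_r to git_shell_r step that sshd needs is already granted by `allow system_r $1_r;` in userdom_git_user_template in the userdomain.if hunk below. Worth stating in a `<desc>` on git_shell_role_change that git_shell_t is intended as a non-interactive domain without pty access (per the commit message), so a role allowed to change into it lands in a repository-only domain rather than a usable interactive session.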
diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te
new file mode 100644
index 0000000..f5aa6cb
--- /dev/null
+++ b/policy/modules/roles/git_shell.te
@@ -0,0 +1,15 @@
+policy_module(git_shell, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+userdom_git_user_template(git_shell)
+
+########################################
+#
+# Local policy
+#
+
+#gen_user(git_shell_u,, git_shell_r, s0, s0)
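Review bot: the gen_user() for git_shell_u is left commented out, so nothing in this patch declares the git_shell_u SELinux user that the three git_shell_u_default_contexts files are named for. Either declare the user where the policy declares its other SELinux users, or drop the dead line and say in the commit message that an administrator creates it first, e.g. `semanage user -a -R git_shell_r git_shell_u` before `semanage login -a -s git_shell_u <login>` can map a Unix login to it; a commented-out declaration will otherwise be read as an unfinished TODO.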
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 4da6875..6238d54 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -2,6 +2,73 @@
 
 ########################################
 ## <summary>
+##	Execute Git daemon generic shared
+##	repository content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_exec_generic_sys_content_files',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+
+	tunable_policy(`gitd_use_cifs',`
+		fs_exec_cifs_files($1)
+	')
+
+	tunable_policy(`gitd_use_nfs',`
+		fs_exec_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	Git daemon generic shared
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_manage_generic_sys_content',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+
+	tunable_policy(`gitd_use_cifs',`
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1)
+		fs_dontaudit_manage_cifs_files($1)
+	')
+
+	tunable_policy(`gitd_use_nfs',`
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1)
+		fs_dontaudit_manage_nfs_files($1)
+	')
+')
+
+
+########################################
+## <summary>
 ##	Execute Git daemon personal
 ##	repository content files.
 ## </summary>
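Review bot: two blank lines now separate the end of git_manage_generic_sys_content from the next interface header, where the rest of the file uses one. More substantively, the summary of git_exec_generic_sys_content_files should say what a caller ends up with: a domain given both this interface and git_manage_generic_sys_content, as userdom_git_user_template does in the next hunk, can execute files it has itself written into the shared repository (hooks being the obvious case), which is acceptable only because the calling domain is confined; spelling that out in the `<summary>` or a `<desc>` keeps later callers from pairing the two in a less confined domain without noticing.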
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2dc8697..5c30b4b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2,6 +2,69 @@
 
 #######################################
 ## <summary>
+##	Template for creating Git users.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	Prefix of the user domain.
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_git_user_template',`
+	gen_require(`
+		attribute unpriv_userdomain, userdomain;
+		class context contains;
+		role system_r;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, unpriv_userdomain, userdomain;
+	domain_type($1_t)
+	ubac_constrained($1_t)
+	role $1_r;
+	role $1_r types $1_t;
+	allow system_r $1_r;
+
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_t self:context contains;
+	allow $1_t self:fifo_file rw_fifo_file_perms;
+
+	kernel_read_system_state($1_t)
+
+	corecmd_exec_bin($1_t)
+	corecmd_bin_entry_type($1_t)
+	corecmd_shell_entry_type($1_t)
+
+	domain_interactive_fd($1_t)
+	domain_user_exemption_target($1_t)
+
+	files_dontaudit_list_non_security($1_t)
+	files_dontaudit_getattr_non_security_files($1_t)
+	files_dontaudit_getattr_non_security_symlinks($1_t)
+	files_dontaudit_getattr_non_security_pipes($1_t)
+	files_dontaudit_getattr_non_security_sockets($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	git_exec_generic_sys_content_files($1_t)
+	git_manage_generic_sys_content($1_t)
+
+	ssh_rw_stream_sockets($1_t)
+')
+
+#######################################
+## <summary>
 ##	The template containing the most basic rules common to all users.
 ## </summary>
 ## <desc>
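Review bot: the template calls git_exec_generic_sys_content_files, git_manage_generic_sys_content and ssh_rw_stream_sockets directly from userdomain.if without optional_policy() wrapping, which makes the system-layer userdomain module hard-depend on the git and ssh service modules. Either wrap those calls in optional_policy(`...'), as is the convention for service interfaces called from userdomain.if, or move the template into git.if next to the interfaces it relies on and have git_shell.te call it from there.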
-- 
1.7.1
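As an added example (mine, not part of the patch, refpolicy or libselinux): a small Python model of how rows in a git_shell_u_default_contexts file like the ones above are resolved at login, plus an audit helper for candidate rows that can never be selected. It assumes git_shell_u is authorised for only git_shell_r, as the commented-out gen_user line suggests, and uses a constructed copy of the mcs file as sample input.

```python
# Simplified model of SELinux default_contexts resolution (added example,
# not libselinux or refpolicy code). Each row is:
#   source_role:source_type[:level]   candidate contexts...
# CONSTRUCTED sample: the two rows of the appconfig-mcs file in the patch.
GIT_SHELL_U_DEFAULT_CONTEXTS = """\
git_shell_r:git_shell_t:s0\t\tgit_shell_r:git_shell_t:s0
system_r:sshd_t:s0\t\tgit_shell_r:git_shell_t:s0
"""


def parse_default_contexts(text):
    """Return a list of (source 'role:type', [candidate contexts])."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Matching is done on role:type only, so a level on the source
        # field (the :s0 in the mcs/mls files) is dropped here.
        src = ":".join(fields[0].split(":")[:2])
        table.append((src, fields[1:]))
    return table


def default_context(table, from_context, user_roles):
    """Pick the context a login gets: match the calling process's
    role:type (from_context is a full user:role:type[:level] context),
    then take the first candidate whose role the SELinux user holds."""
    parts = from_context.split(":")
    src = ":".join(parts[1:3])
    for row_src, candidates in table:
        if row_src != src:
            continue
        for ctx in candidates:
            if ctx.split(":")[0] in user_roles:
                return ctx
    return None


def unreachable_candidates(table, user_roles):
    """Audit helper: candidates whose role the SELinux user is not
    authorised for can never be selected, one way such a file is wrong."""
    return [ctx for _, cands in table for ctx in cands
            if ctx.split(":")[0] not in user_roles]
```

Running the audit helper against the real role set of the mapped SELinux user catches a default_contexts row that names a role the user cannot enter before anyone logs in.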
