All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [ Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8
@ 2011-08-22 10:39 Dominick Grift
  0 siblings, 0 replies; only message in thread
From: Dominick Grift @ 2011-08-22 10:39 UTC (permalink / raw)
  To: refpolicy

This is Fedoras' Git module revisited. Modified git_selinux.8 to reflect changes.

In my view unprivileged user domains, and admin domains should be able, from an SELinux perspective at least,  to run Git session daemons in the Git session daemon domain by default. Git session domains should be allowed to bind tcp sockets to Git ports.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 e9c43b1... 3cc33d7... M	man/man8/git_selinux.8
:100644 100644 2be17d2... addc3ad... M	policy/modules/roles/staff.te
:100644 100644 0f96353... 58eb890... M	policy/modules/roles/sysadm.te
:100644 100644 7e9da77... 46d24e3... M	policy/modules/roles/unprivuser.te
:100644 100644 54f0737... e7a135c... M	policy/modules/services/git.fc
:100644 100644 458aac6... 3a3db2b... M	policy/modules/services/git.if
:100644 100644 7382f85... 2360634... M	policy/modules/services/git.te
 man/man8/git_selinux.8             |   48 ++--
 policy/modules/roles/staff.te      |    4 +
 policy/modules/roles/sysadm.te     |    4 +
 policy/modules/roles/unprivuser.te |    4 +
 policy/modules/services/git.fc     |   16 +-
 policy/modules/services/git.if     |  534 +++++++++++++++++++++++++++++++++++-
 policy/modules/services/git.te     |  186 +++++++++++++-
 7 files changed, 767 insertions(+), 29 deletions(-)

diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
index e9c43b1..3cc33d7 100644
--- a/man/man8/git_selinux.8
+++ b/man/man8/git_selinux.8
@@ -19,83 +19,83 @@ SELinux Git policy is very flexible allowing users to setup their web services i
 .PP 
 The following file contexts types are by default defined for Git:
 .EX
-git_system_content_t 
+git_sys_content_t 
 .EE 
-- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+- Set files with git_sys_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all Git system users.
 .EX
 git_session_content_t 
 .EE 
-- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all Git session users. Note that Git system users may not interact with this type.
 .SH BOOLEANS
 SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
 .PP
-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. 
+Determine whether Git system daemon can search user home directories so that it can find Git session repository content. This is useful if you want the Git system daemon to host personal Git repository content.
 .EX
 sudo setsebool -P git_system_enable_homedirs 1
 .EE
 .PP
-Allow the Git system daemon to read system shared repositories on NFS shares.
+Determine whether Git system daemon can read any Git shared repository content on NFS shares.
 .EX
 sudo setsebool -P git_system_use_nfs 1
 .EE
 .PP
-Allow the Git system daemon to read system shared repositories on Samba shares.
+Determine whether Git system daemon can read any shared repository content on Samba shares.
 .EX
 sudo setsebool -P git_system_use_cifs 1
 .EE
 .PP
-Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+Determine whether Git session daemons can read personal repository content on NFS mounted home directories.
 .EX
 sudo setsebool -P use_nfs_home_dirs 1
 .EE
 .PP
-Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+Determine whether Git session daemons can read personal repository content on Samba mounted home directories.
 .EX
 sudo setsebool -P use_samba_home_dirs 1
 .EE
 .PP
-To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+To allow Git system daemon to read personal repository content on NFS and Samba mounted home directories you must also allow Git system daemon to search home directories so that it can find the personal repository content.
 .EX
 sudo setsebool -P git_system_enable_homedirs 1
 .EE
 .PP
-To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+Determine whether Git session daemons can listen on any unreserved TCP ports. This is useful for mass hosting of personal repository content.
 .EX
 sudo setsebool -P git_session_bind_all_unreserved_ports 1
 .EE
 .SH GIT_SHELL
-The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+The Git policy by default provides a restricted user environment to be used with "Git shell". The default git_shell_u Git system SELinux user can manage and execute generic Git shared repository content (shared repository content with type git_sys_content_t).
 .PP
-To add a new Linux user and map him to this Git shell user domain automatically:
+Add a new Unix user and map this user to the default Git system SELinux user automatically:
 .EX
 sudo useradd -Z git_shell_u joe
 .EE
-.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
-Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+.SH ADVANCED_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+Alternatively Git SELinux policy can be used to restrict Git system user types access to Git shared repository content types. The policy allows for the creation of new types of Git shared repository content and Git system users. The policy allows one to specify Git system user types access to Git shared repository content types. Note that any Git system user is allowed to manage and execute generic Git shared repository content.
 .PP
-To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+Add a new Git shared repository content type, for example "project1". Create a file named project1.te and add to it:
 .EX
 policy_module(project1, 1.0.0)
-git_content_template(project1)
+git_sys_content_files_type(project1)
 .EE
-Next create a file named project1.fc and add a file context specification for the new repository type to it:
+Create a file named project1.fc, and add a file context specification for the new shared repository content type to it:
 .EX
-/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+/var/lib/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
 .EE
-Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+Build a binary representation of this source policy module, load it into the policy store and restore the context of the shared repository content:
 .EX
 make -f /usr/share/selinux/devel/Makefile project.pp
 sudo semodule -i project1.pp
-sudo restorecon -R -v /srv/git/project1
+sudo restorecon -R -v /var/lib/git/project1.git
 .EE
-To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+Create a Git system user domain that can interact with this shared repository content. Create a file named project1user.te in the same directory as where the source policy for the Git sys content file type is and add the following:
 .EX
 policy_module(project1user, 1.0.0) 
-git_role_template(project1user)
-git_content_delegation(project1user_t, git_project1_content_t)
+git_system_user_template(project1user)
+git_rwx_spec_sys_content(project1user_t, git_project1_content_t)
 gen_user(project1user_u, user, project1user_r, s0, s0)
 .EE
-Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+Build a binary representation of this source policy module, load it into the policy store and map Unix users to the project1user_u SELinux user that was created:
 .EX
 make -f /usr/share/selinux/devel/Makefile project1user.pp
 sudo semodule -i project1user.pp
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..addc3ad 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -27,6 +27,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	git_session_role_template(staff_r, staff_t)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..58eb890 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -148,6 +148,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	git_session_role_template(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	hostname_run(sysadm_t, sysadm_r)
 ')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..46d24e3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -17,6 +17,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	git_session_role_template(user_r, user_t)
+')
+
+optional_policy(`
 	screen_role_template(user, user_r, user_t)
 ')
 
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..e7a135c 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,15 @@
-/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitaliases	--	gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:git_session_content_t,s0)
+
+/srv/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
+
 /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..3a3db2b 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,533 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
+
+########################################
+## <summary>
+##	Role access for Git session daemon.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+template(`git_session_role_template',`
+	gen_require(`
+		type git_session_t, gitd_exec_t, git_session_content_t;
+	')
+
+	########################################
+	#
+	# Git session daemon shared declarations.
+	#
+
+	role $1 types git_session_t;
+
+	########################################
+	#
+	# Git session daemon shared policy.
+	#
+
+	domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+	allow $2 git_session_t:process { ptrace signal_perms };
+	ps_process_pattern($2, git_session_t)
+
+	allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for
+##	Git daemon shared repository content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix to be used.
+##	</summary>
+## </param>
+#
+interface(`git_sys_content_files_type',`
+	gen_require(`
+		attribute git_system_content, git_content;
+	')
+
+	########################################
+	#
+	# Git daemon shared repository
+	# content declarations.
+	#
+
+	type git_$1_content_t, git_system_content, git_content;
+	files_type(git_$1_content_t)
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for Git
+##	daemon shared repository roles.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	Prefix for the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`git_system_user_template',`
+	gen_require(`
+		attribute unpriv_userdomain, userdomain;
+		class context contains;
+		role system_r;
+	')
+
+	########################################
+	#
+	# Git daemon role shared declarations.
+	#
+
+	type $1_t, unpriv_userdomain, userdomain;
+	domain_type($1_t)
+	ubac_constrained($1_t)
+	role $1_r;
+	role $1_r types $1_t;
+	allow system_r $1_r;
+
+	########################################
+	#
+	# Git daemon role shared policy.
+	#
+
+	allow $1_t self:context contains;
+	allow $1_t self:fifo_file rw_fifo_file_perms;
+
+	kernel_read_system_state($1_t)
+
+	corecmd_exec_bin($1_t)
+	corecmd_bin_entry_type($1_t)
+	corecmd_shell_entry_type($1_t)
+
+	domain_interactive_fd($1_t)
+	domain_user_exemption_target($1_t)
+
+	files_dontaudit_search_home($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	git_rwx_generic_sys_content($1_t)
+
+	ssh_rw_stream_sockets($1_t)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_exec_cifs_files($1_t)
+		fs_manage_cifs_dirs($1_t)
+		fs_manage_cifs_files($1_t)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_exec_nfs_files($1_t)
+		fs_manage_nfs_dirs($1_t)
+		fs_manage_nfs_files($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	Manage and execute specified Git
+##	daemon shared repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="git_sys_content_files_type">
+##	<summary>
+##	Git system content file type to be allowed.
+##	</summary>
+## </param>
+#
+interface(`git_rwx_spec_sys_content',`
+	gen_require(`
+		type $1, $2;
+	')
+
+	exec_files_pattern($1, $2, $2)
+	manage_dirs_pattern($1, $2, $2)
+	manage_files_pattern($1, $2, $2)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_exec_cifs_files($1)
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_exec_nfs_files($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage and execute all Git daemon
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_rwx_all_content',`
+	gen_require(`
+		attribute git_content;
+	')
+
+	exec_files_pattern($1, git_content, git_content)
+	manage_dirs_pattern($1, git_content, git_content)
+	manage_files_pattern($1, git_content, git_content)
+	userdom_search_user_home_dirs($1)
+	files_search_var_lib($1)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_exec_nfs_files($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_exec_cifs_files($1)
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_exec_cifs_files($1)
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_exec_nfs_files($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage and execute all Git daemon
+##	shared repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_rwx_all_sys_content',`
+	gen_require(`
+		attribute git_system_content;
+	')
+
+	exec_files_pattern($1, git_system_content, git_system_content)
+	manage_dirs_pattern($1, git_system_content, git_system_content)
+	manage_files_pattern($1, git_system_content, git_system_content)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_exec_cifs_files($1)
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_exec_nfs_files($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage and execute Git daemon
+##	generic shared repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_rwx_generic_sys_content',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_exec_cifs_files($1)
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_exec_nfs_files($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read all Git daemon repository
+##	content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_read_all_content_files',`
+	gen_require(`
+		attribute git_content;
+	')
+
+	list_dirs_pattern($1, git_content, git_content)
+	read_files_pattern($1, git_content, git_content)
+	userdom_search_user_home_dirs($1)
+	files_search_var_lib($1)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read Git daemon personal reposutory
+##	content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_read_session_content_files',`
+	gen_require(`
+		type git_session_content_t;
+	')
+
+	list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+	read_files_pattern($1, git_session_content_t, git_session_content_t)
+	userdom_search_user_home_dirs($1)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+	')
+')
+
+#######################################
+## <summary>
+##	Do not audit attempts to read
+##	generic personal repository
+##	content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`git_dontaudit_read_session_content_files',`
+	gen_require(`
+		type git_session_content_t;
+	')
+
+	dontaudit $1 git_session_content_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read all Git daemon shared
+##	repository content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_read_all_sys_content_files',`
+	gen_require(`
+		attribute git_system_content;
+	')
+
+	list_dirs_pattern($1, git_system_content, git_system_content)
+	read_files_pattern($1, git_system_content, git_system_content)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read Git daemon generic shared
+##	repository content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_read_generic_sys_content_files',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+	read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Relabel all Git daemon repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_relabel_all_content',`
+	gen_require(`
+		attribute git_content;
+	')
+
+	relabel_dirs_pattern($1, git_content, git_content)
+	relabel_files_pattern($1, git_content, git_content)
+	userdom_search_user_home_dirs($1)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Relabel all Git daemon shared
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_relabel_all_sys_content',`
+	gen_require(`
+		attribute git_system_content;
+	')
+
+	relabel_dirs_pattern($1, git_system_content, git_system_content)
+	relabel_files_pattern($1, git_system_content, git_system_content)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Relabel Git daemon generic shared
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_relabel_generic_sys_content',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+	relabel_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Relabel Git daemon session
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_relabel_session_content',`
+	gen_require(`
+		type git_session_content_t;
+	')
+
+	relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
+	relabel_files_pattern($1, git_session_content_t, git_session_content_t)
+	userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..2360634 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,8 +1,190 @@
 policy_module(git, 1.0)
 
+## <desc>
+##	<p>
+##	Determine whether Git system daemon
+##	can search home directories.
+##	</p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git system daemon
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git system daemon
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+########################################
+#
+# Git daemon global private declarations.
+#
+
+attribute git_domain;
+attribute git_system_content;
+attribute git_content;
+
+type gitd_exec_t;
+application_executable_file(gitd_exec_t)
+
+role git_shell_r;
+
+########################################
+#
+# Git system daemon private declarations.
+#
+
+type git_system_t, git_domain;
+inetd_service_domain(git_system_t, gitd_exec_t)
+role system_r types git_system_t;
+
+type git_sys_content_t, git_system_content, git_content;
+files_type(git_sys_content_t)
+
+########################################
+#
+# Git session daemon private declarations.
+#
+
+## <desc>
+##	<p>
+##	Determine whether Git session daemons
+##	can bind tcp sockets to all unreserved ports.
+##	</p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type git_session_t, git_domain;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow git_domain self:fifo_file rw_fifo_file_perms;
+allow git_domain self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(git_domain)
+
+corenet_all_recvfrom_netlabel(git_domain)
+corenet_all_recvfrom_unlabeled(git_domain)
+corenet_tcp_bind_generic_node(git_domain)
+corenet_tcp_sendrecv_generic_if(git_domain)
+corenet_tcp_sendrecv_generic_node(git_domain)
+corenet_tcp_sendrecv_generic_port(git_domain)
+corenet_tcp_bind_git_port(git_domain)
+corenet_tcp_sendrecv_git_port(git_domain)
+corenet_sendrecv_git_server_packets(git_domain)
+
+corecmd_exec_bin(git_domain)
+
+files_read_usr_files(git_domain)
+
+fs_search_auto_mountpoints(git_domain)
+
+auth_use_nsswitch(git_domain)
+
+logging_send_syslog_msg(git_domain)
+
+miscfiles_read_localization(git_domain)
+
+optional_policy(`
+	automount_dontaudit_getattr_tmp_dirs(git_domain)
+')
+
+########################################
+#
+# Git system daemon private policy.
+#
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+	userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+	fs_list_nfs(git_system_t)
+	fs_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+	fs_list_cifs(git_system_t)
+	fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+	fs_list_cifs(git_system_t)
+	fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+	fs_list_nfs(git_system_t)
+	fs_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git session daemon private policy.
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+	corenet_tcp_bind_all_unreserved_ports(git_session_t)
+	corenet_tcp_sendrecv_all_ports(git_session_t)
+	corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_list_nfs(git_session_t)
+	fs_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_list_cifs(git_session_t)
+	fs_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git CGI domain private policy.
+#
+
+optional_policy(`
+	apache_content_template(git)
+	git_read_all_content_files(httpd_git_script_t)
+	files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+	auth_use_nsswitch(httpd_git_script_t)
+')
+
 ########################################
 #
-# Declarations
+# Git system user private policy.
 #
 
-apache_content_template(git)
+git_system_user_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
-- 
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110822/a0d2149e/attachment-0001.bin 

^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2011-08-22 10:39 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-08-22 10:39 [refpolicy] [ Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8 Dominick Grift

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.