From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ v3 PATCH 2/8] Git personal repositories
Date: Tue, 30 Aug 2011 19:31:37 +0200 [thread overview]
Message-ID: <20110830173136.GD6861@localhost.localdomain> (raw)
In-Reply-To: <4E5CE78D.2030103@tresys.com>
On Tue, Aug 30, 2011 at 09:37:17AM -0400, Christopher J. PeBenito wrote:
> On 08/26/11 09:30, Dominick Grift wrote:
> > On Fri, Aug 26, 2011 at 09:18:33AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 08:35, Dominick Grift wrote:
> >>> Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> >>> We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
> >>> user home content, and therefore a new type for Git personal repositories is declared.
> >>>
> >>> By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> >>> It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
> >>> read and serve personal repositories, and so we make the policy for this functionality tunable.
> >>>
> >>> We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> >>> repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> >>> directories in any user home directory should be labeled with the personal repository file type.
> >>> That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> >>> repository type. Did you know that users might also need to execute some of the Git personal
> >>> repository content. It is not obvious but in some cases users need to be able to execute the Git
> >>> hooks scripts in their personal repositories. For example the might have a script that runs after the user
> >>> commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
> >>> also allow all login users to execute Git shared repository files.
>
> >>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> >>> index c6d3cc8..2dc8697 100644
> >>> --- a/policy/modules/system/userdomain.if
> >>> +++ b/policy/modules/system/userdomain.if
> >>> @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
> >>> fs_dontaudit_list_cifs($2)
> >>> fs_dontaudit_read_cifs_files($2)
> >>> ')
> >>> +
> >>> + optional_policy(`
> >>> + git_read_user_content($2)
> >>> + ')
> >>> ')
> >>>
> >>> #######################################
> >>> @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
> >>> fs_dontaudit_manage_cifs_dirs($2)
> >>> fs_dontaudit_manage_cifs_files($2)
> >>> ')
> >>> +
> >>> + optional_policy(`
> >>> + git_manage_user_content($2)
> >>> + git_relabel_user_content($2)
> >>> + ')
> >>> ')
> >>>
> >>> #######################################
> >>> @@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
> >>> ')
> >>>
> >>> optional_policy(`
> >>> + git_exec_user_content_files($1_t)
> >>> + ')
> >>> +
> >>> + optional_policy(`
> >>> kerberos_use($1_t)
> >>> ')
> >>
> >> All of these content rules seem like it should be in a git_role()
> >> interface, which would be invoked from the various role.te files.
> >
> > Why do you think that?
> >
> > i will explain why i think not:
> >
> > 1. the file context spec. labels all ~/pubic_git type git_user_content_t, whether the user calls git_role_template or not.
> > 2. sysadm can decide to allow git system daemon to host personal repositories of users that arent allowed to run the git session daemon in the git session domain.
>
> For the first two, they absolutely do not belong there. Those interfaces are
> providing general user home directory access. For the last, it makes more sense
> for that access to go with the other git rules for users. If you're saying that
> users should have git content types w/o any other git policy, I'd say thats
> overengineered. MCS would seem more appropriate in that case.
I can't say that i agree, since apache also have httpd user content types without a httpd session domain, but ok
I can rebase my patch set with the requested changes as soon as we have figured out a way to deal with git_shell user domains and custom shared repository types, see my latest RFC email about that.
We could also do it the easy way and not support Type enforcement shared repository isolation and not support user domain tailored to git shell users.
Instead opt to just settle for using guest_t for git shell and using mcs to limit what guest_t domain can access what git shared repository.
Not my prefered solution but it would make the policy much simpler ( yet harder for admins to grasp )
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110830/d18e20b7/attachment.bin
next prev parent reply other threads:[~2011-08-30 17:31 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-24 12:35 [refpolicy] [ v3 PATCH 0/8] Git daemon domain Dominick Grift
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 1/8] Git inetd service domain and a primage Git shared repository type Dominick Grift
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 2/8] Git personal repositories Dominick Grift
2011-08-26 13:18 ` Christopher J. PeBenito
2011-08-26 13:30 ` Dominick Grift
2011-08-30 13:37 ` Christopher J. PeBenito
2011-08-30 17:31 ` Dominick Grift [this message]
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 3/8] Git shell users Dominick Grift
2011-08-25 9:07 ` Dominick Grift
2011-08-26 13:28 ` Christopher J. PeBenito
2011-08-26 15:36 ` Dominick Grift
2011-08-26 17:26 ` Dominick Grift
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 4/8] Git session daemon Dominick Grift
2011-08-26 13:33 ` Christopher J. PeBenito
2011-08-26 15:30 ` Dominick Grift
2011-08-30 13:50 ` Christopher J. PeBenito
2011-08-30 17:20 ` Dominick Grift
2011-08-31 14:36 ` Christopher J. PeBenito
2011-08-31 14:49 ` Dominick Grift
2011-08-31 15:14 ` Christopher J. PeBenito
2011-08-31 15:38 ` Dominick Grift
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute Dominick Grift
2011-08-26 13:35 ` Christopher J. PeBenito
2011-08-26 16:14 ` Dominick Grift
2011-08-30 13:23 ` Christopher J. PeBenito
2011-08-30 17:15 ` Dominick Grift
2011-08-31 14:48 ` Christopher J. PeBenito
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types Dominick Grift
2011-08-26 13:46 ` Christopher J. PeBenito
2011-08-26 15:46 ` Dominick Grift
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 7/8] Git session daemons binding TCP sockets to unreserved ports Dominick Grift
2011-08-24 12:35 ` [refpolicy] [ v3 PATCH 8/8] I am not sure about this but it might prove useful for NIS? Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110830173136.GD6861@localhost.localdomain \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.