[refpolicy] [ v6 PATCH 1/1] Git daemon policy

* [refpolicy] [ v6 PATCH 1/1] Git daemon policy
@ 2011-08-30 19:09 Dominick Grift
  2011-09-02 13:22 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2011-08-30 19:09 UTC (permalink / raw)
  To: refpolicy

    Renamed git_session_role_template to git_role as per requested.
    Only allow callers of the git_role to manage, execute and relabel git user content as per request.
    Make callers of the git_role transition to git session tunable as per request.
    Make logging to syslog for git session tunable as per request.
    Make git cgi script access to search user home directories tunable as per request.

Dumbed down policy:

No longer support git shell, if administrators want this functionality they better start learning how to write selinux policy because it is currently not supported.
Admins best bet is to create a userdomain based off of userdom_restricted_user_template, and allow this user domain to manage and execute git sys content.

No longer support the use of Type enforcement to enforce git shared repository isolation, There is only one git shared repository type (git_sys_content). If admin wants to use selinux to restrict access to the various shared repositories, then admins best bet currently is to use MCS.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 2be17d2... cdc6c98... M	policy/modules/roles/staff.te
:100644 100644 0f96353... a27e9a4... M	policy/modules/roles/sysadm.te
:100644 100644 7e9da77... 3043ea8... M	policy/modules/roles/unprivuser.te
:100644 100644 54f0737... 65b7dbc... M	policy/modules/services/git.fc
:100644 100644 458aac6... 6daf082... M	policy/modules/services/git.if
:100644 100644 7382f85... 12d93d8... M	policy/modules/services/git.te
 policy/modules/roles/staff.te      |    4 +
 policy/modules/roles/sysadm.te     |    4 +
 policy/modules/roles/unprivuser.te |    4 +
 policy/modules/services/git.fc     |   12 ++-
 policy/modules/services/git.if     |   60 +++++++++-
 policy/modules/services/git.te     |  228 +++++++++++++++++++++++++++++++++++-
 6 files changed, 308 insertions(+), 4 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..cdc6c98 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -27,6 +27,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	git_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..a27e9a4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -148,6 +148,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	git_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	hostname_run(sysadm_t, sysadm_r)
 ')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..3043ea8 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -17,6 +17,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	git_role(user_r, user_t)
+')
+
+optional_policy(`
 	screen_role_template(user, user_r, user_t)
 ')
 
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..65b7dbc 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,11 @@
-/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
+
+/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
+
 /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..6daf082 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,59 @@
-## <summary>GIT revision control system</summary>
+## <summary>GIT revision control system.</summary>
+
+########################################
+## <summary>
+##	Role access for Git session.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+template(`git_role',`
+	gen_require(`
+		type git_session_t, gitd_exec_t, git_user_content_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	## <desc>
+	##	<p>
+	##	Determine whether calling user domains
+	##	can execute Git daemon in the
+	##	git_session_t domain.
+	##	</p>
+	## </desc>
+	gen_tunable(git_session_users, false)
+
+	role $1 types git_session_t;
+
+	########################################
+	#
+	# Policy
+	#
+
+	manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
+	relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
+
+	exec_files_pattern($2, git_user_content_t, git_user_content_t)
+	manage_files_pattern($2, git_user_content_t, git_user_content_t)
+	relabel_files_pattern($2, git_user_content_t, git_user_content_t)
+
+	allow $2 git_session_t:process { ptrace signal_perms };
+	ps_process_pattern($2, git_session_t)
+
+	tunable_policy(`git_session_users',`
+		domtrans_pattern($2, gitd_exec_t, git_session_t)
+	',`
+		can_exec($2, gitd_exec_t)
+	')
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..12d93d8 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -2,7 +2,233 @@ policy_module(git, 1.0)
 
 ########################################
 #
-# Declarations
+# Git global declarations
 #
 
+attribute git_daemon;
+
+type gitd_exec_t;
+
+########################################
+#
+# Git CGI declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Git CGI
+##	can search home directories.
+##	</p>
+## </desc>
+gen_tunable(git_cgi_enable_homedirs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git CGI
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(git_cgi_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git CGI
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(git_cgi_use_nfs, false)
+
 apache_content_template(git)
+
+########################################
+#
+# Git session declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Git session daemons
+##	can send syslog messages.
+##	</p>
+## </desc>
+gen_tunable(git_session_send_syslog_msg, false)
+
+type git_session_t, git_daemon;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Git system declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Git system daemon
+##	can search home directories.
+##	</p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git system daemon
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git system daemon
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+type git_system_t, git_daemon;
+inetd_service_domain(git_system_t, gitd_exec_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+########################################
+#
+# Git global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+miscfiles_read_localization(git_daemon)
+
+########################################
+#
+# Git session policy
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_send_syslog_msg',`
+	logging_send_syslog_msg(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(git_session_t)
+',`
+	fs_dontaudit_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(git_session_t)
+',`
+	fs_dontaudit_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git system policy
+#
+
+list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(git_system_t)
+
+logging_send_syslog_msg(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+	userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(git_system_t)
+',`
+	fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(git_system_t)
+',`
+	fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+	fs_read_cifs_files(git_system_t)
+',`
+	fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+	fs_read_nfs_files(git_system_t)
+',`
+	fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git CGI policy
+#
+
+list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(httpd_git_script_t)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+tunable_policy(`git_cgi_enable_homedirs',`
+	userdom_search_user_home_dirs(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_git_script_t)
+',`
+	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_git_script_t)
+',`
+	fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_cifs',`
+	fs_read_cifs_files(httpd_git_script_t)
+',`
+	fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_nfs',`
+	fs_read_nfs_files(httpd_git_script_t)
+',`
+	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
-- 
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110830/808bd037/attachment-0001.bin 

^ permalink raw reply related	[flat|nested] 2+ messages in thread