[refpolicy] [ v3 PATCH 0/8] Git daemon domain

[refpolicy] [ v3 PATCH 0/8] Git daemon domain

[Dominick Grift]

 config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
 config/appconfig-mls/git_shell_u_default_contexts  |    2 +
 .../git_shell_u_default_contexts                   |    2 +
 policy/modules/roles/git_shell.fc                  |    1 +
 policy/modules/roles/git_shell.if                  |   50 +++
 policy/modules/roles/git_shell.te                  |   15 +
 policy/modules/roles/staff.te                      |    4 +
 policy/modules/roles/sysadm.te                     |    4 +
 policy/modules/roles/unprivuser.te                 |    4 +
 policy/modules/services/git.fc                     |   12 +-
 policy/modules/services/git.if                     |  366 ++++++++++++++++++++
 policy/modules/services/git.te                     |  179 ++++++++++-
 policy/modules/system/userdomain.if                |   76 ++++
 13 files changed, 714 insertions(+), 3 deletions(-)

Had to rebase it all. There was another compatibility issue. In the first patch i declare gitd_t in the fourth patch i change gitd_t to git_system_t without making gitd_t an alias to git_system_t.
Another issue was that in the third patch i added references to booleans that did not exist at that time (git_system_use_nfs and git_system_use_cifs vs. gitd_use_nfs and gitd_use_nfs respectively.

Everything else is the same

Sorry...

[refpolicy] [ v3 PATCH 1/8] Git inetd service domain and a primage Git shared repository type

[Dominick Grift]

Create a Git inetd service domain and create a primary shared repository file type.

Quote from the Git daemon manual page: "git-daemon - A really simple server for git repositories".

This really is no joke. This policy allows Git inetd service domain to read and serve Git shared
repositories located in /var/lib/git. This implementation allows administrators to tune the policy to
allow Git inetd service domain to read and serve Git shared repositories on NFS and/or CIFS shares.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 54f0737... 164d2bf... M	policy/modules/services/git.fc
:100644 100644 7382f85... 7766253... M	policy/modules/services/git.te
 policy/modules/services/git.fc |    6 +++-
 policy/modules/services/git.te |   64 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..164d2bf 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,7 @@
+/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
+
 /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+
+/var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
+
 /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..7766253 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -5,4 +5,68 @@ policy_module(git, 1.0)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether Git daemon
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(gitd_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git daemon
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(gitd_use_nfs, false)
+
+type gitd_t;
+type gitd_exec_t;
+inetd_service_domain(gitd_t, gitd_exec_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gitd_t self:fifo_file rw_fifo_file_perms;
+allow gitd_t self:unix_dgram_socket create_socket_perms;
+
+list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(gitd_t)
+
+kernel_read_system_state(gitd_t)
+
+corecmd_exec_bin(gitd_t)
+
+files_read_usr_files(gitd_t)
+
+auth_use_nsswitch(gitd_t)
+
+logging_send_syslog_msg(gitd_t)
+
+miscfiles_read_localization(gitd_t)
+
+tunable_policy(`gitd_use_cifs',`
+	fs_read_cifs_files(gitd_t)
+',`
+	fs_dontaudit_read_cifs_files(gitd_t)
+')
+
+tunable_policy(`gitd_use_nfs',`
+	fs_read_nfs_files(gitd_t)
+',`
+	fs_dontaudit_read_nfs_files(gitd_t)
+')
+
+########################################
+#
+# Git apache CGI domain
+#
+
 apache_content_template(git)
-- 
1.7.1

[refpolicy] [ v3 PATCH 2/8] Git personal repositories

[Dominick Grift]

Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
user home content, and therefore a new type for Git personal repositories is declared.

By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
read and serve personal repositories, and so we make the policy for this functionality tunable.

We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
directories in any user home directory should be labeled with the personal repository file type.
That means that all login users should be allowed to relabel and manage the git_user_content_t personal
repository type. Did you know that users might also need to execute some of the Git personal
repository content. It is not obvious but in some cases users need to be able to execute the Git
hooks scripts in their personal repositories. For example the might have a script that runs after the user
commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
also allow all login users to execute Git shared repository files.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 164d2bf... 7314ecb... M	policy/modules/services/git.fc
:100644 100644 458aac6... 4da6875... M	policy/modules/services/git.if
:100644 100644 7766253... 6c8e672... M	policy/modules/services/git.te
:100644 100644 c6d3cc8... 2dc8697... M	policy/modules/system/userdomain.if
 policy/modules/services/git.fc      |    2 +
 policy/modules/services/git.if      |  119 +++++++++++++++++++++++++++++++++++
 policy/modules/services/git.te      |   31 +++++++++-
 policy/modules/system/userdomain.if |   13 ++++
 4 files changed, 163 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 164d2bf..7314ecb 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,5 @@
+HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
+
 /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
 
 /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..4da6875 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,120 @@
 ## <summary>GIT revision control system</summary>
+
+########################################
+## <summary>
+##	Execute Git daemon personal
+##	repository content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_exec_user_content_files',`
+	gen_require(`
+		type git_user_content_t;
+	')
+
+	exec_files_pattern($1, git_user_content_t, git_user_content_t)
+	userdom_search_user_home_dirs($1)
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_exec_cifs_files($1)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_exec_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	Git daemon personal repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_manage_user_content',`
+	gen_require(`
+		type git_user_content_t;
+	')
+
+	manage_dirs_pattern($1, git_user_content_t, git_user_content_t)
+	manage_files_pattern($1, git_user_content_t, git_user_content_t)
+	userdom_search_user_home_dirs($1)
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1)
+		fs_dontaudit_manage_cifs_files($1)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1)
+		fs_dontaudit_manage_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read Git daemon personal repository
+##	content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_read_user_content',`
+	gen_require(`
+		type git_user_content_t;
+	')
+
+	list_dirs_pattern($1, git_user_content_t, git_user_content_t)
+	read_files_pattern($1, git_user_content_t, git_user_content_t)
+	userdom_search_user_home_dirs($1)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_read_nfs_files($1)
+	',`
+		fs_dontaudit_read_cifs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_read_cifs_files($1)
+	',`
+		fs_dontaudit_read_cifs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Relabel Git daemon personal
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_relabel_user_content',`
+	gen_require(`
+		type git_user_content_t;
+	')
+
+	relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
+	relabel_files_pattern($1, git_user_content_t, git_user_content_t)
+	userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7766253..6c8e672 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -8,6 +8,14 @@ policy_module(git, 1.0)
 ## <desc>
 ##	<p>
 ##	Determine whether Git daemon
+##	can search home directories.
+##	</p>
+## </desc>
+gen_tunable(gitd_enable_homedirs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git daemon
 ##	can access cifs file systems.
 ##	</p>
 ## </desc>
@@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t)
 type git_sys_content_t;
 files_type(git_sys_content_t)
 
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
 ########################################
 #
 # Local policy
@@ -36,8 +47,8 @@ files_type(git_sys_content_t)
 allow gitd_t self:fifo_file rw_fifo_file_perms;
 allow gitd_t self:unix_dgram_socket create_socket_perms;
 
-list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
-read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
 files_search_var_lib(gitd_t)
 
 kernel_read_system_state(gitd_t)
@@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t)
 
 miscfiles_read_localization(gitd_t)
 
+tunable_policy(`gitd_enable_homedirs',`
+	userdom_search_user_home_dirs(gitd_t)
+')
+
+tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(gitd_t)
+',`
+	fs_dontaudit_read_nfs_files(gitd_t)
+')
+
+tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(gitd_t)
+',`
+	fs_dontaudit_read_cifs_files(gitd_t)
+')
+
 tunable_policy(`gitd_use_cifs',`
 	fs_read_cifs_files(gitd_t)
 ',`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c6d3cc8..2dc8697 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
 		fs_dontaudit_list_cifs($2)
 		fs_dontaudit_read_cifs_files($2)
 	')
+
+	optional_policy(`
+		git_read_user_content($2)
+	')
 ')
 
 #######################################
@@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
 		fs_dontaudit_manage_cifs_dirs($2)
 		fs_dontaudit_manage_cifs_files($2)
 	')
+
+	optional_policy(`
+		git_manage_user_content($2)
+		git_relabel_user_content($2)
+	')
 ')
 
 #######################################
@@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
 	')
 
 	optional_policy(`
+		git_exec_user_content_files($1_t)
+	')
+
+	optional_policy(`
 		kerberos_use($1_t)
 	')
 
-- 
1.7.1

[refpolicy] [ v3 PATCH 3/8] Git shell users

[Dominick Grift]

Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
purpose of commiting to shared repositories needs much less privileges that the least privilege
userdom_base_user_template provides.

Git shell users do not need pty's, execmem or many other privileges provided by the base_user_template.
Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
administrators can easily map their Unix logins to the Git shell SELinux user.

This Git shell user domain is allowed to manage and execute (primary) shared repositories.

FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell

Fix2: booleans git_system_use_cifs and git_system_use_nfs are currenlty named gitd_use_cifs and gitd_use_nfs respectively

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:000000 100644 0000000... 2d9c6bc... A	config/appconfig-mcs/git_shell_u_default_contexts
:000000 100644 0000000... 2d9c6bc... A	config/appconfig-mls/git_shell_u_default_contexts
:000000 100644 0000000... bfbd788... A	config/appconfig-standard/git_shell_u_default_contexts
:000000 100644 0000000... 601a7b0... A	policy/modules/roles/git_shell.fc
:000000 100644 0000000... c6d9896... A	policy/modules/roles/git_shell.if
:000000 100644 0000000... f5aa6cb... A	policy/modules/roles/git_shell.te
:100644 100644 4da6875... 6238d54... M	policy/modules/services/git.if
:100644 100644 2dc8697... 5c30b4b... M	policy/modules/system/userdomain.if
 config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
 config/appconfig-mls/git_shell_u_default_contexts  |    2 +
 .../git_shell_u_default_contexts                   |    2 +
 policy/modules/roles/git_shell.fc                  |    1 +
 policy/modules/roles/git_shell.if                  |   50 +++++++++++++++
 policy/modules/roles/git_shell.te                  |   15 +++++
 policy/modules/services/git.if                     |   67 ++++++++++++++++++++
 policy/modules/system/userdomain.if                |   63 ++++++++++++++++++
 8 files changed, 202 insertions(+), 0 deletions(-)

diff --git a/config/appconfig-mcs/git_shell_u_default_contexts b/config/appconfig-mcs/git_shell_u_default_contexts
new file mode 100644
index 0000000..2d9c6bc
--- /dev/null
+++ b/config/appconfig-mcs/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t:s0		git_shell_r:git_shell_t:s0
+system_r:sshd_t:s0		git_shell_r:git_shell_t:s0
diff --git a/config/appconfig-mls/git_shell_u_default_contexts b/config/appconfig-mls/git_shell_u_default_contexts
new file mode 100644
index 0000000..2d9c6bc
--- /dev/null
+++ b/config/appconfig-mls/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t:s0		git_shell_r:git_shell_t:s0
+system_r:sshd_t:s0		git_shell_r:git_shell_t:s0
diff --git a/config/appconfig-standard/git_shell_u_default_contexts b/config/appconfig-standard/git_shell_u_default_contexts
new file mode 100644
index 0000000..bfbd788
--- /dev/null
+++ b/config/appconfig-standard/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t			git_shell_r:git_shell_t
+system_r:sshd_t			git_shell_r:git_shell_t
diff --git a/policy/modules/roles/git_shell.fc b/policy/modules/roles/git_shell.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/git_shell.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/git_shell.if b/policy/modules/roles/git_shell.if
new file mode 100644
index 0000000..c6d9896
--- /dev/null
+++ b/policy/modules/roles/git_shell.if
@@ -0,0 +1,50 @@
+## <summary>Git shell user role.</summary>
+
+########################################
+## <summary>
+##	Change to the git shell role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_shell_role_change',`
+	gen_require(`
+		role git_shell_r;
+	')
+
+	allow $1 git_shell_r;
+')
+
+########################################
+## <summary>
+##	Change from the git shell role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the git shell role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_shell_role_change_to',`
+	gen_require(`
+		role git_shell_r;
+	')
+
+	allow git_shell_r $1;
+')
diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te
new file mode 100644
index 0000000..f5aa6cb
--- /dev/null
+++ b/policy/modules/roles/git_shell.te
@@ -0,0 +1,15 @@
+policy_module(git_shell, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+userdom_git_user_template(git_shell)
+
+########################################
+#
+# Local policy
+#
+
+#gen_user(git_shell_u,, git_shell_r, s0, s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 4da6875..6238d54 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -2,6 +2,73 @@
 
 ########################################
 ## <summary>
+##	Execute Git daemon generic shared
+##	repository content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_exec_generic_sys_content_files',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+
+	tunable_policy(`gitd_use_cifs',`
+		fs_exec_cifs_files($1)
+	')
+
+	tunable_policy(`gitd_use_nfs',`
+		fs_exec_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	Git daemon generic shared
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_manage_generic_sys_content',`
+	gen_require(`
+		type git_sys_content_t;
+	')
+
+	manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
+	files_search_var_lib($1)
+
+	tunable_policy(`gitd_use_cifs',`
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1)
+		fs_dontaudit_manage_cifs_files($1)
+	')
+
+	tunable_policy(`gitd_use_nfs',`
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1)
+		fs_dontaudit_manage_nfs_files($1)
+	')
+')
+
+
+########################################
+## <summary>
 ##	Execute Git daemon personal
 ##	repository content files.
 ## </summary>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2dc8697..5c30b4b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2,6 +2,69 @@
 
 #######################################
 ## <summary>
+##	Template for creating Git users.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	Prefix of the user domain.
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_git_user_template',`
+	gen_require(`
+		attribute unpriv_userdomain, userdomain;
+		class context contains;
+		role system_r;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, unpriv_userdomain, userdomain;
+	domain_type($1_t)
+	ubac_constrained($1_t)
+	role $1_r;
+	role $1_r types $1_t;
+	allow system_r $1_r;
+
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_t self:context contains;
+	allow $1_t self:fifo_file rw_fifo_file_perms;
+
+	kernel_read_system_state($1_t)
+
+	corecmd_exec_bin($1_t)
+	corecmd_bin_entry_type($1_t)
+	corecmd_shell_entry_type($1_t)
+
+	domain_interactive_fd($1_t)
+	domain_user_exemption_target($1_t)
+
+	files_dontaudit_list_non_security($1_t)
+	files_dontaudit_getattr_non_security_files($1_t)
+	files_dontaudit_getattr_non_security_symlinks($1_t)
+	files_dontaudit_getattr_non_security_pipes($1_t)
+	files_dontaudit_getattr_non_security_sockets($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	git_exec_generic_sys_content_files($1_t)
+	git_manage_generic_sys_content($1_t)
+
+	ssh_rw_stream_sockets($1_t)
+')
+
+#######################################
+## <summary>
 ##	The template containing the most basic rules common to all users.
 ## </summary>
 ## <desc>
-- 
1.7.1

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Dominick Grift]

Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
read and serve their Git personal repositories in ~/public_git. It in large parts does the same
as Git daemon run by inetd but there are some differences. Most notably is the network access
that the Git session daemon requires to listen on the Git port for service.

The Git system daemon does not need this because inetd takes care of the network for it.
Another difference is that Git session daemon can only read and serve users Git personal
repositories, where Git system daemon can, if configured, read and serve both shared as well
as personal repositories. Since much of the policy is common to both session and
system, we declared a git_daemon attribute and assigned that to both the Git system and
session daemons. This allows use to write policy that both daemon have in common once.
Leaving the policy as compact as possible. So now we have two Git daemon domains, one
session domain started by unprivileged users and one system domain started by inetd.

Fix: since we renamed gitd_t to git_system_t, add alias.
Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 2be17d2... 17fc624... M	policy/modules/roles/staff.te
:100644 100644 0f96353... 7461e65... M	policy/modules/roles/sysadm.te
:100644 100644 7e9da77... 52156cd... M	policy/modules/roles/unprivuser.te
:100644 100644 6238d54... f1466e1... M	policy/modules/services/git.if
:100644 100644 6c8e672... 7040bf6... M	policy/modules/services/git.te
 policy/modules/roles/staff.te      |    4 +
 policy/modules/roles/sysadm.te     |    4 +
 policy/modules/roles/unprivuser.te |    4 +
 policy/modules/services/git.if     |   46 +++++++++++-
 policy/modules/services/git.te     |  134 ++++++++++++++++++++++++++----------
 5 files changed, 150 insertions(+), 42 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..17fc624 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -89,6 +89,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		git_session_role_template(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		gnome_role(staff_r, staff_t)
 	')
 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..7461e65 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -438,6 +438,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		git_session_role_template(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
 		gnome_role(sysadm_r, sysadm_t)
 	')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..52156cd 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -62,6 +62,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		git_session_role_template(user_r, user_t)
+	')
+
+	optional_policy(`
 		gnome_role(user_r, user_t)
 	')
 
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 6238d54..f1466e1 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -2,6 +2,44 @@
 
 ########################################
 ## <summary>
+##	Role access for Git session daemon.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+template(`git_session_role_template',`
+	gen_require(`
+		type git_session_t, gitd_exec_t;
+	')
+
+	########################################
+	#
+	# Git session daemon shared declarations
+	#
+
+	role $1 types git_session_t;
+
+	########################################
+	#
+	# Git session daemon shared policy
+	#
+
+	domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+	allow $2 git_session_t:process { ptrace signal_perms };
+	ps_process_pattern($2, git_session_t)
+')
+
+########################################
+## <summary>
 ##	Execute Git daemon generic shared
 ##	repository content files.
 ## </summary>
@@ -19,11 +57,11 @@ interface(`git_exec_generic_sys_content_files',`
 	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
 	files_search_var_lib($1)
 
-	tunable_policy(`gitd_use_cifs',`
+	tunable_policy(`git_system_use_cifs',`
 		fs_exec_cifs_files($1)
 	')
 
-	tunable_policy(`gitd_use_nfs',`
+	tunable_policy(`git_system_use_nfs',`
 		fs_exec_nfs_files($1)
 	')
 ')
@@ -49,7 +87,7 @@ interface(`git_manage_generic_sys_content',`
 	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
 	files_search_var_lib($1)
 
-	tunable_policy(`gitd_use_cifs',`
+	tunable_policy(`git_system_use_cifs',`
 		fs_manage_cifs_dirs($1)
 		fs_manage_cifs_files($1)
 	',`
@@ -57,7 +95,7 @@ interface(`git_manage_generic_sys_content',`
 		fs_dontaudit_manage_cifs_files($1)
 	')
 
-	tunable_policy(`gitd_use_nfs',`
+	tunable_policy(`git_system_use_nfs',`
 		fs_manage_nfs_dirs($1)
 		fs_manage_nfs_files($1)
 	',`
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 6c8e672..7040bf6 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -2,93 +2,151 @@ policy_module(git, 1.0)
 
 ########################################
 #
-# Declarations
+# Git daemon global declarations
+#
+
+attribute git_daemon;
+
+type gitd_exec_t;
+
+########################################
+#
+# Git session daemon declarations
+#
+
+type git_session_t, git_daemon;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Git system daemon declarations
 #
 
 ## <desc>
 ##	<p>
-##	Determine whether Git daemon
+##	Determine whether Git system daemon
 ##	can search home directories.
 ##	</p>
 ## </desc>
-gen_tunable(gitd_enable_homedirs, false)
+gen_tunable(git_system_enable_homedirs, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether Git daemon
+##	Determine whether Git system daemon
 ##	can access cifs file systems.
 ##	</p>
 ## </desc>
-gen_tunable(gitd_use_cifs, false)
+gen_tunable(git_system_use_cifs, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether Git daemon
+##	Determine whether Git system daemon
 ##	can access nfs file systems.
 ##	</p>
 ## </desc>
-gen_tunable(gitd_use_nfs, false)
+gen_tunable(git_system_use_nfs, false)
 
-type gitd_t;
-type gitd_exec_t;
-inetd_service_domain(gitd_t, gitd_exec_t)
+type git_system_t, git_daemon;
+typealias git_system_t alias gitd_t;
+inetd_service_domain(git_system_t, gitd_exec_t)
 
 type git_sys_content_t;
 files_type(git_sys_content_t)
 
-type git_user_content_t;
-userdom_user_home_content(git_user_content_t)
+########################################
+#
+# Git daemon global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+logging_send_syslog_msg(git_daemon)
+
+miscfiles_read_localization(git_daemon)
 
 ########################################
 #
-# Local policy
+# Git session daemon policy
 #
 
-allow gitd_t self:fifo_file rw_fifo_file_perms;
-allow gitd_t self:unix_dgram_socket create_socket_perms;
+allow git_session_t self:tcp_socket { accept listen };
 
-list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
-read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
-files_search_var_lib(gitd_t)
+list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+userdom_search_user_home_dirs(git_session_t)
 
-kernel_read_system_state(gitd_t)
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)
 
-corecmd_exec_bin(gitd_t)
+userdom_use_user_terminals(git_session_t)
 
-files_read_usr_files(gitd_t)
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(git_session_t)
+',`
+	fs_dontaudit_read_nfs_files(git_session_t)
+')
 
-auth_use_nsswitch(gitd_t)
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(git_session_t)
+',`
+	fs_dontaudit_read_cifs_files(git_session_t)
+')
 
-logging_send_syslog_msg(gitd_t)
+########################################
+#
+# Git system daemon policy
+#
 
-miscfiles_read_localization(gitd_t)
+list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+files_search_var_lib(git_system_t)
 
-tunable_policy(`gitd_enable_homedirs',`
-	userdom_search_user_home_dirs(gitd_t)
+tunable_policy(`git_system_enable_homedirs',`
+	userdom_search_user_home_dirs(git_system_t)
 ')
 
-tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
-	fs_read_nfs_files(gitd_t)
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(git_system_t)
 ',`
-	fs_dontaudit_read_nfs_files(gitd_t)
+	fs_dontaudit_read_nfs_files(git_system_t)
 ')
 
-tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
-	fs_read_cifs_files(gitd_t)
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(git_system_t)
 ',`
-	fs_dontaudit_read_cifs_files(gitd_t)
+	fs_dontaudit_read_cifs_files(git_system_t)
 ')
 
-tunable_policy(`gitd_use_cifs',`
-	fs_read_cifs_files(gitd_t)
+tunable_policy(`git_system_use_cifs',`
+	fs_read_cifs_files(git_system_t)
 ',`
-	fs_dontaudit_read_cifs_files(gitd_t)
+	fs_dontaudit_read_cifs_files(git_system_t)
 ')
 
-tunable_policy(`gitd_use_nfs',`
-	fs_read_nfs_files(gitd_t)
+tunable_policy(`git_system_use_nfs',`
+	fs_read_nfs_files(git_system_t)
 ',`
-	fs_dontaudit_read_nfs_files(gitd_t)
+	fs_dontaudit_read_nfs_files(git_system_t)
 ')
 
 ########################################
-- 
1.7.1

[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

[Dominick Grift]

Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
The policy in this commit was taken from Fedora. It is well tested i believe.
These web applications display Git repositories. And they Should be able to read any Git
repository whether shared or personal. We implemented another attribute for it called git_content.
This attribute will be assigned to any and all Git repository content types, either existing or
to be created. Hopefully the next commit should explain why this attribute makes sense.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
:100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
:100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
 policy/modules/services/git.fc |    4 ++-
 policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/services/git.te |   11 +++++++-
 3 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 7314ecb..c005782 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
 
 /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
 
-/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 
 /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
 
 /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index f1466e1..83356f2 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -40,6 +40,52 @@ template(`git_session_role_template',`
 
 ########################################
 ## <summary>
+##	Read all Git daemon repository
+##	content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`git_read_all_content',`
+	gen_require(`
+		attribute git_content;
+	')
+
+	list_dirs_pattern($1, git_content, git_content)
+	read_files_pattern($1, git_content, git_content)
+	userdom_search_user_home_dirs($1)
+	files_search_var_lib($1)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_read_nfs_files($1)
+	',`
+		fs_dontaudit_read_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_read_cifs_files($1)
+	',`
+		fs_dontaudit_read_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_read_cifs_files($1)
+	',`
+		fs_dontaudit_read_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_read_nfs_files($1)
+	',`
+		fs_dontaudit_read_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Execute Git daemon generic shared
 ##	repository content files.
 ## </summary>
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7040bf6..8602887 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -5,6 +5,7 @@ policy_module(git, 1.0)
 # Git daemon global declarations
 #
 
+attribute git_content;
 attribute git_daemon;
 
 type gitd_exec_t;
@@ -18,7 +19,7 @@ type git_session_t, git_daemon;
 application_domain(git_session_t, gitd_exec_t)
 ubac_constrained(git_session_t)
 
-type git_user_content_t;
+type git_user_content_t, git_content;
 userdom_user_home_content(git_user_content_t)
 
 ########################################
@@ -54,7 +55,7 @@ type git_system_t, git_daemon;
 typealias git_system_t alias gitd_t;
 inetd_service_domain(git_system_t, gitd_exec_t)
 
-type git_sys_content_t;
+type git_sys_content_t, git_content;
 files_type(git_sys_content_t)
 
 ########################################
@@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
 #
 
 apache_content_template(git)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+git_read_all_content(httpd_git_script_t)
-- 
1.7.1

[refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types

[Dominick Grift]

In my previous commit i promised i would try to explain the use of the git_content attribute.
It is a attribute to asign to existing and to be create shared and private repository types.

In this commit we are using this attribute to allow Git system daemon to read and serve any
repository content. We do this because the userdom_git_user_template allows use to provides
administrators with advanced type enforcement possibility to restrict access to
various types of shared repository. In this commit we created the
git_shared_content_template.

This template allows for easy creation of new shared repository types.
We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces.
This allows us to make a connection between Git user domain and Git shared repository content
types. These interfaces and templates allow administrators to create new Git user domains
and allow the various Git user domains access to specified Git shared repositories.

This allows administrators to employ Type enforcement for shared repository and Git user separation.
We also created a attribute called git_system_content that is assigned to all types derived from the
prefix that the git_shared_content_template expects. This might be handy if some one later wants a
given Git user domain to have access to any shared repository type and not just the primary
git_sys_content_t repository type.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 83356f2... fb27b32... M	policy/modules/services/git.if
:100644 100644 8602887... ba56287... M	policy/modules/services/git.te
 policy/modules/services/git.if |   96 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/services/git.te |    9 ++--
 2 files changed, 101 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 83356f2..fb27b32 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -40,6 +40,102 @@ template(`git_session_role_template',`
 
 ########################################
 ## <summary>
+##	Create a set of derived types for
+##	Git daemon shared repository content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`git_shared_content_template',`
+	gen_require(`
+		attribute git_system_content, git_content;
+	')
+
+	type git_$1_content_t, git_system_content, git_content;
+	files_type(git_$1_content_t)
+')
+
+#######################################
+## <summary>
+##	Execute specified Git daemon
+##	shared repository content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Type to allow access to.
+##	</summary>
+## </param>
+#
+interface(`git_exec_spec_shared_content_files',`
+	gen_require(`
+		type $1, $2;
+	')
+
+	exec_files_pattern($1, $2, $2)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_exec_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_exec_nfs_files($1)
+	')
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	specified Git daemon shared
+##	repository content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Type to allow access to.
+##	</summary>
+## </param>
+#
+interface(`git_manage_spec_shared_content',`
+	gen_require(`
+		type $1, $2;
+	')
+
+	manage_dirs_pattern($1, $2, $2)
+	manage_files_pattern($1, $2, $2)
+	files_search_var_lib($1)
+
+	tunable_policy(`git_system_use_cifs',`
+		fs_manage_cifs_dirs($1)
+		fs_manage_cifs_files($1)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1)
+		fs_dontaudit_manage_cifs_files($1)
+	')
+
+	tunable_policy(`git_system_use_nfs',`
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1)
+		fs_dontaudit_manage_nfs_files($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Read all Git daemon repository
 ##	content.
 ## </summary>
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 8602887..ba56287 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -51,12 +51,13 @@ gen_tunable(git_system_use_cifs, false)
 ## </desc>
 gen_tunable(git_system_use_nfs, false)
 
+attribute git_system_content;
+
 type git_system_t, git_daemon;
 typealias git_system_t alias gitd_t;
 inetd_service_domain(git_system_t, gitd_exec_t)
 
-type git_sys_content_t, git_content;
-files_type(git_sys_content_t)
+git_shared_content_template(sys)
 
 ########################################
 #
@@ -118,8 +119,8 @@ tunable_policy(`use_samba_home_dirs',`
 # Git system daemon policy
 #
 
-list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
-read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
 files_search_var_lib(git_system_t)
 
 tunable_policy(`git_system_enable_homedirs',`
-- 
1.7.1

[refpolicy] [ v3 PATCH 7/8] Git session daemons binding TCP sockets to unreserved ports

[Dominick Grift]

Assume you own this big shell hosting company and you want to allow your customers to be able to
serve their Git personal repositories to their discretion. You might end up with hundreds
of instances of Git session daemons. They cannot all bind TCP sockets to a single Git port.

This functionality allows the administrator to tune the policy to allow Git session daemons to
bind TCP sockets to any unreserved port.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 ba56287... 6723c99... M	policy/modules/services/git.te
 policy/modules/services/git.te |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index ba56287..6723c99 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -15,6 +15,14 @@ type gitd_exec_t;
 # Git session daemon declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether Git session daemons
+##	can bind tcp sockets to all unreserved ports.
+##	</p>
+## </desc>
+gen_tunable(git_session_tcp_bind_all_unreserved_ports, false)
+
 type git_session_t, git_daemon;
 application_domain(git_session_t, gitd_exec_t)
 ubac_constrained(git_session_t)
@@ -102,6 +110,12 @@ corenet_sendrecv_git_server_packets(git_session_t)
 
 userdom_use_user_terminals(git_session_t)
 
+tunable_policy(`git_session_tcp_bind_all_unreserved_ports',`
+	corenet_tcp_bind_all_unreserved_ports(git_session_t)
+	corenet_tcp_sendrecv_all_ports(git_session_t)
+	corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(git_session_t)
 ',`
-- 
1.7.1

[refpolicy] [ v3 PATCH 8/8] I am not sure about this but it might prove useful for NIS?

[Dominick Grift]

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 6723c99... a60be12... M	policy/modules/services/git.te
 policy/modules/services/git.te |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 6723c99..a60be12 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -81,12 +81,18 @@ corecmd_exec_bin(git_daemon)
 
 files_read_usr_files(git_daemon)
 
+fs_search_auto_mountpoints(git_daemon)
+
 auth_use_nsswitch(git_daemon)
 
 logging_send_syslog_msg(git_daemon)
 
 miscfiles_read_localization(git_daemon)
 
+optional_policy(`
+	automount_dontaudit_getattr_tmp_dirs(git_daemon)
+')
+
 ########################################
 #
 # Git session daemon policy
-- 
1.7.1

[refpolicy] [ v3 PATCH 3/8] Git shell users

[Dominick Grift]

On Wed, Aug 24, 2011 at 02:35:41PM +0200, Dominick Grift wrote:

Today i was reading an article about the scponly shell. This seems to have properties similar to Git shell. Maybe we could make userdom_git_user_template -> userdom_base_user_template, and rename the current userdom_base_user_template, or something along those lines.

I have been thinking about possible arguments against a userdom_git_user_tempplate.

Q: Why not just use userdom_base_user_template for "git shell (and possibly scponly) users?
A: That would make it harder to configure for administrators. The nice thing about this current implementation is that a default Git shell seuser exists. Administrators can just map their users logins to it and start. It provides Git shell users with access to generic shared repositories. Besides, compare the userdom_git_user_template to userdom_base_user_template, the laster gives the caller way more privileges that arent needed.

But userdom_git_user_template is useless for scponly users currently because it provides access to generic shared repositories. We do not want scponly users to have this privilege.

That brings me to another issue where the inteface calls git_manage_generic_sys_content and git exec_generic_content_files are not optional policy in the userdom_git_user_template. Which means any calling module will have a dependency on the git module.

> Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
> together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
> using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
> purpose of commiting to shared repositories needs much less privileges that the least privilege
> userdom_base_user_template provides.
> 
> Git shell users do not need pty's, execmem or many other privileges provided by the base_user_template.
> Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
> administrators can easily map their Unix logins to the Git shell SELinux user.
> 
> This Git shell user domain is allowed to manage and execute (primary) shared repositories.
> 
> FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
> git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell
> 
> Fix2: booleans git_system_use_cifs and git_system_use_nfs are currenlty named gitd_use_cifs and gitd_use_nfs respectively
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mcs/git_shell_u_default_contexts
> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mls/git_shell_u_default_contexts
> :000000 100644 0000000... bfbd788... A	config/appconfig-standard/git_shell_u_default_contexts
> :000000 100644 0000000... 601a7b0... A	policy/modules/roles/git_shell.fc
> :000000 100644 0000000... c6d9896... A	policy/modules/roles/git_shell.if
> :000000 100644 0000000... f5aa6cb... A	policy/modules/roles/git_shell.te
> :100644 100644 4da6875... 6238d54... M	policy/modules/services/git.if
> :100644 100644 2dc8697... 5c30b4b... M	policy/modules/system/userdomain.if
>  config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
>  config/appconfig-mls/git_shell_u_default_contexts  |    2 +
>  .../git_shell_u_default_contexts                   |    2 +
>  policy/modules/roles/git_shell.fc                  |    1 +
>  policy/modules/roles/git_shell.if                  |   50 +++++++++++++++
>  policy/modules/roles/git_shell.te                  |   15 +++++
>  policy/modules/services/git.if                     |   67 ++++++++++++++++++++
>  policy/modules/system/userdomain.if                |   63 ++++++++++++++++++
>  8 files changed, 202 insertions(+), 0 deletions(-)
> 
> diff --git a/config/appconfig-mcs/git_shell_u_default_contexts b/config/appconfig-mcs/git_shell_u_default_contexts
> new file mode 100644
> index 0000000..2d9c6bc
> --- /dev/null
> +++ b/config/appconfig-mcs/git_shell_u_default_contexts
> @@ -0,0 +1,2 @@
> +git_shell_r:git_shell_t:s0		git_shell_r:git_shell_t:s0
> +system_r:sshd_t:s0		git_shell_r:git_shell_t:s0
> diff --git a/config/appconfig-mls/git_shell_u_default_contexts b/config/appconfig-mls/git_shell_u_default_contexts
> new file mode 100644
> index 0000000..2d9c6bc
> --- /dev/null
> +++ b/config/appconfig-mls/git_shell_u_default_contexts
> @@ -0,0 +1,2 @@
> +git_shell_r:git_shell_t:s0		git_shell_r:git_shell_t:s0
> +system_r:sshd_t:s0		git_shell_r:git_shell_t:s0
> diff --git a/config/appconfig-standard/git_shell_u_default_contexts b/config/appconfig-standard/git_shell_u_default_contexts
> new file mode 100644
> index 0000000..bfbd788
> --- /dev/null
> +++ b/config/appconfig-standard/git_shell_u_default_contexts
> @@ -0,0 +1,2 @@
> +git_shell_r:git_shell_t			git_shell_r:git_shell_t
> +system_r:sshd_t			git_shell_r:git_shell_t
> diff --git a/policy/modules/roles/git_shell.fc b/policy/modules/roles/git_shell.fc
> new file mode 100644
> index 0000000..601a7b0
> --- /dev/null
> +++ b/policy/modules/roles/git_shell.fc
> @@ -0,0 +1 @@
> +# file contexts handled by userdomain and genhomedircon
> diff --git a/policy/modules/roles/git_shell.if b/policy/modules/roles/git_shell.if
> new file mode 100644
> index 0000000..c6d9896
> --- /dev/null
> +++ b/policy/modules/roles/git_shell.if
> @@ -0,0 +1,50 @@
> +## <summary>Git shell user role.</summary>
> +
> +########################################
> +## <summary>
> +##	Change to the git shell role.
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`git_shell_role_change',`
> +	gen_require(`
> +		role git_shell_r;
> +	')
> +
> +	allow $1 git_shell_r;
> +')
> +
> +########################################
> +## <summary>
> +##	Change from the git shell role.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Change from the git shell role to
> +##	the specified role.
> +##	</p>
> +##	<p>
> +##	This is an interface to support third party modules
> +##	and its use is not allowed in upstream reference
> +##	policy.
> +##	</p>
> +## </desc>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`git_shell_role_change_to',`
> +	gen_require(`
> +		role git_shell_r;
> +	')
> +
> +	allow git_shell_r $1;
> +')
> diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te
> new file mode 100644
> index 0000000..f5aa6cb
> --- /dev/null
> +++ b/policy/modules/roles/git_shell.te
> @@ -0,0 +1,15 @@
> +policy_module(git_shell, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +userdom_git_user_template(git_shell)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +#gen_user(git_shell_u,, git_shell_r, s0, s0)
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 4da6875..6238d54 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -2,6 +2,73 @@
>  
>  ########################################
>  ## <summary>
> +##	Execute Git daemon generic shared
> +##	repository content files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_exec_generic_sys_content_files',`
> +	gen_require(`
> +		type git_sys_content_t;
> +	')
> +
> +	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> +	files_search_var_lib($1)
> +
> +	tunable_policy(`gitd_use_cifs',`
> +		fs_exec_cifs_files($1)
> +	')
> +
> +	tunable_policy(`gitd_use_nfs',`
> +		fs_exec_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	Git daemon generic shared
> +##	repository content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_manage_generic_sys_content',`
> +	gen_require(`
> +		type git_sys_content_t;
> +	')
> +
> +	manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> +	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> +	files_search_var_lib($1)
> +
> +	tunable_policy(`gitd_use_cifs',`
> +		fs_manage_cifs_dirs($1)
> +		fs_manage_cifs_files($1)
> +	',`
> +		fs_dontaudit_manage_cifs_dirs($1)
> +		fs_dontaudit_manage_cifs_files($1)
> +	')
> +
> +	tunable_policy(`gitd_use_nfs',`
> +		fs_manage_nfs_dirs($1)
> +		fs_manage_nfs_files($1)
> +	',`
> +		fs_dontaudit_manage_nfs_dirs($1)
> +		fs_dontaudit_manage_nfs_files($1)
> +	')
> +')
> +
> +
> +########################################
> +## <summary>
>  ##	Execute Git daemon personal
>  ##	repository content files.
>  ## </summary>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 2dc8697..5c30b4b 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2,6 +2,69 @@
>  
>  #######################################
>  ## <summary>
> +##	Template for creating Git users.
> +## </summary>
> +## <param name="userdomain_prefix">
> +##	<summary>
> +##	Prefix of the user domain.
> +##	</summary>
> +## </param>
> +## <rolebase/>
> +#
> +template(`userdom_git_user_template',`
> +	gen_require(`
> +		attribute unpriv_userdomain, userdomain;
> +		class context contains;
> +		role system_r;
> +	')
> +
> +	########################################
> +	#
> +	# Declarations
> +	#
> +
> +	type $1_t, unpriv_userdomain, userdomain;
> +	domain_type($1_t)
> +	ubac_constrained($1_t)
> +	role $1_r;
> +	role $1_r types $1_t;
> +	allow system_r $1_r;
> +
> +	########################################
> +	#
> +	# Local policy
> +	#
> +
> +	allow $1_t self:context contains;
> +	allow $1_t self:fifo_file rw_fifo_file_perms;
> +
> +	kernel_read_system_state($1_t)
> +
> +	corecmd_exec_bin($1_t)
> +	corecmd_bin_entry_type($1_t)
> +	corecmd_shell_entry_type($1_t)
> +
> +	domain_interactive_fd($1_t)
> +	domain_user_exemption_target($1_t)
> +
> +	files_dontaudit_list_non_security($1_t)
> +	files_dontaudit_getattr_non_security_files($1_t)
> +	files_dontaudit_getattr_non_security_symlinks($1_t)
> +	files_dontaudit_getattr_non_security_pipes($1_t)
> +	files_dontaudit_getattr_non_security_sockets($1_t)
> +
> +	auth_use_nsswitch($1_t)
> +
> +	miscfiles_read_localization($1_t)
> +
> +	git_exec_generic_sys_content_files($1_t)
> +	git_manage_generic_sys_content($1_t)
> +
> +	ssh_rw_stream_sockets($1_t)
> +')
> +
> +#######################################
> +## <summary>
>  ##	The template containing the most basic rules common to all users.
>  ## </summary>
>  ## <desc>
> -- 
> 1.7.1
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110825/7565474c/attachment-0001.bin 

[refpolicy] [ v3 PATCH 2/8] Git personal repositories

[Christopher J. PeBenito]

On 08/24/11 08:35, Dominick Grift wrote:
> Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
> user home content, and therefore a new type for Git personal repositories is declared.
> 
> By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
> read and serve personal repositories, and so we make the policy for this functionality tunable.
> 
> We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> directories in any user home directory should be labeled with the personal repository file type.
> That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> repository type. Did you know that users might also need to execute some of the Git personal
> repository content. It is not obvious but in some cases users need to be able to execute the Git
> hooks scripts in their personal repositories. For example the might have a script that runs after the user
> commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
> also allow all login users to execute Git shared repository files.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 164d2bf... 7314ecb... M	policy/modules/services/git.fc
> :100644 100644 458aac6... 4da6875... M	policy/modules/services/git.if
> :100644 100644 7766253... 6c8e672... M	policy/modules/services/git.te
> :100644 100644 c6d3cc8... 2dc8697... M	policy/modules/system/userdomain.if
>  policy/modules/services/git.fc      |    2 +
>  policy/modules/services/git.if      |  119 +++++++++++++++++++++++++++++++++++
>  policy/modules/services/git.te      |   31 +++++++++-
>  policy/modules/system/userdomain.if |   13 ++++
>  4 files changed, 163 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 164d2bf..7314ecb 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,5 @@
> +HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> +
>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
>  
>  /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..4da6875 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,120 @@
>  ## <summary>GIT revision control system</summary>
> +
> +########################################
> +## <summary>
> +##	Execute Git daemon personal
> +##	repository content files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_exec_user_content_files',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	exec_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_exec_cifs_files($1)
> +	')
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_exec_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	Git daemon personal repository content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_manage_user_content',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	manage_dirs_pattern($1, git_user_content_t, git_user_content_t)
> +	manage_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_manage_cifs_dirs($1)
> +		fs_manage_cifs_files($1)
> +	',`
> +		fs_dontaudit_manage_cifs_dirs($1)
> +		fs_dontaudit_manage_cifs_files($1)
> +	')
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_manage_nfs_dirs($1)
> +		fs_manage_nfs_files($1)
> +	',`
> +		fs_dontaudit_manage_nfs_dirs($1)
> +		fs_dontaudit_manage_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Read Git daemon personal repository
> +##	content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_read_user_content',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	list_dirs_pattern($1, git_user_content_t, git_user_content_t)
> +	read_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_read_nfs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_read_cifs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Relabel Git daemon personal
> +##	repository content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_relabel_user_content',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
> +	relabel_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +')
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7766253..6c8e672 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -8,6 +8,14 @@ policy_module(git, 1.0)
>  ## <desc>
>  ##	<p>
>  ##	Determine whether Git daemon
> +##	can search home directories.
> +##	</p>
> +## </desc>
> +gen_tunable(gitd_enable_homedirs, false)
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git daemon
>  ##	can access cifs file systems.
>  ##	</p>
>  ## </desc>
> @@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t)
>  type git_sys_content_t;
>  files_type(git_sys_content_t)
>  
> +type git_user_content_t;
> +userdom_user_home_content(git_user_content_t)
> +
>  ########################################
>  #
>  # Local policy
> @@ -36,8 +47,8 @@ files_type(git_sys_content_t)
>  allow gitd_t self:fifo_file rw_fifo_file_perms;
>  allow gitd_t self:unix_dgram_socket create_socket_perms;
>  
> -list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
> -read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
> +list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> +read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
>  files_search_var_lib(gitd_t)
>  
>  kernel_read_system_state(gitd_t)
> @@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t)
>  
>  miscfiles_read_localization(gitd_t)
>  
> +tunable_policy(`gitd_enable_homedirs',`
> +	userdom_search_user_home_dirs(gitd_t)
> +')
> +
> +tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> +	fs_read_nfs_files(gitd_t)
> +',`
> +	fs_dontaudit_read_nfs_files(gitd_t)
> +')
> +
> +tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> +	fs_read_cifs_files(gitd_t)
> +',`
> +	fs_dontaudit_read_cifs_files(gitd_t)
> +')
> +
>  tunable_policy(`gitd_use_cifs',`
>  	fs_read_cifs_files(gitd_t)
>  ',`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index c6d3cc8..2dc8697 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
>  		fs_dontaudit_list_cifs($2)
>  		fs_dontaudit_read_cifs_files($2)
>  	')
> +
> +	optional_policy(`
> +		git_read_user_content($2)
> +	')
>  ')
>  
>  #######################################
> @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
>  		fs_dontaudit_manage_cifs_dirs($2)
>  		fs_dontaudit_manage_cifs_files($2)
>  	')
> +
> +	optional_policy(`
> +		git_manage_user_content($2)
> +		git_relabel_user_content($2)
> +	')
>  ')
>  
>  #######################################
> @@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
>  	')
>  
>  	optional_policy(`
> +		git_exec_user_content_files($1_t)
> +	')
> +
> +	optional_policy(`
>  		kerberos_use($1_t)
>  	')

All of these content rules seem like it should be in a git_role()
interface, which would be invoked from the various role.te files.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 3/8] Git shell users

[Christopher J. PeBenito]

On 08/25/11 05:07, Dominick Grift wrote:
> On Wed, Aug 24, 2011 at 02:35:41PM +0200, Dominick Grift wrote:
> 
> Today i was reading an article about the scponly shell. This seems to have properties similar to Git shell. Maybe we could make userdom_git_user_template -> userdom_base_user_template, and rename the current userdom_base_user_template, or something along those lines.
> 
> I have been thinking about possible arguments against a userdom_git_user_tempplate.
> 
> Q: Why not just use userdom_base_user_template for "git shell (and possibly scponly) users?
> A: That would make it harder to configure for administrators. The nice thing about this current implementation is that a default Git shell seuser exists. Administrators can just map their users logins to it and start. It provides Git shell users with access to generic shared repositories. Besides, compare the userdom_git_user_template to userdom_base_user_template, the laster gives the caller way more privileges that arent needed.

I'm very conflicted on this point.  My initial reaction is that I don't
like putting any git stuff in userdomain and that
userdom_base_user_template is fine.  Alternatively we could make a
generic template which is useful for special user shell accounts like
git_shell and scponly.  I'll have to think about it more.

> But userdom_git_user_template is useless for scponly users currently because it provides access to generic shared repositories. We do not want scponly users to have this privilege.
> 
> That brings me to another issue where the inteface calls git_manage_generic_sys_content and git exec_generic_content_files are not optional policy in the userdom_git_user_template. Which means any calling module will have a dependency on the git module.
> 
>> Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
>> together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
>> using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
>> purpose of commiting to shared repositories needs much less privileges that the least privilege
>> userdom_base_user_template provides.
>>
>> Git shell users do not need pty's, execmem or many other privileges provided by the base_user_template.
>> Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
>> administrators can easily map their Unix logins to the Git shell SELinux user.
>>
>> This Git shell user domain is allowed to manage and execute (primary) shared repositories.
>>
>> FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
>> git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell
>>
>> Fix2: booleans git_system_use_cifs and git_system_use_nfs are currenlty named gitd_use_cifs and gitd_use_nfs respectively
>>
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>> ---
>> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mcs/git_shell_u_default_contexts
>> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mls/git_shell_u_default_contexts
>> :000000 100644 0000000... bfbd788... A	config/appconfig-standard/git_shell_u_default_contexts
>> :000000 100644 0000000... 601a7b0... A	policy/modules/roles/git_shell.fc
>> :000000 100644 0000000... c6d9896... A	policy/modules/roles/git_shell.if
>> :000000 100644 0000000... f5aa6cb... A	policy/modules/roles/git_shell.te
>> :100644 100644 4da6875... 6238d54... M	policy/modules/services/git.if
>> :100644 100644 2dc8697... 5c30b4b... M	policy/modules/system/userdomain.if
>>  config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
>>  config/appconfig-mls/git_shell_u_default_contexts  |    2 +
>>  .../git_shell_u_default_contexts                   |    2 +
>>  policy/modules/roles/git_shell.fc                  |    1 +
>>  policy/modules/roles/git_shell.if                  |   50 +++++++++++++++
>>  policy/modules/roles/git_shell.te                  |   15 +++++
>>  policy/modules/services/git.if                     |   67 ++++++++++++++++++++
>>  policy/modules/system/userdomain.if                |   63 ++++++++++++++++++
>>  8 files changed, 202 insertions(+), 0 deletions(-)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 2/8] Git personal repositories

[Dominick Grift]

On Fri, Aug 26, 2011 at 09:18:33AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> > We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
> > user home content, and therefore a new type for Git personal repositories is declared.
> > 
> > By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> > It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
> > read and serve personal repositories, and so we make the policy for this functionality tunable.
> > 
> > We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> > repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> > directories in any user home directory should be labeled with the personal repository file type.
> > That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> > repository type. Did you know that users might also need to execute some of the Git personal
> > repository content. It is not obvious but in some cases users need to be able to execute the Git
> > hooks scripts in their personal repositories. For example the might have a script that runs after the user
> > commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
> > also allow all login users to execute Git shared repository files.
> > 
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 164d2bf... 7314ecb... M	policy/modules/services/git.fc
> > :100644 100644 458aac6... 4da6875... M	policy/modules/services/git.if
> > :100644 100644 7766253... 6c8e672... M	policy/modules/services/git.te
> > :100644 100644 c6d3cc8... 2dc8697... M	policy/modules/system/userdomain.if
> >  policy/modules/services/git.fc      |    2 +
> >  policy/modules/services/git.if      |  119 +++++++++++++++++++++++++++++++++++
> >  policy/modules/services/git.te      |   31 +++++++++-
> >  policy/modules/system/userdomain.if |   13 ++++
> >  4 files changed, 163 insertions(+), 2 deletions(-)
> > 
> > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> > index 164d2bf..7314ecb 100644
> > --- a/policy/modules/services/git.fc
> > +++ b/policy/modules/services/git.fc
> > @@ -1,3 +1,5 @@
> > +HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> > +
> >  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
> >  
> >  /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index 458aac6..4da6875 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -1 +1,120 @@
> >  ## <summary>GIT revision control system</summary>
> > +
> > +########################################
> > +## <summary>
> > +##	Execute Git daemon personal
> > +##	repository content files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_exec_user_content_files',`
> > +	gen_require(`
> > +		type git_user_content_t;
> > +	')
> > +
> > +	exec_files_pattern($1, git_user_content_t, git_user_content_t)
> > +	userdom_search_user_home_dirs($1)
> > +
> > +	tunable_policy(`use_samba_home_dirs',`
> > +		fs_exec_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`use_nfs_home_dirs',`
> > +		fs_exec_nfs_files($1)
> > +	')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Create, read, write, and delete
> > +##	Git daemon personal repository content.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_manage_user_content',`
> > +	gen_require(`
> > +		type git_user_content_t;
> > +	')
> > +
> > +	manage_dirs_pattern($1, git_user_content_t, git_user_content_t)
> > +	manage_files_pattern($1, git_user_content_t, git_user_content_t)
> > +	userdom_search_user_home_dirs($1)
> > +
> > +	tunable_policy(`use_samba_home_dirs',`
> > +		fs_manage_cifs_dirs($1)
> > +		fs_manage_cifs_files($1)
> > +	',`
> > +		fs_dontaudit_manage_cifs_dirs($1)
> > +		fs_dontaudit_manage_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`use_nfs_home_dirs',`
> > +		fs_manage_nfs_dirs($1)
> > +		fs_manage_nfs_files($1)
> > +	',`
> > +		fs_dontaudit_manage_nfs_dirs($1)
> > +		fs_dontaudit_manage_nfs_files($1)
> > +	')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Read Git daemon personal repository
> > +##	content.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_read_user_content',`
> > +	gen_require(`
> > +		type git_user_content_t;
> > +	')
> > +
> > +	list_dirs_pattern($1, git_user_content_t, git_user_content_t)
> > +	read_files_pattern($1, git_user_content_t, git_user_content_t)
> > +	userdom_search_user_home_dirs($1)
> > +
> > +	tunable_policy(`use_nfs_home_dirs',`
> > +		fs_read_nfs_files($1)
> > +	',`
> > +		fs_dontaudit_read_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`use_samba_home_dirs',`
> > +		fs_read_cifs_files($1)
> > +	',`
> > +		fs_dontaudit_read_cifs_files($1)
> > +	')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Relabel Git daemon personal
> > +##	repository content.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_relabel_user_content',`
> > +	gen_require(`
> > +		type git_user_content_t;
> > +	')
> > +
> > +	relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
> > +	relabel_files_pattern($1, git_user_content_t, git_user_content_t)
> > +	userdom_search_user_home_dirs($1)
> > +')
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 7766253..6c8e672 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -8,6 +8,14 @@ policy_module(git, 1.0)
> >  ## <desc>
> >  ##	<p>
> >  ##	Determine whether Git daemon
> > +##	can search home directories.
> > +##	</p>
> > +## </desc>
> > +gen_tunable(gitd_enable_homedirs, false)
> > +
> > +## <desc>
> > +##	<p>
> > +##	Determine whether Git daemon
> >  ##	can access cifs file systems.
> >  ##	</p>
> >  ## </desc>
> > @@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t)
> >  type git_sys_content_t;
> >  files_type(git_sys_content_t)
> >  
> > +type git_user_content_t;
> > +userdom_user_home_content(git_user_content_t)
> > +
> >  ########################################
> >  #
> >  # Local policy
> > @@ -36,8 +47,8 @@ files_type(git_sys_content_t)
> >  allow gitd_t self:fifo_file rw_fifo_file_perms;
> >  allow gitd_t self:unix_dgram_socket create_socket_perms;
> >  
> > -list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
> > -read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
> > +list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> >  files_search_var_lib(gitd_t)
> >  
> >  kernel_read_system_state(gitd_t)
> > @@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t)
> >  
> >  miscfiles_read_localization(gitd_t)
> >  
> > +tunable_policy(`gitd_enable_homedirs',`
> > +	userdom_search_user_home_dirs(gitd_t)
> > +')
> > +
> > +tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> > +	fs_read_nfs_files(gitd_t)
> > +',`
> > +	fs_dontaudit_read_nfs_files(gitd_t)
> > +')
> > +
> > +tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> > +	fs_read_cifs_files(gitd_t)
> > +',`
> > +	fs_dontaudit_read_cifs_files(gitd_t)
> > +')
> > +
> >  tunable_policy(`gitd_use_cifs',`
> >  	fs_read_cifs_files(gitd_t)
> >  ',`
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index c6d3cc8..2dc8697 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
> >  		fs_dontaudit_list_cifs($2)
> >  		fs_dontaudit_read_cifs_files($2)
> >  	')
> > +
> > +	optional_policy(`
> > +		git_read_user_content($2)
> > +	')
> >  ')
> >  
> >  #######################################
> > @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
> >  		fs_dontaudit_manage_cifs_dirs($2)
> >  		fs_dontaudit_manage_cifs_files($2)
> >  	')
> > +
> > +	optional_policy(`
> > +		git_manage_user_content($2)
> > +		git_relabel_user_content($2)
> > +	')
> >  ')
> >  
> >  #######################################
> > @@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
> >  	')
> >  
> >  	optional_policy(`
> > +		git_exec_user_content_files($1_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		kerberos_use($1_t)
> >  	')
> 
> All of these content rules seem like it should be in a git_role()
> interface, which would be invoked from the various role.te files.

Why do you think that?

i will explain why i think not:

1. the file context spec. labels all ~/pubic_git type git_user_content_t, whether the user calls git_role_template or not.
2. sysadm can decide to allow git system daemon to host personal repositories of users that arent allowed to run the git session daemon in the git session domain.



> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/83638ff2/attachment-0001.bin 

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Christopher J. PeBenito]

On 08/24/11 08:35, Dominick Grift wrote:
> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> as Git daemon run by inetd but there are some differences. Most notably is the network access
> that the Git session daemon requires to listen on the Git port for service.
> 
> The Git system daemon does not need this because inetd takes care of the network for it.
> Another difference is that Git session daemon can only read and serve users Git personal
> repositories, where Git system daemon can, if configured, read and serve both shared as well
> as personal repositories. Since much of the policy is common to both session and
> system, we declared a git_daemon attribute and assigned that to both the Git system and
> session daemons. This allows use to write policy that both daemon have in common once.
> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> session domain started by unprivileged users and one system domain started by inetd.
> 
> Fix: since we renamed gitd_t to git_system_t, add alias.
> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively

Perhaps I missed something, but how did it make sense to separate out
the content types from this patch?

I'm confused why its renaming things from previous patches.  Why not
create it right in the first place?

git_session_role_template() isn't creating any types, so it should be
renamed to git_session_role().  Or in light of the previous patches,
git_role().

> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 2be17d2... 17fc624... M	policy/modules/roles/staff.te
> :100644 100644 0f96353... 7461e65... M	policy/modules/roles/sysadm.te
> :100644 100644 7e9da77... 52156cd... M	policy/modules/roles/unprivuser.te
> :100644 100644 6238d54... f1466e1... M	policy/modules/services/git.if
> :100644 100644 6c8e672... 7040bf6... M	policy/modules/services/git.te
>  policy/modules/roles/staff.te      |    4 +
>  policy/modules/roles/sysadm.te     |    4 +
>  policy/modules/roles/unprivuser.te |    4 +
>  policy/modules/services/git.if     |   46 +++++++++++-
>  policy/modules/services/git.te     |  134 ++++++++++++++++++++++++++----------
>  5 files changed, 150 insertions(+), 42 deletions(-)
> 
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..17fc624 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -89,6 +89,10 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> +		git_session_role_template(staff_r, staff_t)
> +	')
> +
> +	optional_policy(`
>  		gnome_role(staff_r, staff_t)
>  	')
>  
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 0f96353..7461e65 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -438,6 +438,10 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> +		git_session_role_template(sysadm_r, sysadm_t)
> +	')
> +
> +	optional_policy(`
>  		gnome_role(sysadm_r, sysadm_t)
>  	')
>  
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 7e9da77..52156cd 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -62,6 +62,10 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> +		git_session_role_template(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>  		gnome_role(user_r, user_t)
>  	')
>  
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 6238d54..f1466e1 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -2,6 +2,44 @@
>  
>  ########################################
>  ## <summary>
> +##	Role access for Git session daemon.
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +## </param>
> +#
> +template(`git_session_role_template',`
> +	gen_require(`
> +		type git_session_t, gitd_exec_t;
> +	')
> +
> +	########################################
> +	#
> +	# Git session daemon shared declarations
> +	#
> +
> +	role $1 types git_session_t;
> +
> +	########################################
> +	#
> +	# Git session daemon shared policy
> +	#
> +
> +	domtrans_pattern($2, gitd_exec_t, git_session_t)
> +
> +	allow $2 git_session_t:process { ptrace signal_perms };
> +	ps_process_pattern($2, git_session_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute Git daemon generic shared
>  ##	repository content files.
>  ## </summary>
> @@ -19,11 +57,11 @@ interface(`git_exec_generic_sys_content_files',`
>  	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
>  	files_search_var_lib($1)
>  
> -	tunable_policy(`gitd_use_cifs',`
> +	tunable_policy(`git_system_use_cifs',`
>  		fs_exec_cifs_files($1)
>  	')
>  
> -	tunable_policy(`gitd_use_nfs',`
> +	tunable_policy(`git_system_use_nfs',`
>  		fs_exec_nfs_files($1)
>  	')
>  ')
> @@ -49,7 +87,7 @@ interface(`git_manage_generic_sys_content',`
>  	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
>  	files_search_var_lib($1)
>  
> -	tunable_policy(`gitd_use_cifs',`
> +	tunable_policy(`git_system_use_cifs',`
>  		fs_manage_cifs_dirs($1)
>  		fs_manage_cifs_files($1)
>  	',`
> @@ -57,7 +95,7 @@ interface(`git_manage_generic_sys_content',`
>  		fs_dontaudit_manage_cifs_files($1)
>  	')
>  
> -	tunable_policy(`gitd_use_nfs',`
> +	tunable_policy(`git_system_use_nfs',`
>  		fs_manage_nfs_dirs($1)
>  		fs_manage_nfs_files($1)
>  	',`
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 6c8e672..7040bf6 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -2,93 +2,151 @@ policy_module(git, 1.0)
>  
>  ########################################
>  #
> -# Declarations
> +# Git daemon global declarations
> +#
> +
> +attribute git_daemon;
> +
> +type gitd_exec_t;
> +
> +########################################
> +#
> +# Git session daemon declarations
> +#
> +
> +type git_session_t, git_daemon;
> +application_domain(git_session_t, gitd_exec_t)
> +ubac_constrained(git_session_t)
> +
> +type git_user_content_t;
> +userdom_user_home_content(git_user_content_t)
> +
> +########################################
> +#
> +# Git system daemon declarations
>  #
>  
>  ## <desc>
>  ##	<p>
> -##	Determine whether Git daemon
> +##	Determine whether Git system daemon
>  ##	can search home directories.
>  ##	</p>
>  ## </desc>
> -gen_tunable(gitd_enable_homedirs, false)
> +gen_tunable(git_system_enable_homedirs, false)
>  
>  ## <desc>
>  ##	<p>
> -##	Determine whether Git daemon
> +##	Determine whether Git system daemon
>  ##	can access cifs file systems.
>  ##	</p>
>  ## </desc>
> -gen_tunable(gitd_use_cifs, false)
> +gen_tunable(git_system_use_cifs, false)
>  
>  ## <desc>
>  ##	<p>
> -##	Determine whether Git daemon
> +##	Determine whether Git system daemon
>  ##	can access nfs file systems.
>  ##	</p>
>  ## </desc>
> -gen_tunable(gitd_use_nfs, false)
> +gen_tunable(git_system_use_nfs, false)
>  
> -type gitd_t;
> -type gitd_exec_t;
> -inetd_service_domain(gitd_t, gitd_exec_t)
> +type git_system_t, git_daemon;
> +typealias git_system_t alias gitd_t;
> +inetd_service_domain(git_system_t, gitd_exec_t)
>  
>  type git_sys_content_t;
>  files_type(git_sys_content_t)
>  
> -type git_user_content_t;
> -userdom_user_home_content(git_user_content_t)
> +########################################
> +#
> +# Git daemon global policy
> +#
> +
> +allow git_daemon self:fifo_file rw_fifo_file_perms;
> +allow git_daemon self:unix_dgram_socket create_socket_perms;
> +
> +kernel_read_system_state(git_daemon)
> +
> +corecmd_exec_bin(git_daemon)
> +
> +files_read_usr_files(git_daemon)
> +
> +auth_use_nsswitch(git_daemon)
> +
> +logging_send_syslog_msg(git_daemon)
> +
> +miscfiles_read_localization(git_daemon)
>  
>  ########################################
>  #
> -# Local policy
> +# Git session daemon policy
>  #
>  
> -allow gitd_t self:fifo_file rw_fifo_file_perms;
> -allow gitd_t self:unix_dgram_socket create_socket_perms;
> +allow git_session_t self:tcp_socket { accept listen };
>  
> -list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> -read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> -files_search_var_lib(gitd_t)
> +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
> +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
> +userdom_search_user_home_dirs(git_session_t)
>  
> -kernel_read_system_state(gitd_t)
> +corenet_all_recvfrom_netlabel(git_session_t)
> +corenet_all_recvfrom_unlabeled(git_session_t)
> +corenet_tcp_bind_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_if(git_session_t)
> +corenet_tcp_sendrecv_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_port(git_session_t)
> +corenet_tcp_bind_git_port(git_session_t)
> +corenet_tcp_sendrecv_git_port(git_session_t)
> +corenet_sendrecv_git_server_packets(git_session_t)
>  
> -corecmd_exec_bin(gitd_t)
> +userdom_use_user_terminals(git_session_t)
>  
> -files_read_usr_files(gitd_t)
> +tunable_policy(`use_nfs_home_dirs',`
> +	fs_read_nfs_files(git_session_t)
> +',`
> +	fs_dontaudit_read_nfs_files(git_session_t)
> +')
>  
> -auth_use_nsswitch(gitd_t)
> +tunable_policy(`use_samba_home_dirs',`
> +	fs_read_cifs_files(git_session_t)
> +',`
> +	fs_dontaudit_read_cifs_files(git_session_t)
> +')
>  
> -logging_send_syslog_msg(gitd_t)
> +########################################
> +#
> +# Git system daemon policy
> +#
>  
> -miscfiles_read_localization(gitd_t)
> +list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> +read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> +files_search_var_lib(git_system_t)
>  
> -tunable_policy(`gitd_enable_homedirs',`
> -	userdom_search_user_home_dirs(gitd_t)
> +tunable_policy(`git_system_enable_homedirs',`
> +	userdom_search_user_home_dirs(git_system_t)
>  ')
>  
> -tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> -	fs_read_nfs_files(gitd_t)
> +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> +	fs_read_nfs_files(git_system_t)
>  ',`
> -	fs_dontaudit_read_nfs_files(gitd_t)
> +	fs_dontaudit_read_nfs_files(git_system_t)
>  ')
>  
> -tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> -	fs_read_cifs_files(gitd_t)
> +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> +	fs_read_cifs_files(git_system_t)
>  ',`
> -	fs_dontaudit_read_cifs_files(gitd_t)
> +	fs_dontaudit_read_cifs_files(git_system_t)
>  ')
>  
> -tunable_policy(`gitd_use_cifs',`
> -	fs_read_cifs_files(gitd_t)
> +tunable_policy(`git_system_use_cifs',`
> +	fs_read_cifs_files(git_system_t)
>  ',`
> -	fs_dontaudit_read_cifs_files(gitd_t)
> +	fs_dontaudit_read_cifs_files(git_system_t)
>  ')
>  
> -tunable_policy(`gitd_use_nfs',`
> -	fs_read_nfs_files(gitd_t)
> +tunable_policy(`git_system_use_nfs',`
> +	fs_read_nfs_files(git_system_t)
>  ',`
> -	fs_dontaudit_read_nfs_files(gitd_t)
> +	fs_dontaudit_read_nfs_files(git_system_t)
>  ')
>  
>  ########################################


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

[Christopher J. PeBenito]

On 08/24/11 08:35, Dominick Grift wrote:
> Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
> The policy in this commit was taken from Fedora. It is well tested i believe.
> These web applications display Git repositories. And they Should be able to read any Git
> repository whether shared or personal. We implemented another attribute for it called git_content.

Really all repos?  It seems like access to user repos should be tunable.

> This attribute will be assigned to any and all Git repository content types, either existing or
> to be created. Hopefully the next commit should explain why this attribute makes sense.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
> :100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
> :100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
>  policy/modules/services/git.fc |    4 ++-
>  policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/services/git.te |   11 +++++++-
>  3 files changed, 58 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 7314ecb..c005782 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
>  
>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
>  
> -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
>  
>  /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
>  
>  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index f1466e1..83356f2 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -40,6 +40,52 @@ template(`git_session_role_template',`
>  
>  ########################################
>  ## <summary>
> +##	Read all Git daemon repository
> +##	content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_read_all_content',`
> +	gen_require(`
> +		attribute git_content;
> +	')
> +
> +	list_dirs_pattern($1, git_content, git_content)
> +	read_files_pattern($1, git_content, git_content)
> +	userdom_search_user_home_dirs($1)
> +	files_search_var_lib($1)
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_read_nfs_files($1)
> +	',`
> +		fs_dontaudit_read_nfs_files($1)
> +	')
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_read_cifs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +
> +	tunable_policy(`git_system_use_cifs',`
> +		fs_read_cifs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +
> +	tunable_policy(`git_system_use_nfs',`
> +		fs_read_nfs_files($1)
> +	',`
> +		fs_dontaudit_read_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute Git daemon generic shared
>  ##	repository content files.
>  ## </summary>
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7040bf6..8602887 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -5,6 +5,7 @@ policy_module(git, 1.0)
>  # Git daemon global declarations
>  #
>  
> +attribute git_content;
>  attribute git_daemon;
>  
>  type gitd_exec_t;
> @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
>  application_domain(git_session_t, gitd_exec_t)
>  ubac_constrained(git_session_t)
>  
> -type git_user_content_t;
> +type git_user_content_t, git_content;
>  userdom_user_home_content(git_user_content_t)
>  
>  ########################################
> @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
>  typealias git_system_t alias gitd_t;
>  inetd_service_domain(git_system_t, gitd_exec_t)
>  
> -type git_sys_content_t;
> +type git_sys_content_t, git_content;
>  files_type(git_sys_content_t)
>  
>  ########################################
> @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
>  #
>  
>  apache_content_template(git)
> +
> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> +auth_use_nsswitch(httpd_git_script_t)
> +
> +git_read_all_content(httpd_git_script_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types

[Christopher J. PeBenito]

On 08/24/11 08:35, Dominick Grift wrote:
> In my previous commit i promised i would try to explain the use of the git_content attribute.
> It is a attribute to asign to existing and to be create shared and private repository types.
> 
> In this commit we are using this attribute to allow Git system daemon to read and serve any
> repository content. We do this because the userdom_git_user_template allows use to provides
> administrators with advanced type enforcement possibility to restrict access to
> various types of shared repository. In this commit we created the
> git_shared_content_template.
> 
> This template allows for easy creation of new shared repository types.
> We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces.
> This allows us to make a connection between Git user domain and Git shared repository content
> types. These interfaces and templates allow administrators to create new Git user domains
> and allow the various Git user domains access to specified Git shared repositories.
> 
> This allows administrators to employ Type enforcement for shared repository and Git user separation.
> We also created a attribute called git_system_content that is assigned to all types derived from the
> prefix that the git_shared_content_template expects. This might be handy if some one later wants a
> given Git user domain to have access to any shared repository type and not just the primary
> git_sys_content_t repository type.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 83356f2... fb27b32... M	policy/modules/services/git.if
> :100644 100644 8602887... ba56287... M	policy/modules/services/git.te
>  policy/modules/services/git.if |   96 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/services/git.te |    9 ++--
>  2 files changed, 101 insertions(+), 4 deletions(-)
> 
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 83356f2..fb27b32 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -40,6 +40,102 @@ template(`git_session_role_template',`
>  
>  ########################################
>  ## <summary>
> +##	Create a set of derived types for
> +##	Git daemon shared repository content.
> +## </summary>
> +## <param name="prefix">
> +##	<summary>
> +##	The prefix to be used for deriving type names.
> +##	</summary>
> +## </param>
> +#
> +template(`git_shared_content_template',`
> +	gen_require(`
> +		attribute git_system_content, git_content;
> +	')
> +
> +	type git_$1_content_t, git_system_content, git_content;
> +	files_type(git_$1_content_t)
> +')

I see no need to declare derived types like this.  The caller should
create a type and call this interface on it, which adds the appropriate
attribute(s).

> +#######################################
> +## <summary>
> +##	Execute specified Git daemon
> +##	shared repository content files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="file_type">
> +##	<summary>
> +##	Type to allow access to.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_exec_spec_shared_content_files',`
> +	gen_require(`
> +		type $1, $2;
> +	')
> +
> +	exec_files_pattern($1, $2, $2)
> +	files_search_var_lib($1)
> +
> +	tunable_policy(`git_system_use_cifs',`
> +		fs_exec_cifs_files($1)
> +	')
> +
> +	tunable_policy(`git_system_use_nfs',`
> +		fs_exec_nfs_files($1)
> +	')
> +')

NAK.  Explicit interface(s) needs to be declared in the module that owns
the target type.

> +#######################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	specified Git daemon shared
> +##	repository content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="file_type">
> +##	<summary>
> +##	Type to allow access to.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_manage_spec_shared_content',`
> +	gen_require(`
> +		type $1, $2;
> +	')
> +
> +	manage_dirs_pattern($1, $2, $2)
> +	manage_files_pattern($1, $2, $2)
> +	files_search_var_lib($1)
> +
> +	tunable_policy(`git_system_use_cifs',`
> +		fs_manage_cifs_dirs($1)
> +		fs_manage_cifs_files($1)
> +	',`
> +		fs_dontaudit_manage_cifs_dirs($1)
> +		fs_dontaudit_manage_cifs_files($1)
> +	')
> +
> +	tunable_policy(`git_system_use_nfs',`
> +		fs_manage_nfs_dirs($1)
> +		fs_manage_nfs_files($1)
> +	',`
> +		fs_dontaudit_manage_nfs_dirs($1)
> +		fs_dontaudit_manage_nfs_files($1)
> +	')
> +')

Same thing as previous interface.

> +########################################
> +## <summary>
>  ##	Read all Git daemon repository
>  ##	content.
>  ## </summary>
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 8602887..ba56287 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -51,12 +51,13 @@ gen_tunable(git_system_use_cifs, false)
>  ## </desc>
>  gen_tunable(git_system_use_nfs, false)
>  
> +attribute git_system_content;
> +
>  type git_system_t, git_daemon;
>  typealias git_system_t alias gitd_t;
>  inetd_service_domain(git_system_t, gitd_exec_t)
>  
> -type git_sys_content_t, git_content;
> -files_type(git_sys_content_t)
> +git_shared_content_template(sys)
>  
>  ########################################
>  #
> @@ -118,8 +119,8 @@ tunable_policy(`use_samba_home_dirs',`
>  # Git system daemon policy
>  #
>  
> -list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> -read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> +list_dirs_pattern(git_system_t, git_content, git_content)
> +read_files_pattern(git_system_t, git_content, git_content)
>  files_search_var_lib(git_system_t)
>  
>  tunable_policy(`git_system_enable_homedirs',`


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Dominick Grift]

On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
> > run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> > read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> > as Git daemon run by inetd but there are some differences. Most notably is the network access
> > that the Git session daemon requires to listen on the Git port for service.
> > 
> > The Git system daemon does not need this because inetd takes care of the network for it.
> > Another difference is that Git session daemon can only read and serve users Git personal
> > repositories, where Git system daemon can, if configured, read and serve both shared as well
> > as personal repositories. Since much of the policy is common to both session and
> > system, we declared a git_daemon attribute and assigned that to both the Git system and
> > session daemons. This allows use to write policy that both daemon have in common once.
> > Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> > session domain started by unprivileged users and one system domain started by inetd.
> > 
> > Fix: since we renamed gitd_t to git_system_t, add alias.
> > Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
> 
> Perhaps I missed something, but how did it make sense to separate out
> the content types from this patch?

The git_user_content_t has no relation to git session per se. 

in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.

By splitting the git_user_content_t type from the git session t policy we make it more flexible.

administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.

in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear

> 
> I'm confused why its renaming things from previous patches.  Why not
> create it right in the first place?

I initially started with gitd_t rather than git_system_t because that made sense at that stage. There was no git_session_t yet at that point. Besides, what does it matter i created an alias to git_system_t in the patch that introduce git session t


> git_session_role_template() isn't creating any types, so it should be
> renamed to git_session_role().  Or in light of the previous patches,
> git_role().

Ok that pretty minor and i can just submit a patch to apply that after the other applicable patches are submitted. If i have  to rebase the whole thing for every nit then ill probably be rebasing until next year.

> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 2be17d2... 17fc624... M	policy/modules/roles/staff.te
> > :100644 100644 0f96353... 7461e65... M	policy/modules/roles/sysadm.te
> > :100644 100644 7e9da77... 52156cd... M	policy/modules/roles/unprivuser.te
> > :100644 100644 6238d54... f1466e1... M	policy/modules/services/git.if
> > :100644 100644 6c8e672... 7040bf6... M	policy/modules/services/git.te
> >  policy/modules/roles/staff.te      |    4 +
> >  policy/modules/roles/sysadm.te     |    4 +
> >  policy/modules/roles/unprivuser.te |    4 +
> >  policy/modules/services/git.if     |   46 +++++++++++-
> >  policy/modules/services/git.te     |  134 ++++++++++++++++++++++++++----------
> >  5 files changed, 150 insertions(+), 42 deletions(-)
> > 
> > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> > index 2be17d2..17fc624 100644
> > --- a/policy/modules/roles/staff.te
> > +++ b/policy/modules/roles/staff.te
> > @@ -89,6 +89,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(staff_r, staff_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(staff_r, staff_t)
> >  	')
> >  
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 0f96353..7461e65 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -438,6 +438,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(sysadm_r, sysadm_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(sysadm_r, sysadm_t)
> >  	')
> >  
> > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> > index 7e9da77..52156cd 100644
> > --- a/policy/modules/roles/unprivuser.te
> > +++ b/policy/modules/roles/unprivuser.te
> > @@ -62,6 +62,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(user_r, user_t)
> >  	')
> >  
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index 6238d54..f1466e1 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -2,6 +2,44 @@
> >  
> >  ########################################
> >  ## <summary>
> > +##	Role access for Git session daemon.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +template(`git_session_role_template',`
> > +	gen_require(`
> > +		type git_session_t, gitd_exec_t;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Git session daemon shared declarations
> > +	#
> > +
> > +	role $1 types git_session_t;
> > +
> > +	########################################
> > +	#
> > +	# Git session daemon shared policy
> > +	#
> > +
> > +	domtrans_pattern($2, gitd_exec_t, git_session_t)
> > +
> > +	allow $2 git_session_t:process { ptrace signal_perms };
> > +	ps_process_pattern($2, git_session_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Execute Git daemon generic shared
> >  ##	repository content files.
> >  ## </summary>
> > @@ -19,11 +57,11 @@ interface(`git_exec_generic_sys_content_files',`
> >  	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> >  	files_search_var_lib($1)
> >  
> > -	tunable_policy(`gitd_use_cifs',`
> > +	tunable_policy(`git_system_use_cifs',`
> >  		fs_exec_cifs_files($1)
> >  	')
> >  
> > -	tunable_policy(`gitd_use_nfs',`
> > +	tunable_policy(`git_system_use_nfs',`
> >  		fs_exec_nfs_files($1)
> >  	')
> >  ')
> > @@ -49,7 +87,7 @@ interface(`git_manage_generic_sys_content',`
> >  	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> >  	files_search_var_lib($1)
> >  
> > -	tunable_policy(`gitd_use_cifs',`
> > +	tunable_policy(`git_system_use_cifs',`
> >  		fs_manage_cifs_dirs($1)
> >  		fs_manage_cifs_files($1)
> >  	',`
> > @@ -57,7 +95,7 @@ interface(`git_manage_generic_sys_content',`
> >  		fs_dontaudit_manage_cifs_files($1)
> >  	')
> >  
> > -	tunable_policy(`gitd_use_nfs',`
> > +	tunable_policy(`git_system_use_nfs',`
> >  		fs_manage_nfs_dirs($1)
> >  		fs_manage_nfs_files($1)
> >  	',`
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 6c8e672..7040bf6 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -2,93 +2,151 @@ policy_module(git, 1.0)
> >  
> >  ########################################
> >  #
> > -# Declarations
> > +# Git daemon global declarations
> > +#
> > +
> > +attribute git_daemon;
> > +
> > +type gitd_exec_t;
> > +
> > +########################################
> > +#
> > +# Git session daemon declarations
> > +#
> > +
> > +type git_session_t, git_daemon;
> > +application_domain(git_session_t, gitd_exec_t)
> > +ubac_constrained(git_session_t)
> > +
> > +type git_user_content_t;
> > +userdom_user_home_content(git_user_content_t)
> > +
> > +########################################
> > +#
> > +# Git system daemon declarations
> >  #
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can search home directories.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_enable_homedirs, false)
> > +gen_tunable(git_system_enable_homedirs, false)
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can access cifs file systems.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_use_cifs, false)
> > +gen_tunable(git_system_use_cifs, false)
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can access nfs file systems.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_use_nfs, false)
> > +gen_tunable(git_system_use_nfs, false)
> >  
> > -type gitd_t;
> > -type gitd_exec_t;
> > -inetd_service_domain(gitd_t, gitd_exec_t)
> > +type git_system_t, git_daemon;
> > +typealias git_system_t alias gitd_t;
> > +inetd_service_domain(git_system_t, gitd_exec_t)
> >  
> >  type git_sys_content_t;
> >  files_type(git_sys_content_t)
> >  
> > -type git_user_content_t;
> > -userdom_user_home_content(git_user_content_t)
> > +########################################
> > +#
> > +# Git daemon global policy
> > +#
> > +
> > +allow git_daemon self:fifo_file rw_fifo_file_perms;
> > +allow git_daemon self:unix_dgram_socket create_socket_perms;
> > +
> > +kernel_read_system_state(git_daemon)
> > +
> > +corecmd_exec_bin(git_daemon)
> > +
> > +files_read_usr_files(git_daemon)
> > +
> > +auth_use_nsswitch(git_daemon)
> > +
> > +logging_send_syslog_msg(git_daemon)
> > +
> > +miscfiles_read_localization(git_daemon)
> >  
> >  ########################################
> >  #
> > -# Local policy
> > +# Git session daemon policy
> >  #
> >  
> > -allow gitd_t self:fifo_file rw_fifo_file_perms;
> > -allow gitd_t self:unix_dgram_socket create_socket_perms;
> > +allow git_session_t self:tcp_socket { accept listen };
> >  
> > -list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -files_search_var_lib(gitd_t)
> > +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
> > +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
> > +userdom_search_user_home_dirs(git_session_t)
> >  
> > -kernel_read_system_state(gitd_t)
> > +corenet_all_recvfrom_netlabel(git_session_t)
> > +corenet_all_recvfrom_unlabeled(git_session_t)
> > +corenet_tcp_bind_generic_node(git_session_t)
> > +corenet_tcp_sendrecv_generic_if(git_session_t)
> > +corenet_tcp_sendrecv_generic_node(git_session_t)
> > +corenet_tcp_sendrecv_generic_port(git_session_t)
> > +corenet_tcp_bind_git_port(git_session_t)
> > +corenet_tcp_sendrecv_git_port(git_session_t)
> > +corenet_sendrecv_git_server_packets(git_session_t)
> >  
> > -corecmd_exec_bin(gitd_t)
> > +userdom_use_user_terminals(git_session_t)
> >  
> > -files_read_usr_files(gitd_t)
> > +tunable_policy(`use_nfs_home_dirs',`
> > +	fs_read_nfs_files(git_session_t)
> > +',`
> > +	fs_dontaudit_read_nfs_files(git_session_t)
> > +')
> >  
> > -auth_use_nsswitch(gitd_t)
> > +tunable_policy(`use_samba_home_dirs',`
> > +	fs_read_cifs_files(git_session_t)
> > +',`
> > +	fs_dontaudit_read_cifs_files(git_session_t)
> > +')
> >  
> > -logging_send_syslog_msg(gitd_t)
> > +########################################
> > +#
> > +# Git system daemon policy
> > +#
> >  
> > -miscfiles_read_localization(gitd_t)
> > +list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +files_search_var_lib(git_system_t)
> >  
> > -tunable_policy(`gitd_enable_homedirs',`
> > -	userdom_search_user_home_dirs(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs',`
> > +	userdom_search_user_home_dirs(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> > -	fs_read_nfs_files(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> > +	fs_read_nfs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_nfs_files(gitd_t)
> > +	fs_dontaudit_read_nfs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> > -	fs_read_cifs_files(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> > +	fs_read_cifs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_cifs_files(gitd_t)
> > +	fs_dontaudit_read_cifs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_use_cifs',`
> > -	fs_read_cifs_files(gitd_t)
> > +tunable_policy(`git_system_use_cifs',`
> > +	fs_read_cifs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_cifs_files(gitd_t)
> > +	fs_dontaudit_read_cifs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_use_nfs',`
> > -	fs_read_nfs_files(gitd_t)
> > +tunable_policy(`git_system_use_nfs',`
> > +	fs_read_nfs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_nfs_files(gitd_t)
> > +	fs_dontaudit_read_nfs_files(git_system_t)
> >  ')
> >  
> >  ########################################
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/ea89b1f9/attachment.bin 

[refpolicy] [ v3 PATCH 3/8] Git shell users

[Dominick Grift]

On Fri, Aug 26, 2011 at 09:28:38AM -0400, Christopher J. PeBenito wrote:
> On 08/25/11 05:07, Dominick Grift wrote:
> > On Wed, Aug 24, 2011 at 02:35:41PM +0200, Dominick Grift wrote:
> > 
> > Today i was reading an article about the scponly shell. This seems to have properties similar to Git shell. Maybe we could make userdom_git_user_template -> userdom_base_user_template, and rename the current userdom_base_user_template, or something along those lines.
> > 
> > I have been thinking about possible arguments against a userdom_git_user_tempplate.
> > 
> > Q: Why not just use userdom_base_user_template for "git shell (and possibly scponly) users?
> > A: That would make it harder to configure for administrators. The nice thing about this current implementation is that a default Git shell seuser exists. Administrators can just map their users logins to it and start. It provides Git shell users with access to generic shared repositories. Besides, compare the userdom_git_user_template to userdom_base_user_template, the laster gives the caller way more privileges that arent needed.
> 
> I'm very conflicted on this point.  My initial reaction is that I don't
> like putting any git stuff in userdomain and that
> userdom_base_user_template is fine.  Alternatively we could make a
> generic template which is useful for special user shell accounts like
> git_shell and scponly.  I'll have to think about it more.

I agree that this template could be renamed to something more generic because this interface might also be usable for scponly users. However i do not agree with using the current userdom_base_user_template for git users or scponly users. We want to make this usable for the git environment. We dont want administrators to have to create a policy module just to have this work. Without this it doesnt work and ssh will not transition out of sshd_t and into the userdomain.

What we could do is rename this template to something more generich and make the interface calls to allow caller to manage and execute generic git system content tunable. So we might be able to make this interface usefull to both git users and scponly users. One much keep in mind that git users need access to manage and execute git_sys_content_t for it to make any sense. scpusers shouldnt have access to git_sys_content_t obviously however they would probably need access to manage other content types like for example user_home_t?  So i guess we need to give this patch some more thought.

Fortunalety this patch stands alone from the other patches.


> 
> > But userdom_git_user_template is useless for scponly users currently because it provides access to generic shared repositories. We do not want scponly users to have this privilege.
> > 
> > That brings me to another issue where the inteface calls git_manage_generic_sys_content and git exec_generic_content_files are not optional policy in the userdom_git_user_template. Which means any calling module will have a dependency on the git module.
> > 
> >> Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
> >> together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
> >> using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
> >> purpose of commiting to shared repositories needs much less privileges that the least privilege
> >> userdom_base_user_template provides.
> >>
> >> Git shell users do not need pty's, execmem or many other privileges provided by the base_user_template.
> >> Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
> >> administrators can easily map their Unix logins to the Git shell SELinux user.
> >>
> >> This Git shell user domain is allowed to manage and execute (primary) shared repositories.
> >>
> >> FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
> >> git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell
> >>
> >> Fix2: booleans git_system_use_cifs and git_system_use_nfs are currenlty named gitd_use_cifs and gitd_use_nfs respectively
> >>
> >> Signed-off-by: Dominick Grift <domg472@gmail.com>
> >> ---
> >> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mcs/git_shell_u_default_contexts
> >> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mls/git_shell_u_default_contexts
> >> :000000 100644 0000000... bfbd788... A	config/appconfig-standard/git_shell_u_default_contexts
> >> :000000 100644 0000000... 601a7b0... A	policy/modules/roles/git_shell.fc
> >> :000000 100644 0000000... c6d9896... A	policy/modules/roles/git_shell.if
> >> :000000 100644 0000000... f5aa6cb... A	policy/modules/roles/git_shell.te
> >> :100644 100644 4da6875... 6238d54... M	policy/modules/services/git.if
> >> :100644 100644 2dc8697... 5c30b4b... M	policy/modules/system/userdomain.if
> >>  config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
> >>  config/appconfig-mls/git_shell_u_default_contexts  |    2 +
> >>  .../git_shell_u_default_contexts                   |    2 +
> >>  policy/modules/roles/git_shell.fc                  |    1 +
> >>  policy/modules/roles/git_shell.if                  |   50 +++++++++++++++
> >>  policy/modules/roles/git_shell.te                  |   15 +++++
> >>  policy/modules/services/git.if                     |   67 ++++++++++++++++++++
> >>  policy/modules/system/userdomain.if                |   63 ++++++++++++++++++
> >>  8 files changed, 202 insertions(+), 0 deletions(-)
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/cf1b1bb0/attachment.bin 

[refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types

[Dominick Grift]

On Fri, Aug 26, 2011 at 09:46:01AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > In my previous commit i promised i would try to explain the use of the git_content attribute.
> > It is a attribute to asign to existing and to be create shared and private repository types.
> > 
> > In this commit we are using this attribute to allow Git system daemon to read and serve any
> > repository content. We do this because the userdom_git_user_template allows use to provides
> > administrators with advanced type enforcement possibility to restrict access to
> > various types of shared repository. In this commit we created the
> > git_shared_content_template.
> > 
> > This template allows for easy creation of new shared repository types.
> > We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces.
> > This allows us to make a connection between Git user domain and Git shared repository content
> > types. These interfaces and templates allow administrators to create new Git user domains
> > and allow the various Git user domains access to specified Git shared repositories.
> > 
> > This allows administrators to employ Type enforcement for shared repository and Git user separation.
> > We also created a attribute called git_system_content that is assigned to all types derived from the
> > prefix that the git_shared_content_template expects. This might be handy if some one later wants a
> > given Git user domain to have access to any shared repository type and not just the primary
> > git_sys_content_t repository type.
> > 
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 83356f2... fb27b32... M	policy/modules/services/git.if
> > :100644 100644 8602887... ba56287... M	policy/modules/services/git.te
> >  policy/modules/services/git.if |   96 ++++++++++++++++++++++++++++++++++++++++
> >  policy/modules/services/git.te |    9 ++--
> >  2 files changed, 101 insertions(+), 4 deletions(-)
> > 
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index 83356f2..fb27b32 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -40,6 +40,102 @@ template(`git_session_role_template',`
> >  
> >  ########################################
> >  ## <summary>
> > +##	Create a set of derived types for
> > +##	Git daemon shared repository content.
> > +## </summary>
> > +## <param name="prefix">
> > +##	<summary>
> > +##	The prefix to be used for deriving type names.
> > +##	</summary>
> > +## </param>
> > +#
> > +template(`git_shared_content_template',`
> > +	gen_require(`
> > +		attribute git_system_content, git_content;
> > +	')
> > +
> > +	type git_$1_content_t, git_system_content, git_content;
> > +	files_type(git_$1_content_t)
> > +')
> 
> I see no need to declare derived types like this.  The caller should
> create a type and call this interface on it, which adds the appropriate
> attribute(s).

Ok i did that before but i thought this would be more appropriate. (like the apache_content_template)
Is there any compelling reason as to why the caller should create a type rather than this template?

I personally like this better because it makes it easier to create new git shared content and it forces the git shared content to be uniformely named (git_*_content_t)

> 
> > +#######################################
> > +## <summary>
> > +##	Execute specified Git daemon
> > +##	shared repository content files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="file_type">
> > +##	<summary>
> > +##	Type to allow access to.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_exec_spec_shared_content_files',`
> > +	gen_require(`
> > +		type $1, $2;
> > +	')
> > +
> > +	exec_files_pattern($1, $2, $2)
> > +	files_search_var_lib($1)
> > +
> > +	tunable_policy(`git_system_use_cifs',`
> > +		fs_exec_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`git_system_use_nfs',`
> > +		fs_exec_nfs_files($1)
> > +	')
> > +')
> 
> NAK.  Explicit interface(s) needs to be declared in the module that owns
> the target type.

But the target type does not exist at that point... 

I guess if we cannot implement this we lift the entrance barrier. So ok, then we not add this fine but it will make it a hell of a lot harder for joe admin to employ selinux type enforcement to implement repository seperation...

> 
> > +#######################################
> > +## <summary>
> > +##	Create, read, write, and delete
> > +##	specified Git daemon shared
> > +##	repository content.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="file_type">
> > +##	<summary>
> > +##	Type to allow access to.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_manage_spec_shared_content',`
> > +	gen_require(`
> > +		type $1, $2;
> > +	')
> > +
> > +	manage_dirs_pattern($1, $2, $2)
> > +	manage_files_pattern($1, $2, $2)
> > +	files_search_var_lib($1)
> > +
> > +	tunable_policy(`git_system_use_cifs',`
> > +		fs_manage_cifs_dirs($1)
> > +		fs_manage_cifs_files($1)
> > +	',`
> > +		fs_dontaudit_manage_cifs_dirs($1)
> > +		fs_dontaudit_manage_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`git_system_use_nfs',`
> > +		fs_manage_nfs_dirs($1)
> > +		fs_manage_nfs_files($1)
> > +	',`
> > +		fs_dontaudit_manage_nfs_dirs($1)
> > +		fs_dontaudit_manage_nfs_files($1)
> > +	')
> > +')
> 
> Same thing as previous interface.
> 
> > +########################################
> > +## <summary>
> >  ##	Read all Git daemon repository
> >  ##	content.
> >  ## </summary>
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 8602887..ba56287 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -51,12 +51,13 @@ gen_tunable(git_system_use_cifs, false)
> >  ## </desc>
> >  gen_tunable(git_system_use_nfs, false)
> >  
> > +attribute git_system_content;
> > +
> >  type git_system_t, git_daemon;
> >  typealias git_system_t alias gitd_t;
> >  inetd_service_domain(git_system_t, gitd_exec_t)
> >  
> > -type git_sys_content_t, git_content;
> > -files_type(git_sys_content_t)
> > +git_shared_content_template(sys)
> >  
> >  ########################################
> >  #
> > @@ -118,8 +119,8 @@ tunable_policy(`use_samba_home_dirs',`
> >  # Git system daemon policy
> >  #
> >  
> > -list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +list_dirs_pattern(git_system_t, git_content, git_content)
> > +read_files_pattern(git_system_t, git_content, git_content)
> >  files_search_var_lib(git_system_t)
> >  
> >  tunable_policy(`git_system_enable_homedirs',`
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/a92fa661/attachment-0001.bin 

[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

[Dominick Grift]

On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
> > The policy in this commit was taken from Fedora. It is well tested i believe.
> > These web applications display Git repositories. And they Should be able to read any Git
> > repository whether shared or personal. We implemented another attribute for it called git_content.
> 
> Really all repos?  It seems like access to user repos should be tunable.

I guess it could be tunable but is it really worth that? i mean these git webapps are made to read git content. thats their sole purpose. We could
+implement a tunable for access to git_user_content_t but it seems a bit overdone.

But if you want it tunable it will be my please to submit a follow up patch to fix this or a replacement.

By the way i already mentioned this but this httpd cgi domains should be in httpd.te. because it makes for example the git module dependent on the
+apache module whilst, git can work fine without httpd.


> 
> > This attribute will be assigned to any and all Git repository content types, either existing or
> > to be created. Hopefully the next commit should explain why this attribute makes sense.
> > 
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
> > :100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
> > :100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
> >  policy/modules/services/git.fc |    4 ++-
> >  policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
> >  policy/modules/services/git.te |   11 +++++++-
> >  3 files changed, 58 insertions(+), 3 deletions(-)
> > 
> > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> > index 7314ecb..c005782 100644
> > --- a/policy/modules/services/git.fc
> > +++ b/policy/modules/services/git.fc
> > @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> >  
> >  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
> >  
> > -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> > +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> >  
> >  /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
> >  
> >  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> > +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
> > +/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index f1466e1..83356f2 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -40,6 +40,52 @@ template(`git_session_role_template',`
> >  
> >  ########################################
> >  ## <summary>
> > +##	Read all Git daemon repository
> > +##	content.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`git_read_all_content',`
> > +	gen_require(`
> > +		attribute git_content;
> > +	')
> > +
> > +	list_dirs_pattern($1, git_content, git_content)
> > +	read_files_pattern($1, git_content, git_content)
> > +	userdom_search_user_home_dirs($1)
> > +	files_search_var_lib($1)
> > +
> > +	tunable_policy(`use_nfs_home_dirs',`
> > +		fs_read_nfs_files($1)
> > +	',`
> > +		fs_dontaudit_read_nfs_files($1)
> > +	')
> > +
> > +	tunable_policy(`use_samba_home_dirs',`
> > +		fs_read_cifs_files($1)
> > +	',`
> > +		fs_dontaudit_read_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`git_system_use_cifs',`
> > +		fs_read_cifs_files($1)
> > +	',`
> > +		fs_dontaudit_read_cifs_files($1)
> > +	')
> > +
> > +	tunable_policy(`git_system_use_nfs',`
> > +		fs_read_nfs_files($1)
> > +	',`
> > +		fs_dontaudit_read_nfs_files($1)
> > +	')
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Execute Git daemon generic shared
> >  ##	repository content files.
> >  ## </summary>
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 7040bf6..8602887 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -5,6 +5,7 @@ policy_module(git, 1.0)
> >  # Git daemon global declarations
> >  #
> >  
> > +attribute git_content;
> >  attribute git_daemon;
> >  
> >  type gitd_exec_t;
> > @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
> >  application_domain(git_session_t, gitd_exec_t)
> >  ubac_constrained(git_session_t)
> >  
> > -type git_user_content_t;
> > +type git_user_content_t, git_content;
> >  userdom_user_home_content(git_user_content_t)
> >  
> >  ########################################
> > @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
> >  typealias git_system_t alias gitd_t;
> >  inetd_service_domain(git_system_t, gitd_exec_t)
> >  
> > -type git_sys_content_t;
> > +type git_sys_content_t, git_content;
> >  files_type(git_sys_content_t)
> >  
> >  ########################################
> > @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
> >  #
> >  
> >  apache_content_template(git)
> > +
> > +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> > +
> > +auth_use_nsswitch(httpd_git_script_t)
> > +
> > +git_read_all_content(httpd_git_script_t)
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/c8d7aec0/attachment.bin 

[refpolicy] [ v3 PATCH 3/8] Git shell users

[Dominick Grift]

On Fri, Aug 26, 2011 at 09:28:38AM -0400, Christopher J. PeBenito wrote:
> On 08/25/11 05:07, Dominick Grift wrote:
> > On Wed, Aug 24, 2011 at 02:35:41PM +0200, Dominick Grift wrote:
> > 
> > Today i was reading an article about the scponly shell. This seems to have properties similar to Git shell. Maybe we could make userdom_git_user_template -> userdom_base_user_template, and rename the current userdom_base_user_template, or something along those lines.
> > 
> > I have been thinking about possible arguments against a userdom_git_user_tempplate.
> > 
> > Q: Why not just use userdom_base_user_template for "git shell (and possibly scponly) users?
> > A: That would make it harder to configure for administrators. The nice thing about this current implementation is that a default Git shell seuser exists. Administrators can just map their users logins to it and start. It provides Git shell users with access to generic shared repositories. Besides, compare the userdom_git_user_template to userdom_base_user_template, the laster gives the caller way more privileges that arent needed.
> 
> I'm very conflicted on this point.  My initial reaction is that I don't
> like putting any git stuff in userdomain and that
> userdom_base_user_template is fine.  Alternatively we could make a
> generic template which is useful for special user shell accounts like
> git_shell and scponly.  I'll have to think about it more.
> 
> > But userdom_git_user_template is useless for scponly users currently because it provides access to generic shared repositories. We do not want scponly users to have this privilege.
> > 
> > That brings me to another issue where the inteface calls git_manage_generic_sys_content and git exec_generic_content_files are not optional policy in the userdom_git_user_template. Which means any calling module will have a dependency on the git module.

So this is just a bit of brainstorming. Were making the current userdom_git_user_template the new userdom_base_user_template ( and were renaming the current userdom_base_user_template to something else and base that off of the current userdom_git_user_template.

Were removing any reference to git_manage| exec_generic_sys_content from the current userdom_git_user_template.


Then we create a git_shared_content_template that is expecting a prefix as it currently does but we merge the current userdom_git_user_template, git_shared_content_template and git_manage| exec_spec_shared_content into the single one.

we call the (new) userdom_base_user_template(prefix), use the prefix to also prefix the new shared repository type and now we also can provide the user access to the prefixed git shared content: allow $1_t git_$1_content_t:file { manage_file_perms execute_file_perms };
we also allow $1_t access to manage and execute generic shared repositories in there.

hmm this seems like a good idea to me, that would make it very easy for admins to configure, plus we could reuse the new userdom_base_user_template for for example scponly.

The only problem is that git module will now have a userdomain template (although based off of the userdom_base_user_template from userdomain)

> > 
> >> Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
> >> together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
> >> using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
> >> purpose of commiting to shared repositories needs much less privileges that the least privilege
> >> userdom_base_user_template provides.
> >>
> >> Git shell users do not need pty's, execmem or many other privileges provided by the base_user_template.
> >> Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
> >> administrators can easily map their Unix logins to the Git shell SELinux user.
> >>
> >> This Git shell user domain is allowed to manage and execute (primary) shared repositories.
> >>
> >> FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
> >> git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell
> >>
> >> Fix2: booleans git_system_use_cifs and git_system_use_nfs are currenlty named gitd_use_cifs and gitd_use_nfs respectively
> >>
> >> Signed-off-by: Dominick Grift <domg472@gmail.com>
> >> ---
> >> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mcs/git_shell_u_default_contexts
> >> :000000 100644 0000000... 2d9c6bc... A	config/appconfig-mls/git_shell_u_default_contexts
> >> :000000 100644 0000000... bfbd788... A	config/appconfig-standard/git_shell_u_default_contexts
> >> :000000 100644 0000000... 601a7b0... A	policy/modules/roles/git_shell.fc
> >> :000000 100644 0000000... c6d9896... A	policy/modules/roles/git_shell.if
> >> :000000 100644 0000000... f5aa6cb... A	policy/modules/roles/git_shell.te
> >> :100644 100644 4da6875... 6238d54... M	policy/modules/services/git.if
> >> :100644 100644 2dc8697... 5c30b4b... M	policy/modules/system/userdomain.if
> >>  config/appconfig-mcs/git_shell_u_default_contexts  |    2 +
> >>  config/appconfig-mls/git_shell_u_default_contexts  |    2 +
> >>  .../git_shell_u_default_contexts                   |    2 +
> >>  policy/modules/roles/git_shell.fc                  |    1 +
> >>  policy/modules/roles/git_shell.if                  |   50 +++++++++++++++
> >>  policy/modules/roles/git_shell.te                  |   15 +++++
> >>  policy/modules/services/git.if                     |   67 ++++++++++++++++++++
> >>  policy/modules/system/userdomain.if                |   63 ++++++++++++++++++
> >>  8 files changed, 202 insertions(+), 0 deletions(-)
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/0493e529/attachment.bin 

[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

[Christopher J. PeBenito]

On 08/26/11 12:14, Dominick Grift wrote:
> On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
>> On 08/24/11 08:35, Dominick Grift wrote:
>>> Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
>>> The policy in this commit was taken from Fedora. It is well tested i believe.
>>> These web applications display Git repositories. And they Should be able to read any Git
>>> repository whether shared or personal. We implemented another attribute for it called git_content.
>>
>> Really all repos?  It seems like access to user repos should be tunable.
> 
> I guess it could be tunable but is it really worth that? i mean these git webapps are made to read git content. thats their sole purpose. We could
> +implement a tunable for access to git_user_content_t but it seems a bit overdone.

I understand what you're saying, I'm just thinking that there could be a server
that has several "system" repos, but have personal user dev repos that shouldn't
be exported.

> But if you want it tunable it will be my please to submit a follow up patch to fix this or a replacement.
> 
> By the way i already mentioned this but this httpd cgi domains should be in httpd.te. because it makes for example the git module dependent on the
> +apache module whilst, git can work fine without httpd.

You could put that all in an optional.

>>> This attribute will be assigned to any and all Git repository content types, either existing or
>>> to be created. Hopefully the next commit should explain why this attribute makes sense.
>>>
>>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>>> ---
>>> :100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
>>> :100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
>>> :100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
>>>  policy/modules/services/git.fc |    4 ++-
>>>  policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
>>>  policy/modules/services/git.te |   11 +++++++-
>>>  3 files changed, 58 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
>>> index 7314ecb..c005782 100644
>>> --- a/policy/modules/services/git.fc
>>> +++ b/policy/modules/services/git.fc
>>> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
>>>  
>>>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
>>>  
>>> -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
>>> +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
>>>  
>>>  /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
>>>  
>>>  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
>>> +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
>>> +/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
>>> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
>>> index f1466e1..83356f2 100644
>>> --- a/policy/modules/services/git.if
>>> +++ b/policy/modules/services/git.if
>>> @@ -40,6 +40,52 @@ template(`git_session_role_template',`
>>>  
>>>  ########################################
>>>  ## <summary>
>>> +##	Read all Git daemon repository
>>> +##	content.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`git_read_all_content',`
>>> +	gen_require(`
>>> +		attribute git_content;
>>> +	')
>>> +
>>> +	list_dirs_pattern($1, git_content, git_content)
>>> +	read_files_pattern($1, git_content, git_content)
>>> +	userdom_search_user_home_dirs($1)
>>> +	files_search_var_lib($1)
>>> +
>>> +	tunable_policy(`use_nfs_home_dirs',`
>>> +		fs_read_nfs_files($1)
>>> +	',`
>>> +		fs_dontaudit_read_nfs_files($1)
>>> +	')
>>> +
>>> +	tunable_policy(`use_samba_home_dirs',`
>>> +		fs_read_cifs_files($1)
>>> +	',`
>>> +		fs_dontaudit_read_cifs_files($1)
>>> +	')
>>> +
>>> +	tunable_policy(`git_system_use_cifs',`
>>> +		fs_read_cifs_files($1)
>>> +	',`
>>> +		fs_dontaudit_read_cifs_files($1)
>>> +	')
>>> +
>>> +	tunable_policy(`git_system_use_nfs',`
>>> +		fs_read_nfs_files($1)
>>> +	',`
>>> +		fs_dontaudit_read_nfs_files($1)
>>> +	')
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Execute Git daemon generic shared
>>>  ##	repository content files.
>>>  ## </summary>
>>> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
>>> index 7040bf6..8602887 100644
>>> --- a/policy/modules/services/git.te
>>> +++ b/policy/modules/services/git.te
>>> @@ -5,6 +5,7 @@ policy_module(git, 1.0)
>>>  # Git daemon global declarations
>>>  #
>>>  
>>> +attribute git_content;
>>>  attribute git_daemon;
>>>  
>>>  type gitd_exec_t;
>>> @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
>>>  application_domain(git_session_t, gitd_exec_t)
>>>  ubac_constrained(git_session_t)
>>>  
>>> -type git_user_content_t;
>>> +type git_user_content_t, git_content;
>>>  userdom_user_home_content(git_user_content_t)
>>>  
>>>  ########################################
>>> @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
>>>  typealias git_system_t alias gitd_t;
>>>  inetd_service_domain(git_system_t, gitd_exec_t)
>>>  
>>> -type git_sys_content_t;
>>> +type git_sys_content_t, git_content;
>>>  files_type(git_sys_content_t)
>>>  
>>>  ########################################
>>> @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
>>>  #
>>>  
>>>  apache_content_template(git)
>>> +
>>> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
>>> +
>>> +auth_use_nsswitch(httpd_git_script_t)
>>> +
>>> +git_read_all_content(httpd_git_script_t)
>>
>>
>> -- 
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 2/8] Git personal repositories

[Christopher J. PeBenito]

On 08/26/11 09:30, Dominick Grift wrote:
> On Fri, Aug 26, 2011 at 09:18:33AM -0400, Christopher J. PeBenito wrote:
>> On 08/24/11 08:35, Dominick Grift wrote:
>>> Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
>>> We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
>>> user home content, and therefore a new type for Git personal repositories is declared.
>>>
>>> By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
>>> It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
>>> read and serve personal repositories, and so we make the policy for this functionality tunable.
>>>
>>> We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
>>> repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
>>> directories in any user home directory should be labeled with the personal repository file type.
>>> That means that all login users should be allowed to relabel and manage the git_user_content_t personal
>>> repository type. Did you know that users might also need to execute some of the Git personal
>>> repository content. It is not obvious but in some cases users need to be able to execute the Git
>>> hooks scripts in their personal repositories. For example the might have a script that runs after the user
>>> commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
>>> also allow all login users to execute Git shared repository files.

>>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>>> index c6d3cc8..2dc8697 100644
>>> --- a/policy/modules/system/userdomain.if
>>> +++ b/policy/modules/system/userdomain.if
>>> @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
>>>  		fs_dontaudit_list_cifs($2)
>>>  		fs_dontaudit_read_cifs_files($2)
>>>  	')
>>> +
>>> +	optional_policy(`
>>> +		git_read_user_content($2)
>>> +	')
>>>  ')
>>>  
>>>  #######################################
>>> @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
>>>  		fs_dontaudit_manage_cifs_dirs($2)
>>>  		fs_dontaudit_manage_cifs_files($2)
>>>  	')
>>> +
>>> +	optional_policy(`
>>> +		git_manage_user_content($2)
>>> +		git_relabel_user_content($2)
>>> +	')
>>>  ')
>>>  
>>>  #######################################
>>> @@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
>>>  	')
>>>  
>>>  	optional_policy(`
>>> +		git_exec_user_content_files($1_t)
>>> +	')
>>> +
>>> +	optional_policy(`
>>>  		kerberos_use($1_t)
>>>  	')
>>
>> All of these content rules seem like it should be in a git_role()
>> interface, which would be invoked from the various role.te files.
> 
> Why do you think that?
> 
> i will explain why i think not:
> 
> 1. the file context spec. labels all ~/pubic_git type git_user_content_t, whether the user calls git_role_template or not.
> 2. sysadm can decide to allow git system daemon to host personal repositories of users that arent allowed to run the git session daemon in the git session domain.

For the first two, they absolutely do not belong there.  Those interfaces are
providing general user home directory access.  For the last, it makes more sense
for that access to go with the other git rules for users.  If you're saying that
users should have git content types w/o any other git policy, I'd say thats
overengineered.  MCS would seem more appropriate in that case.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Christopher J. PeBenito]

On 08/26/11 11:30, Dominick Grift wrote:
> On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
>> On 08/24/11 08:35, Dominick Grift wrote:
>>> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
>>> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
>>> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
>>> as Git daemon run by inetd but there are some differences. Most notably is the network access
>>> that the Git session daemon requires to listen on the Git port for service.
>>>
>>> The Git system daemon does not need this because inetd takes care of the network for it.
>>> Another difference is that Git session daemon can only read and serve users Git personal
>>> repositories, where Git system daemon can, if configured, read and serve both shared as well
>>> as personal repositories. Since much of the policy is common to both session and
>>> system, we declared a git_daemon attribute and assigned that to both the Git system and
>>> session daemons. This allows use to write policy that both daemon have in common once.
>>> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
>>> session domain started by unprivileged users and one system domain started by inetd.
>>>
>>> Fix: since we renamed gitd_t to git_system_t, add alias.
>>> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
>>
>> Perhaps I missed something, but how did it make sense to separate out
>> the content types from this patch?
> 
> The git_user_content_t has no relation to git session per se. 
> 
> in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
> this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
> So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.
> 
> By splitting the git_user_content_t type from the git session t policy we make it more flexible.
> 
> administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.
> 
> in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear

NAK.  See my other email about this.  To summarize, I think its overengineered
to have the content w/o session.

>> I'm confused why its renaming things from previous patches.  Why not
>> create it right in the first place?
> 
> I initially started with gitd_t rather than git_system_t because that made sense at that stage. There was no git_session_t yet at that point. Besides, what does it matter i created an alias to git_system_t in the patch that introduce git session t

So, in other words, these patches reflect how your development flow went.  In
the future please try to clean up submissions, as these type of changes make it
confusing for review.

>> git_session_role_template() isn't creating any types, so it should be
>> renamed to git_session_role().  Or in light of the previous patches,
>> git_role().
> 
> Ok that pretty minor and i can just submit a patch to apply that after the other applicable patches are submitted.

Thats fine.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

[Dominick Grift]

On Tue, Aug 30, 2011 at 09:23:51AM -0400, Christopher J. PeBenito wrote:
> On 08/26/11 12:14, Dominick Grift wrote:
> > On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 08:35, Dominick Grift wrote:
> >>> Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
> >>> The policy in this commit was taken from Fedora. It is well tested i believe.
> >>> These web applications display Git repositories. And they Should be able to read any Git
> >>> repository whether shared or personal. We implemented another attribute for it called git_content.
> >>
> >> Really all repos?  It seems like access to user repos should be tunable.
> > 
> > I guess it could be tunable but is it really worth that? i mean these git webapps are made to read git content. thats their sole purpose. We could
> > +implement a tunable for access to git_user_content_t but it seems a bit overdone.
> 
> I understand what you're saying, I'm just thinking that there could be a server
> that has several "system" repos, but have personal user dev repos that shouldn't
> be exported.

Ok if you want it that way i can do that to. I can't say i agree. I would call this over engineering. You can configure git to specify which repositories to export and we also have good old dac.

> > But if you want it tunable it will be my please to submit a follow up patch to fix this or a replacement.
> > 
> > By the way i already mentioned this but this httpd cgi domains should be in httpd.te. because it makes for example the git module dependent on the
> > +apache module whilst, git can work fine without httpd.
> 
> You could put that all in an optional.

You cannot make a file context specification optional.

if you make an apache content template call optional, for example:

optional_policy(`
apache_content_template(git)
')

/var/www/cgi-bin/git\.pl -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)

Than it is effectively not optional, because if you decide to disable or de-install the apache module, then the git module will blow up due to the type used in the file context file specification (httpd_git_script_exec_t)

it should be in the apache module instead.

> 
> >>> This attribute will be assigned to any and all Git repository content types, either existing or
> >>> to be created. Hopefully the next commit should explain why this attribute makes sense.
> >>>
> >>> Signed-off-by: Dominick Grift <domg472@gmail.com>
> >>> ---
> >>> :100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
> >>> :100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
> >>> :100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
> >>>  policy/modules/services/git.fc |    4 ++-
> >>>  policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
> >>>  policy/modules/services/git.te |   11 +++++++-
> >>>  3 files changed, 58 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> >>> index 7314ecb..c005782 100644
> >>> --- a/policy/modules/services/git.fc
> >>> +++ b/policy/modules/services/git.fc
> >>> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> >>>  
> >>>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
> >>>  
> >>> -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> >>> +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> >>>  
> >>>  /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
> >>>  
> >>>  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> >>> +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
> >>> +/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> >>> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> >>> index f1466e1..83356f2 100644
> >>> --- a/policy/modules/services/git.if
> >>> +++ b/policy/modules/services/git.if
> >>> @@ -40,6 +40,52 @@ template(`git_session_role_template',`
> >>>  
> >>>  ########################################
> >>>  ## <summary>
> >>> +##	Read all Git daemon repository
> >>> +##	content.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##	<summary>
> >>> +##	Domain allowed access.
> >>> +##	</summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`git_read_all_content',`
> >>> +	gen_require(`
> >>> +		attribute git_content;
> >>> +	')
> >>> +
> >>> +	list_dirs_pattern($1, git_content, git_content)
> >>> +	read_files_pattern($1, git_content, git_content)
> >>> +	userdom_search_user_home_dirs($1)
> >>> +	files_search_var_lib($1)
> >>> +
> >>> +	tunable_policy(`use_nfs_home_dirs',`
> >>> +		fs_read_nfs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_nfs_files($1)
> >>> +	')
> >>> +
> >>> +	tunable_policy(`use_samba_home_dirs',`
> >>> +		fs_read_cifs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_cifs_files($1)
> >>> +	')
> >>> +
> >>> +	tunable_policy(`git_system_use_cifs',`
> >>> +		fs_read_cifs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_cifs_files($1)
> >>> +	')
> >>> +
> >>> +	tunable_policy(`git_system_use_nfs',`
> >>> +		fs_read_nfs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_nfs_files($1)
> >>> +	')
> >>> +')
> >>> +
> >>> +########################################
> >>> +## <summary>
> >>>  ##	Execute Git daemon generic shared
> >>>  ##	repository content files.
> >>>  ## </summary>
> >>> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> >>> index 7040bf6..8602887 100644
> >>> --- a/policy/modules/services/git.te
> >>> +++ b/policy/modules/services/git.te
> >>> @@ -5,6 +5,7 @@ policy_module(git, 1.0)
> >>>  # Git daemon global declarations
> >>>  #
> >>>  
> >>> +attribute git_content;
> >>>  attribute git_daemon;
> >>>  
> >>>  type gitd_exec_t;
> >>> @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
> >>>  application_domain(git_session_t, gitd_exec_t)
> >>>  ubac_constrained(git_session_t)
> >>>  
> >>> -type git_user_content_t;
> >>> +type git_user_content_t, git_content;
> >>>  userdom_user_home_content(git_user_content_t)
> >>>  
> >>>  ########################################
> >>> @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
> >>>  typealias git_system_t alias gitd_t;
> >>>  inetd_service_domain(git_system_t, gitd_exec_t)
> >>>  
> >>> -type git_sys_content_t;
> >>> +type git_sys_content_t, git_content;
> >>>  files_type(git_sys_content_t)
> >>>  
> >>>  ########################################
> >>> @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
> >>>  #
> >>>  
> >>>  apache_content_template(git)
> >>> +
> >>> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> >>> +
> >>> +auth_use_nsswitch(httpd_git_script_t)
> >>> +
> >>> +git_read_all_content(httpd_git_script_t)
> >>
> >>
> >> -- 
> >> Chris PeBenito
> >> Tresys Technology, LLC
> >> www.tresys.com | oss.tresys.com
> >>
> >>
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110830/fcd8fabd/attachment.bin 

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Dominick Grift]

On Tue, Aug 30, 2011 at 09:50:48AM -0400, Christopher J. PeBenito wrote:
> On 08/26/11 11:30, Dominick Grift wrote:
> > On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 08:35, Dominick Grift wrote:
> >>> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
> >>> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> >>> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> >>> as Git daemon run by inetd but there are some differences. Most notably is the network access
> >>> that the Git session daemon requires to listen on the Git port for service.
> >>>
> >>> The Git system daemon does not need this because inetd takes care of the network for it.
> >>> Another difference is that Git session daemon can only read and serve users Git personal
> >>> repositories, where Git system daemon can, if configured, read and serve both shared as well
> >>> as personal repositories. Since much of the policy is common to both session and
> >>> system, we declared a git_daemon attribute and assigned that to both the Git system and
> >>> session daemons. This allows use to write policy that both daemon have in common once.
> >>> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> >>> session domain started by unprivileged users and one system domain started by inetd.
> >>>
> >>> Fix: since we renamed gitd_t to git_system_t, add alias.
> >>> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
> >>
> >> Perhaps I missed something, but how did it make sense to separate out
> >> the content types from this patch?
> > 
> > The git_user_content_t has no relation to git session per se. 
> > 
> > in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
> > this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
> > So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.
> > 
> > By splitting the git_user_content_t type from the git session t policy we make it more flexible.
> > 
> > administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.
> > 
> > in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear
> 
> NAK.  See my other email about this.  To summarize, I think its overengineered
> to have the content w/o session.

Really? apache module has httpd_user_content_t with out a user session (yes you can run httpd_t as a session daemon)
Anyways, duly noted. I can do what you want.

> 
> >> I'm confused why its renaming things from previous patches.  Why not
> >> create it right in the first place?
> > 
> > I initially started with gitd_t rather than git_system_t because that made sense at that stage. There was no git_session_t yet at that point. Besides, what does it matter i created an alias to git_system_t in the patch that introduce git session t
> 
> So, in other words, these patches reflect how your development flow went.  In
> the future please try to clean up submissions, as these type of changes make it
> confusing for review.

I think i did right. I think that if i have the git daemon domain type git_system_t in my first patch my might have complained about that name. I anticipated that and called it gitd_t instead for that reason only.

Anyways, sure i can do what you want and call it git_system_t from the get go.

> >> git_session_role_template() isn't creating any types, so it should be
> >> renamed to git_session_role().  Or in light of the previous patches,
> >> git_role().
> > 
> > Ok that pretty minor and i can just submit a patch to apply that after the other applicable patches are submitted.
> 
> Thats fine.
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110830/83289e3d/attachment.bin 

[refpolicy] [ v3 PATCH 2/8] Git personal repositories

[Dominick Grift]

On Tue, Aug 30, 2011 at 09:37:17AM -0400, Christopher J. PeBenito wrote:
> On 08/26/11 09:30, Dominick Grift wrote:
> > On Fri, Aug 26, 2011 at 09:18:33AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 08:35, Dominick Grift wrote:
> >>> Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> >>> We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
> >>> user home content, and therefore a new type for Git personal repositories is declared.
> >>>
> >>> By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> >>> It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
> >>> read and serve personal repositories, and so we make the policy for this functionality tunable.
> >>>
> >>> We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> >>> repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> >>> directories in any user home directory should be labeled with the personal repository file type.
> >>> That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> >>> repository type. Did you know that users might also need to execute some of the Git personal
> >>> repository content. It is not obvious but in some cases users need to be able to execute the Git
> >>> hooks scripts in their personal repositories. For example the might have a script that runs after the user
> >>> commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
> >>> also allow all login users to execute Git shared repository files.
> 
> >>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> >>> index c6d3cc8..2dc8697 100644
> >>> --- a/policy/modules/system/userdomain.if
> >>> +++ b/policy/modules/system/userdomain.if
> >>> @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
> >>>  		fs_dontaudit_list_cifs($2)
> >>>  		fs_dontaudit_read_cifs_files($2)
> >>>  	')
> >>> +
> >>> +	optional_policy(`
> >>> +		git_read_user_content($2)
> >>> +	')
> >>>  ')
> >>>  
> >>>  #######################################
> >>> @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
> >>>  		fs_dontaudit_manage_cifs_dirs($2)
> >>>  		fs_dontaudit_manage_cifs_files($2)
> >>>  	')
> >>> +
> >>> +	optional_policy(`
> >>> +		git_manage_user_content($2)
> >>> +		git_relabel_user_content($2)
> >>> +	')
> >>>  ')
> >>>  
> >>>  #######################################
> >>> @@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
> >>>  	')
> >>>  
> >>>  	optional_policy(`
> >>> +		git_exec_user_content_files($1_t)
> >>> +	')
> >>> +
> >>> +	optional_policy(`
> >>>  		kerberos_use($1_t)
> >>>  	')
> >>
> >> All of these content rules seem like it should be in a git_role()
> >> interface, which would be invoked from the various role.te files.
> > 
> > Why do you think that?
> > 
> > i will explain why i think not:
> > 
> > 1. the file context spec. labels all ~/pubic_git type git_user_content_t, whether the user calls git_role_template or not.
> > 2. sysadm can decide to allow git system daemon to host personal repositories of users that arent allowed to run the git session daemon in the git session domain.
> 
> For the first two, they absolutely do not belong there.  Those interfaces are
> providing general user home directory access.  For the last, it makes more sense
> for that access to go with the other git rules for users.  If you're saying that
> users should have git content types w/o any other git policy, I'd say thats
> overengineered.  MCS would seem more appropriate in that case.

I can't say that i agree, since apache also have httpd user content types without a httpd session domain, but ok

I can rebase my patch set with the requested changes as soon as we have figured out a way to deal with git_shell user domains and custom shared repository types, see my latest RFC email about that.

We could also do it the easy way and not support Type enforcement shared repository isolation and not support user domain tailored to git shell users.

Instead opt to just settle for using guest_t for git shell and using mcs to limit what guest_t domain can access what git shared repository.

Not my prefered solution but it would make the policy much simpler ( yet harder for admins to grasp )

> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110830/d18e20b7/attachment.bin 

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Christopher J. PeBenito]

On 08/30/11 13:20, Dominick Grift wrote:
> On Tue, Aug 30, 2011 at 09:50:48AM -0400, Christopher J. PeBenito wrote:
>> On 08/26/11 11:30, Dominick Grift wrote:
>>> On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
>>>> On 08/24/11 08:35, Dominick Grift wrote:
>>>>> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
>>>>> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
>>>>> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
>>>>> as Git daemon run by inetd but there are some differences. Most notably is the network access
>>>>> that the Git session daemon requires to listen on the Git port for service.
>>>>>
>>>>> The Git system daemon does not need this because inetd takes care of the network for it.
>>>>> Another difference is that Git session daemon can only read and serve users Git personal
>>>>> repositories, where Git system daemon can, if configured, read and serve both shared as well
>>>>> as personal repositories. Since much of the policy is common to both session and
>>>>> system, we declared a git_daemon attribute and assigned that to both the Git system and
>>>>> session daemons. This allows use to write policy that both daemon have in common once.
>>>>> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
>>>>> session domain started by unprivileged users and one system domain started by inetd.
>>>>>
>>>>> Fix: since we renamed gitd_t to git_system_t, add alias.
>>>>> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
>>>>
>>>> Perhaps I missed something, but how did it make sense to separate out
>>>> the content types from this patch?
>>>
>>> The git_user_content_t has no relation to git session per se. 
>>>
>>> in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
>>> this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
>>> So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.
>>>
>>> By splitting the git_user_content_t type from the git session t policy we make it more flexible.
>>>
>>> administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.
>>>
>>> in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear
>>
>> NAK.  See my other email about this.  To summarize, I think its overengineered
>> to have the content w/o session.
> 
> Really? apache module has httpd_user_content_t with out a user session (yes you can run httpd_t as a session daemon)

This gets into a slippery slope.  You can pretty much argue that just about a user could run just about any service out of their home directory.  Its infeasible to constrain all services like this, especially in a general way.  This makes me think that the session git might not be necessary.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

[Christopher J. PeBenito]

On 08/30/11 13:15, Dominick Grift wrote:
> On Tue, Aug 30, 2011 at 09:23:51AM -0400, Christopher J. PeBenito wrote:
>> On 08/26/11 12:14, Dominick Grift wrote:
>>> On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
>>>> On 08/24/11 08:35, Dominick Grift wrote:
>>>>> Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
>>>>> The policy in this commit was taken from Fedora. It is well tested i believe.
>>>>> These web applications display Git repositories. And they Should be able to read any Git
>>>>> repository whether shared or personal. We implemented another attribute for it called git_content.
>>>>
>>>> Really all repos?  It seems like access to user repos should be tunable.
>>>
>>> I guess it could be tunable but is it really worth that? i mean these git webapps are made to read git content. thats their sole purpose. We could
>>> +implement a tunable for access to git_user_content_t but it seems a bit overdone.
>>
>> I understand what you're saying, I'm just thinking that there could be a server
>> that has several "system" repos, but have personal user dev repos that shouldn't
>> be exported.
> 
> Ok if you want it that way i can do that to. I can't say i agree. I would call this over engineering. You can configure git to specify which repositories to export and we also have good old dac.

I might agree that it was overengineering except that system and user repos have different trust and integrity levels, otherwise they'd be the same type.  So if you don't trust your users, you might want to enforce that the system daemon can't touch user repos nor risk mixing of system and user repos.  Alternatively, you could argue that user repos are more sensitive than system repos, and you might not want to allow them to be exported.

>>> But if you want it tunable it will be my please to submit a follow up patch to fix this or a replacement.
>>>
>>> By the way i already mentioned this but this httpd cgi domains should be in httpd.te. because it makes for example the git module dependent on the
>>> +apache module whilst, git can work fine without httpd.
>>
>> You could put that all in an optional.
> 
> You cannot make a file context specification optional.
> 
> if you make an apache content template call optional, for example:
> 
> optional_policy(`
> apache_content_template(git)
> ')
> 
> /var/www/cgi-bin/git\.pl -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> 
> Than it is effectively not optional, because if you decide to disable or de-install the apache module, then the git module will blow up due to the type used in the file context file specification (httpd_git_script_exec_t)
> 
> it should be in the apache module instead.

A valid point.  I guess you have to make it unconditional.  Or move it into a separate module.  I can live with that.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Dominick Grift]

On Wed, Aug 31, 2011 at 10:36:58AM -0400, Christopher J. PeBenito wrote:
> On 08/30/11 13:20, Dominick Grift wrote:
> > On Tue, Aug 30, 2011 at 09:50:48AM -0400, Christopher J. PeBenito wrote:
> >> On 08/26/11 11:30, Dominick Grift wrote:
> >>> On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> >>>> On 08/24/11 08:35, Dominick Grift wrote:
> >>>>> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
> >>>>> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> >>>>> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> >>>>> as Git daemon run by inetd but there are some differences. Most notably is the network access
> >>>>> that the Git session daemon requires to listen on the Git port for service.
> >>>>>
> >>>>> The Git system daemon does not need this because inetd takes care of the network for it.
> >>>>> Another difference is that Git session daemon can only read and serve users Git personal
> >>>>> repositories, where Git system daemon can, if configured, read and serve both shared as well
> >>>>> as personal repositories. Since much of the policy is common to both session and
> >>>>> system, we declared a git_daemon attribute and assigned that to both the Git system and
> >>>>> session daemons. This allows use to write policy that both daemon have in common once.
> >>>>> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> >>>>> session domain started by unprivileged users and one system domain started by inetd.
> >>>>>
> >>>>> Fix: since we renamed gitd_t to git_system_t, add alias.
> >>>>> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
> >>>>
> >>>> Perhaps I missed something, but how did it make sense to separate out
> >>>> the content types from this patch?
> >>>
> >>> The git_user_content_t has no relation to git session per se. 
> >>>
> >>> in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
> >>> this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
> >>> So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.
> >>>
> >>> By splitting the git_user_content_t type from the git session t policy we make it more flexible.
> >>>
> >>> administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.
> >>>
> >>> in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear
> >>
> >> NAK.  See my other email about this.  To summarize, I think its overengineered
> >> to have the content w/o session.
> > 
> > Really? apache module has httpd_user_content_t with out a user session (yes you can run httpd_t as a session daemon)
> 
> This gets into a slippery slope.  You can pretty much argue that just about a user could run just about any service out of their home directory.  Its infeasible to constrain all services like this, especially in a general way.  This makes me think that the session git might not be necessary.

I guess that depends on ones vision. Integrity is integrity for me. I am using SELinux policy tuned strict. I want some integrity in the user space.

Yes you probably could run git -daemon and or apache as session in the user domain. You would need to set user_tcp_server. Yet this provides no integrity in the user space. E.g. git-daemon or apache will be able to serve my ssh private key, will be able to mess with my processes etc etc.

I am going to step back right here because we keep arguing over some fundamental different views.

> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110831/fb338146/attachment.bin 

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Christopher J. PeBenito]

On 08/31/11 10:49, Dominick Grift wrote:
> On Wed, Aug 31, 2011 at 10:36:58AM -0400, Christopher J. PeBenito wrote:
>> On 08/30/11 13:20, Dominick Grift wrote:
>>> On Tue, Aug 30, 2011 at 09:50:48AM -0400, Christopher J. PeBenito wrote:
>>>> On 08/26/11 11:30, Dominick Grift wrote:
>>>>> On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
>>>>>> On 08/24/11 08:35, Dominick Grift wrote:
>>>>>>> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
>>>>>>> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
>>>>>>> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
>>>>>>> as Git daemon run by inetd but there are some differences. Most notably is the network access
>>>>>>> that the Git session daemon requires to listen on the Git port for service.
>>>>>>>
>>>>>>> The Git system daemon does not need this because inetd takes care of the network for it.
>>>>>>> Another difference is that Git session daemon can only read and serve users Git personal
>>>>>>> repositories, where Git system daemon can, if configured, read and serve both shared as well
>>>>>>> as personal repositories. Since much of the policy is common to both session and
>>>>>>> system, we declared a git_daemon attribute and assigned that to both the Git system and
>>>>>>> session daemons. This allows use to write policy that both daemon have in common once.
>>>>>>> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
>>>>>>> session domain started by unprivileged users and one system domain started by inetd.
>>>>>>>
>>>>>>> Fix: since we renamed gitd_t to git_system_t, add alias.
>>>>>>> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
>>>>>>
>>>>>> Perhaps I missed something, but how did it make sense to separate out
>>>>>> the content types from this patch?
>>>>>
>>>>> The git_user_content_t has no relation to git session per se. 
>>>>>
>>>>> in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
>>>>> this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
>>>>> So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.
>>>>>
>>>>> By splitting the git_user_content_t type from the git session t policy we make it more flexible.
>>>>>
>>>>> administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.
>>>>>
>>>>> in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear
>>>>
>>>> NAK.  See my other email about this.  To summarize, I think its overengineered
>>>> to have the content w/o session.
>>>
>>> Really? apache module has httpd_user_content_t with out a user session (yes you can run httpd_t as a session daemon)
>>
>> This gets into a slippery slope.  You can pretty much argue that just about a user could run just about any service out of their home directory.  Its infeasible to constrain all services like this, especially in a general way.  This makes me think that the session git might not be necessary.
> 
> I guess that depends on ones vision. Integrity is integrity for me. I am using SELinux policy tuned strict. I want some integrity in the user space.
> 
> Yes you probably could run git -daemon and or apache as session in the user domain. You would need to set user_tcp_server. Yet this provides no integrity in the user space. E.g. git-daemon or apache will be able to serve my ssh private key, will be able to mess with my processes etc etc.
> 
> I am going to step back right here because we keep arguing over some fundamental different views.

I'm not sure that these are fundamentally different views, I think its a question of pragmatism.  Of course, if it were an ideal world, I'd be happy to have a policy that fully enforces every little security goal.  Except for cases where users can only log in through the git shell or scponly, users tend to be quite variable on what they do, making it increasingly difficult to constrain.  The more you try to constrain, the unhappier users start to get, and then they might disable SELinux in response.  As maintainer, I have to balance the strength of the policy vs the complexity of the policy vs. the usefulness of the policy.  I've drawn a line in the sand that says users running system services (eg apache, samba, ftp) out of their home dir is probably not something worth covering in the policy.  If you want to do that, CIL will make it easy, since the policy writer can clone, for example, ftpd_t  into user_ftpd_t and tweak it to be runnable by user_t and export only user ftp f
iles.

To try to summarize my current positions on the contended portions of this patch set:

1. users running gitd service out of their home dirs probably isn't worth including
2. it doesn't make sense to have content types except for cases where the repos are actually exported
3. git shell can be supported, but for now I think that the template should go in the git module.  We can consider a more general template to handle this and stuff like scponly (are there other examples?) once those are understood better.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ v3 PATCH 4/8] Git session daemon

[Dominick Grift]

On Wed, Aug 31, 2011 at 11:14:42AM -0400, Christopher J. PeBenito wrote:
> On 08/31/11 10:49, Dominick Grift wrote:
> > On Wed, Aug 31, 2011 at 10:36:58AM -0400, Christopher J. PeBenito wrote:
> >> On 08/30/11 13:20, Dominick Grift wrote:
> >>> On Tue, Aug 30, 2011 at 09:50:48AM -0400, Christopher J. PeBenito wrote:
> >>>> On 08/26/11 11:30, Dominick Grift wrote:
> >>>>> On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> >>>>>> On 08/24/11 08:35, Dominick Grift wrote:
> >>>>>>> Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
> >>>>>>> run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> >>>>>>> read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> >>>>>>> as Git daemon run by inetd but there are some differences. Most notably is the network access
> >>>>>>> that the Git session daemon requires to listen on the Git port for service.
> >>>>>>>
> >>>>>>> The Git system daemon does not need this because inetd takes care of the network for it.
> >>>>>>> Another difference is that Git session daemon can only read and serve users Git personal
> >>>>>>> repositories, where Git system daemon can, if configured, read and serve both shared as well
> >>>>>>> as personal repositories. Since much of the policy is common to both session and
> >>>>>>> system, we declared a git_daemon attribute and assigned that to both the Git system and
> >>>>>>> session daemons. This allows use to write policy that both daemon have in common once.
> >>>>>>> Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> >>>>>>> session domain started by unprivileged users and one system domain started by inetd.
> >>>>>>>
> >>>>>>> Fix: since we renamed gitd_t to git_system_t, add alias.
> >>>>>>> Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
> >>>>>>
> >>>>>> Perhaps I missed something, but how did it make sense to separate out
> >>>>>> the content types from this patch?
> >>>>>
> >>>>> The git_user_content_t has no relation to git session per se. 
> >>>>>
> >>>>> in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
> >>>>> this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
> >>>>> So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.
> >>>>>
> >>>>> By splitting the git_user_content_t type from the git session t policy we make it more flexible.
> >>>>>
> >>>>> administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.
> >>>>>
> >>>>> in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear
> >>>>
> >>>> NAK.  See my other email about this.  To summarize, I think its overengineered
> >>>> to have the content w/o session.
> >>>
> >>> Really? apache module has httpd_user_content_t with out a user session (yes you can run httpd_t as a session daemon)
> >>
> >> This gets into a slippery slope.  You can pretty much argue that just about a user could run just about any service out of their home directory.  Its infeasible to constrain all services like this, especially in a general way.  This makes me think that the session git might not be necessary.
> > 
> > I guess that depends on ones vision. Integrity is integrity for me. I am using SELinux policy tuned strict. I want some integrity in the user space.
> > 
> > Yes you probably could run git -daemon and or apache as session in the user domain. You would need to set user_tcp_server. Yet this provides no integrity in the user space. E.g. git-daemon or apache will be able to serve my ssh private key, will be able to mess with my processes etc etc.
> > 
> > I am going to step back right here because we keep arguing over some fundamental different views.
> 
> I'm not sure that these are fundamentally different views, I think its a question of pragmatism.  Of course, if it were an ideal world, I'd be happy to have a policy that fully enforces every little security goal.  Except for cases where users can only log in through the git shell or scponly, users tend to be quite variable on what they do, making it increasingly difficult to constrain.  The more you try to constrain, the unhappier users start to get, and then they might disable SELinux in response.  As maintainer, I have to balance the strength of the policy vs the complexity of the policy vs. the usefulness of the policy.  I've drawn a line in the sand that says users running system services (eg apache, samba, ftp) out of their home dir is probably not something worth covering in the policy.  If you want to do that, CIL will make it easy, since the policy writer can clone, for example, ftpd_t  into user_ftpd_t and tweak it to be runnable by user_t and export only user ftp f
> iles.

I think ican counter this just by saying that administrators that map users to confined domains choose integrity. Administrators that "are unhappy with constraints" will map their users to unconfined_t, as per default.

In my v6 patch i removed support for git shell which simplefied policy a great deal.

> 
> To try to summarize my current positions on the contended portions of this patch set:
> 
> 1. users running gitd service out of their home dirs probably isn't worth including

I just dont agree, sorry

For the audience that do not like these constraints we already made great sacrifice by mapping unix users to the unconfined_u by default. So by default git session are already run unconfined (unconstrained)

Its the audience that does value integrity in the user space that i designed the git_role for. It is "hidden". Administrator has to explicitly map users to either user_u , staff_u or sysadm_u to be able to run git sessions constrained. Admins that map their unix users to confined user domain expect strict policy, i think that is safe to asume. 

And even then, in my v6 patch, admin has to toggle git_session_user to allow any of the confined users to transition to the git session domain. So if git_session user is off then staff_u , user_u and sysadm_u run git-daemon in their user domain, and then git-daemon can export ~/.ssh if they so please.

What you are saying is, we'll just ignore this functionality for strict users, its not worth it.

There are people actually trying to use confined domains in their daily lives. We need to support it, not ignore it. These people want integrity in the user space.

I am representing the people that do value integrity on the desktop, and my v6 patch shows that i am willing to compromize a great deal.

> 2. it doesn't make sense to have content types except for cases where the repos are actually exported

In my v6 patch there are only two content type system content and user content.( i have removed the interfaces that allow one to create new content types )  I do not understand to context of your statement above.

> 3. git shell can be supported, but for now I think that the template should go in the git module.  We can consider a more general template to handle this and stuff like scponly (are there other examples?) once those are understood better.

In my v6 patch i removed support for git_shell, not because i agree with you but just because i want to put this behind me. We can later maybe consider git shell support and/or support for other content types.

> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110831/fbcbf6f9/attachment-0001.bin