2008-08-18 15:12:50

by JensNeuhalfen

Subject: [refpolicy] SeLinux policy for git-daemon

Hi,

I just wanted to let you know that I wrote an SeLinux policy for the
git daemon. If anyone could be so kind as to comment on my draft? You can
find it here: git://http://www.neuhalfen.name/git-selinux.git

Beware: This is the whole git-repository, roughly 25MB

FYI: The post below went to the git mailing list, so there are a few
posts there as well.

Jens

-------- Forwarded Message --------
> From: Jens Neuhalfen <[email protected]>
> To: git at vger.kernel.org
> Subject: SeLinux integration
> Date: Sun, 17 Aug 2008 12:44:22 +0200
>
> Hi,
>
> I wrote an SeLinux policy and an init.d script for the git-daemon
> and am now seeking comments and improvements.
>
> The scripts were tested on my CentOS 5.2 box and an older version had
> been tested on FC 9.
>
> Features:
> * multiple configuration files for the init.d script
> * selinux support for git daemon
> * seboolean (git_daemon_update_repository) that forces git-daemon
> into strict read-only mode when set to false
>
> TODO
> * The policy and the accompanying init.d script still lack
> documentation
> * see selinux/BUGS and initd/BUGS
>
> Feel free to pull from my repository and comment. If everything is
> 'good' I will send patches to the list, so that SeLinux support can be
> integrated into the main repository.
>
>
> git://http://www.neuhalfen.name/git-selinux.git
>
>
> Jens
>
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html


2008-08-18 15:08:36

by David P. Quigley

Subject: [refpolicy] SeLinux policy for git-daemon

For everyone's convenience I already have the repo checked out and have
attached his three policy template files. I think they have tpl at the
end because the build system is supposed to substitute something in but
it only seems to be the case with respect to the fc file.

Dave

-------------- next part --------------

# git-daemon file contexts (.fc.tpl). The @@GITD-...@@ tokens are replaced by
# the build system with the paths configured for the init.d script.

# the git-daemon binary: entry point into git-daemon_t
@@GITD-GITDAEMON@@ -- gen_context(system_u:object_r:git-daemon_exec_t,s0)

# the init.d script
@@GITD-INITSCRIPT@@ -- gen_context(system_u:object_r:git-daemon_script_exec_t,s0)

# the exported repositories: the base path and everything below it
# (the original pattern (/[^/].+)* missed single-character entries)
@@GITD-BASEPATH@@(/.*)? gen_context(system_u:object_r:git-daemon_rw_t,s0)

# directory holding the pid file
@@GITD-PIDDIR@@ gen_context(system_u:object_r:git-daemon_var_run_t,s0)
# /var/log/git-daemon -- gen_context(system_u:object_r:git-daemon_var_log_t,s0)
-------------- next part --------------

## <summary>policy for git-daemon</summary>
#
# NOTE: m4 only recognises letters, digits and '_' in macro names, so
# interfaces named git-daemon_* are defined here but cannot be invoked as
# written (m4 splits the call at the '-'). Renaming the module to gitd_*,
# as suggested in this thread, fixes that.

########################################
## <summary>
## Execute a domain transition to run git-daemon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`git-daemon_domtrans',`
gen_require(`
type git-daemon_t;
type git-daemon_exec_t;
')

domtrans_pattern($1,git-daemon_exec_t,git-daemon_t)
')


########################################
## <summary>
## Execute git-daemon server in the git-daemon domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`git-daemon_script_domtrans',`
gen_require(`
type git-daemon_script_exec_t;
')

init_script_domtrans_spec($1,git-daemon_script_exec_t)
')

########################################
## <summary>
## Do not audit attempts to read
## git-daemon tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`git-daemon_dontaudit_read_tmp_files',`
gen_require(`
type git-daemon_tmp_t;
')

dontaudit $1 git-daemon_tmp_t:file read_file_perms;
')

########################################
## <summary>
## Allow domain to read git-daemon tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git-daemon_read_tmp_files',`
gen_require(`
type git-daemon_tmp_t;
')

allow $1 git-daemon_tmp_t:file read_file_perms;
')

########################################
## <summary>
## Allow domain to manage git-daemon tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git-daemon_manage_tmp',`
gen_require(`
type git-daemon_tmp_t;
')

manage_dirs_pattern($1,git-daemon_tmp_t,git-daemon_tmp_t)
manage_files_pattern($1,git-daemon_tmp_t,git-daemon_tmp_t)
manage_lnk_files_pattern($1,git-daemon_tmp_t,git-daemon_tmp_t)
')

########################################
## <summary>
## Search git-daemon rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git-daemon_search_rw_dir',`
gen_require(`
type git-daemon_rw_t;
')

allow $1 git-daemon_rw_t:dir search_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
## Read git-daemon rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git-daemon_read_rw_files',`
gen_require(`
type git-daemon_rw_t;
')

allow $1 git-daemon_rw_t:file r_file_perms;
allow $1 git-daemon_rw_t:dir list_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
## Create, read, write, and delete
## git-daemon rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git-daemon_manage_rw_files',`
gen_require(`
type git-daemon_rw_t;
')

allow $1 git-daemon_rw_t:file manage_file_perms;
allow $1 git-daemon_rw_t:dir rw_dir_perms;
')

########################################
## <summary>
## Manage git-daemon rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git-daemon_manage_rw',`
gen_require(`
type git-daemon_rw_t;
')

manage_dirs_pattern($1,git-daemon_rw_t,git-daemon_rw_t)
manage_files_pattern($1,git-daemon_rw_t,git-daemon_rw_t)
manage_lnk_files_pattern($1,git-daemon_rw_t,git-daemon_rw_t)
')


########################################
## <summary>
## All of the rules required to administrate
## a git-daemon environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the git-daemon domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal (currently unused by this interface).
## </summary>
## </param>
## <rolecap/>
#
interface(`git-daemon_admin',`
gen_require(`
type git-daemon_t;
type git-daemon_script_exec_t;
')

# inspect and signal the daemon
allow $1 git-daemon_t:process { ptrace signal_perms getattr };
read_files_pattern($1, git-daemon_t, git-daemon_t)

# Allow the admin domain ($1) to restart the service via the init script
git-daemon_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 git-daemon_script_exec_t system_r;
allow $2 system_r;

git-daemon_manage_tmp($1)
git-daemon_manage_rw($1)
')
-------------- next part --------------
policy_module(git-daemon,1.0.13)


########################################
#
# Declarations
#

type git-daemon_t;
type git-daemon_exec_t;
init_daemon_domain(git-daemon_t, git-daemon_exec_t)

type git-daemon_script_exec_t;
init_script_type(git-daemon_script_exec_t)

type git-daemon_tmp_t;
files_tmp_file(git-daemon_tmp_t)

#type git-daemon_var_log_t;
#logging_log_file(git-daemon_var_log_t)

type git-daemon_var_run_t;
files_pid_file(git-daemon_var_run_t)
manage_files_pattern(git-daemon_t,git-daemon_var_run_t,git-daemon_var_run_t)


type git-daemon_rw_t;
files_type(git-daemon_rw_t)

type git-daemon_port_t;
corenet_port(git-daemon_port_t)

########################################
#
# git-daemon tuneables
#
#

# Read or Read/Write access to our data-files?
gen_tunable(git_daemon_update_repository,false)


########################################
#
# git-daemon helper
#
# Allow the daemon to be started directly from an unconfined shell, without
# run_init (Fedora/CentOS targeted policy). Wrapped in optional_policy so the
# module still loads where unconfined_t does not exist. domain_entry_file is
# already covered by init_daemon_domain above.
optional_policy(`
gen_require(`
type unconfined_t;
')

domtrans_pattern(unconfined_t, git-daemon_exec_t, git-daemon_t)
')


#######################################
#
# git-daemon local policy
#

# Init script handling. TODO: check whether we really want this; optionally make it a boolean
domain_use_interactive_fds(git-daemon_t)

# internal communication is often done using fifo and unix sockets.
allow git-daemon_t self:fifo_file rw_file_perms;
allow git-daemon_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(git-daemon_t)

libs_use_ld_so(git-daemon_t)
libs_use_shared_libs(git-daemon_t)

miscfiles_read_localization(git-daemon_t)

# Temporary files (if any); git-daemon_tmp_t is declared above
allow git-daemon_t git-daemon_tmp_t:file manage_file_perms;
allow git-daemon_t git-daemon_tmp_t:dir create_dir_perms;
files_tmp_filetrans(git-daemon_t,git-daemon_tmp_t, { file dir })


#
# Networking
#
sysnet_dns_name_resolve(git-daemon_t)

# anybody can talk to us
corenet_all_recvfrom_unlabeled(git-daemon_t)

#
# we act as a network server that listens on tcp git-daemon_port_t
# (git-daemon itself only speaks TCP; the udp rules below come from the
# generated skeleton and can be dropped if nothing else needs them)
#

# tcp
allow git-daemon_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(git-daemon_t)
corenet_tcp_sendrecv_all_nodes(git-daemon_t)
corenet_tcp_sendrecv_all_ports(git-daemon_t)
corenet_tcp_bind_all_nodes(git-daemon_t)

allow git-daemon_t git-daemon_port_t:tcp_socket name_bind;
# name_connect is only needed if the daemon makes outbound git connections
allow git-daemon_t git-daemon_port_t:tcp_socket name_connect;

# udp
allow git-daemon_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(git-daemon_t)
corenet_udp_sendrecv_all_nodes(git-daemon_t)
corenet_udp_sendrecv_all_ports(git-daemon_t)
allow git-daemon_t git-daemon_port_t:udp_socket name_bind;
corenet_udp_bind_all_nodes(git-daemon_t)

#
# Logging
#
logging_send_syslog_msg(git-daemon_t)
#logging_send_audit_msgs(git-daemon_t)



#
# Read or Read/Write access to our data-files? With the boolean off,
# git-daemon_t can only list directories, read files and follow symlinks
# in git-daemon_rw_t (strict read-only mode).
#
tunable_policy(`git_daemon_update_repository',`
manage_dirs_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
manage_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
manage_lnk_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
',`
read_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
read_lnk_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
list_dirs_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
')


#
# Execute hook scripts, if any. Note this is outside tunable_policy: hooks
# under the base path stay executable even in read-only mode.
exec_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)

# Some random data is always handy
dev_read_urand(git-daemon_t)


# Allow git to execute basic commands
corecmd_exec_bin(git-daemon_t)


#
# git-daemon needs to change uid/gid to drop privileges (--user/--group)
#
allow git-daemon_t self:capability { setuid setgid };
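What the posted .te grants git-daemon_t on git-daemon_rw_t under each setting of the boolean, as a small Python model (an added example, not code from the thread or from Jens's repository). It assumes the refpolicy pattern expansions and permission sets of that era; since exec_files_pattern sits outside tunable_policy, it also shows that hook scripts remain executable in "strict read-only mode".

```python
# Added example: models the git-daemon_t -> git-daemon_rw_t rules of the
# posted .te.  Pattern expansions and permission sets are an assumption
# based on 2008-era refpolicy misc_patterns.spt / obj_perm_sets.spt; later
# versions add e.g. 'open', so check your own tree before relying on them.

# Permission sets (as in obj_perm_sets.spt of that time).
SEARCH_DIR = {"getattr", "search"}
LIST_DIR = SEARCH_DIR | {"read", "lock", "ioctl"}
RW_DIR = LIST_DIR | {"write", "add_name", "remove_name"}
MANAGE_DIR = RW_DIR | {"create", "setattr", "link", "unlink", "rename",
                       "reparent", "rmdir"}
READ_FILE = {"getattr", "read", "lock", "ioctl"}
MANAGE_FILE = READ_FILE | {"create", "setattr", "write", "append",
                           "rename", "link", "unlink"}
EXEC_FILE = {"getattr", "read", "execute", "execute_no_trans"}
READ_LNK = {"getattr", "read"}
MANAGE_LNK = READ_LNK | {"create", "setattr", "link", "unlink", "rename"}

# pattern -> [(class, perms on the directory $2), (class, perms on target $3)]
PATTERNS = {
    "read_files_pattern": [("dir", SEARCH_DIR), ("file", READ_FILE)],
    "read_lnk_files_pattern": [("dir", SEARCH_DIR), ("lnk_file", READ_LNK)],
    "list_dirs_pattern": [("dir", SEARCH_DIR), ("dir", LIST_DIR)],
    "exec_files_pattern": [("dir", SEARCH_DIR), ("file", EXEC_FILE)],
    "manage_dirs_pattern": [("dir", RW_DIR), ("dir", MANAGE_DIR)],
    "manage_files_pattern": [("dir", RW_DIR), ("file", MANAGE_FILE)],
    "manage_lnk_files_pattern": [("dir", RW_DIR), ("lnk_file", MANAGE_LNK)],
}

# The rules from the posted .te that touch git-daemon_rw_t.  $2 and $3 are
# the same type there, so directory and target permissions accumulate.
IF_TRUE = ["manage_dirs_pattern", "manage_files_pattern",
           "manage_lnk_files_pattern"]
IF_FALSE = ["read_files_pattern", "read_lnk_files_pattern",
            "list_dirs_pattern"]
ALWAYS = ["exec_files_pattern"]  # outside tunable_policy: hooks stay executable

def effective_perms(update_repository):
    """Return {object class: permissions} git-daemon_t holds on git-daemon_rw_t."""
    granted = {}
    for name in (IF_TRUE if update_repository else IF_FALSE) + ALWAYS:
        for cls, perms in PATTERNS[name]:
            granted.setdefault(cls, set()).update(perms)
    return granted

def allowed(update_repository, cls, perm):
    """True if the boolean state grants `perm` on `cls` objects in the repos."""
    return perm in effective_perms(update_repository).get(cls, set())

if __name__ == "__main__":
    for state in (False, True):
        print("git_daemon_update_repository =", state,
              {c: sorted(p) for c, p in effective_perms(state).items()})
```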

2008-08-18 15:37:07

by JensNeuhalfen

Subject: [refpolicy] SeLinux policy for git-daemon

Hi Dave, thank you for providing that.

> For everyone's convenience I already have the repo checked out and have
> attached his three policy template files. I think they have tpl at the
> end because the build system is supposed to substitute something in but
> it only seems to be the case with respect to the fc file.
>

Dave is absolutely right, the tpl extension means "template" and is used
by the build system.

There are some points where I need some help/ideas/..
- I guess the interface can be significantly slimmed down.
- Can/should I use interface methods from the te file? From a
sw-engineering standpoint I would use "subroutine" macros in the
te-file


Please do not hesitate to "style-correct" me, as I want to write good
code (not just barely working code)

Jens




> Dave
>

2008-08-18 15:31:54

by David P. Quigley

Subject: [refpolicy] SeLinux policy for git-daemon

On Mon, 2008-08-18 at 17:37 +0200, Jens Neuhalfen wrote:
> Hi,
>
>
> Hi Dave, thank you for providing that.
>
> > For everyone's convenience I already have the repo checked out and have
> > attached his three policy template files. I think they have tpl at the
> > end because the build system is supposed to substitute something in but
> > it only seems to be the case with respect to the fc file.
> >
>
> Dave is absolutely right, the tpl extension means "template" and is used
> by the build system.
>
> There are some points, where I need some help/ideas/..
> - I guess the interface can be significantly slimmed down.
> - Can/should I use interface methods from the te file? From a
> sw-engineering standpoint I would use "subroutine" macros in the
> te-file
>
>
> Please do not hesitate to "style-correct" me, as I want to write good
> code (not just barely working code)
>
> Jens
>
>
>
>
> > Dave
> >

I'm sure Chris and Dan will have better comments than I do but initially
there are a couple of things that I see. The first is you might want to
shorten git-daemon to gitd and replace git_daemon with gitd as well in
interface names. Also since you will probably want this merged into
reference policy you will want to make sure all of the comments are in
English. I see a couple of comments in German through the .te file. I am
not a policy guru so I can't speak to the usage of interfaces and
patterns so I will leave that to Dan and Chris. One question though is
how did you derive this policy. Did you use the run gitd then run the
logs through audit2allow approach?

Dave

2008-08-18 16:09:47

by JensNeuhalfen

Subject: [refpolicy] SeLinux policy for git-daemon

Hi Dave,


>
> I'm sure Chris and Dan will have better comments than I do but initially
> there are a couple of things that I see. The first is you might want to
> shorten git-daemon to gitd and replace git_daemon with gitd as well in
> interface names. Also since you will probably want this merged into

That sounds like a good idea.

> reference policy you will want to make sure all of the comments are in
> English. I see a couple of comments in German through the .te file. I am

hm. Ignore them ;-) Documentation is definitely lacking. I hope to write
something that is worth the name description around next weekend.

> not a policy guru so I can't speak to the usage of interfaces and
> patterns so I will leave that to Dan and Chris. One question though is
> how did you derive this policy. Did you use the run gitd then run the
> logs through audit2allow approach?

I started to write it on my Fedora 9 system. The skeleton was generated
by one of the policygen tools. After that I borrowed from other policies
and the include-files.

audit2allow -R was definitely helpful. To be honest, without it I would
not have started to write the policy at all. All the macros and
interfaces are *there* but you'll only find them, if you already know,
what you want to do ("So, I need *read* access to that *file*. Let's run
grep on the source code".) BTW: More inline documentation would really be
helpful. Most people, including me, are not that familiar with the
difference between "read directory" and "search directory" and this
uncertainty can be frustrating.


>
> Dave

Jens

2008-08-18 16:37:20

by Stephen Smalley

Subject: [refpolicy] SeLinux policy for git-daemon


On Mon, 2008-08-18 at 18:09 +0200, Jens Neuhalfen wrote:
> Hi Dave,
>
>
> >
> > I'm sure Chris and Dan will have better comments than I do but initially
> > there are a couple of things that I see. The first is you might want to
> > shorten git-daemon to gitd and replace git_daemon with gitd as well in
> > interface names. Also since you will probably want this merged into
>
> That sounds like a good idea.
>
> > reference policy you will want to make sure all of the comments are in
> > English. I see a couple of comments in German through the .te file. I am
>
> hm. Ignore them ;-) Documentation is definitely lacking. I hope to write
> something that is worth the name description around next weekend.
>
> > not a policy guru so I can't speak to the usage of interfaces and
> > patterns so I will leave that to Dan and Chris. One question though is
> > how did you derive this policy. Did you use the run gitd then run the
> > logs through audit2allow approach?
>
> I started to write it on my Fedora 9 system. The skeleton was generated
> by one of the policygen tools. After that I borrowed from other policies
> and the include-files.
>
> audit2allow -R was definitely helpful. To be honest, without it I would
> not have started to write the policy at all. All the macros and
> interfaces are *there* but you'll only find them, if you already know,
> what you want to do ("So, I need *read* access to that *file*. Let's run
> grep on the source code".) BTW: More inline documentation would really be
> helpful. Most people, including me, are not that familiar with the
> difference between "read directory" and "search directory" and this
> uncertainty can be frustrating.

Did you look at the git daemon policy that was posted to selinux list
earlier this month?
http://marc.info/?l=selinux&m=121796492817877&w=2

--
Stephen Smalley
National Security Agency

2008-08-18 18:05:48

by JensNeuhalfen

Subject: [refpolicy] SeLinux policy for git-daemon


Hi Stephen,

> Did you look at the git daemon policy that was posted to selinux list
> earlier this month?
> http://marc.info/?l=selinux&m=121796492817877&w=2

d'oh! When a quick google did not turn up any meaningful results, I
started to code 'my' policy. Bad timing.

I'll take a look at Dominick's policy as it looks quite sophisticated
at first glance.

Thanks for pointing me to the post,

Jens

>
>
> --
> Stephen Smalley
> National Security Agency

2008-08-19 12:31:13

by domg472

Subject: [refpolicy] SeLinux policy for git-daemon



On Mon, 2008-08-18 at 20:05 +0200, Jens Neuhalfen wrote:

> I'll take a look at Dominicks policy as it looks quite sophisticated
> at first glance.
>
> Thanks for pointing me to the post,
>
> Jens

Hi, my git-daemon policy is a version that should be integrated into
refpolicy. It works really well except that the
git_daemon_read_git_daemon_system_content(httpd) should be tunable and
optional.

My version also has policy for git-shell users. However you will need to
create a git-shell userdomain for it. Which is not hard to do: just call
git_daemon_git_user_template(mygituser) or similar. It also requires a
default context for your gitshelluser which you can copy
from /etc/selinux/targeted/contexts/users/guest_u

If you have any comments or suggestions about my policy please let me
know. You can also catch me on IRC, irc.freenode.org #selinux and
#fedora-selinux

--
Dominick Grift <[email protected]>