2011-08-23 16:35:05

by domg472

Subject: [refpolicy] [ PATCH 0/8] Git daemon policy


config/appconfig-mcs/git_shell_u_default_contexts | 2 +
config/appconfig-mls/git_shell_u_default_contexts | 2 +
.../git_shell_u_default_contexts | 2 +
policy/modules/kernel/domain.te | 2 +-
policy/modules/roles/git_shell.fc | 1 +
policy/modules/roles/git_shell.if | 50 +++
policy/modules/roles/git_shell.te | 15 +
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/git.fc | 12 +-
policy/modules/services/git.if | 365 ++++++++++++++++++++
policy/modules/services/git.te | 178 ++++++++++-
policy/modules/system/userdomain.if | 76 ++++
14 files changed, 713 insertions(+), 4 deletions(-)

Here it is. Split into pieces as small as I can get them. I hope you can work with this.


2011-08-23 16:35:06

by domg472

Subject: [refpolicy] [ PATCH 1/8] Git inetd service domain and a primary Git shared repository type

Create a Git inetd service domain and create a primary shared repository file type.

Quote from the Git daemon manual page: "git-daemon - A really simple server for git repositories".

This really is no joke. This policy allows Git inetd service domain to read and serve Git shared
repositories located in /var/lib/git. This implementation allows administrators to tune the policy to
allow Git inetd service domain to read and serve Git shared repositories on NFS and/or CIFS shares.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 54f0737... 164d2bf... M policy/modules/services/git.fc
:100644 100644 7382f85... 7766253... M policy/modules/services/git.te
policy/modules/services/git.fc | 6 +++-
policy/modules/services/git.te | 64 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..164d2bf 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,7 @@
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
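Review bot: relabelling /var/lib/git from httpd_git_content_t to git_sys_content_t silently takes read access away from the cgit/gitweb CGI domain, which apache_content_template(git) only allows to read its own httpd_git_content_t; that access is not restored until the git_content attribute arrives in 5/8. Say so in the commit message, or move the attribute into this patch so every commit in the series leaves the web frontends working.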
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..7766253 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -5,4 +5,68 @@ policy_module(git, 1.0)
# Declarations
#

+## <desc>
+## <p>
+## Determine whether Git daemon
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(gitd_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git daemon
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(gitd_use_nfs, false)
+
+type gitd_t;
+type gitd_exec_t;
+inetd_service_domain(gitd_t, gitd_exec_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gitd_t self:fifo_file rw_fifo_file_perms;
+allow gitd_t self:unix_dgram_socket create_socket_perms;
+
+list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(gitd_t)
+
+kernel_read_system_state(gitd_t)
+
+corecmd_exec_bin(gitd_t)
+
+files_read_usr_files(gitd_t)
+
+auth_use_nsswitch(gitd_t)
+
+logging_send_syslog_msg(gitd_t)
+
+miscfiles_read_localization(gitd_t)
+
+tunable_policy(`gitd_use_cifs',`
+ fs_read_cifs_files(gitd_t)
+',`
+ fs_dontaudit_read_cifs_files(gitd_t)
+')
+
+tunable_policy(`gitd_use_nfs',`
+ fs_read_nfs_files(gitd_t)
+',`
+ fs_dontaudit_read_nfs_files(gitd_t)
+')
+
+########################################
+#
+# Git apache CGI domain
+#
+
apache_content_template(git)
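Review bot: the gitd_use_cifs and gitd_use_nfs branches call fs_read_cifs_files(gitd_t) / fs_read_nfs_files(gitd_t), which grant read on every object of type cifs_t / nfs_t, i.e. everything on any CIFS or NFS mount, not only repositories. The desc text for both tunables should say so, since an administrator turning one on to serve a single exported repository also makes everything else on those mounts readable by the daemon.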
--
1.7.1

2011-08-23 16:35:07

by domg472

Subject: [refpolicy] [ PATCH 2/8] Git personal repositories

Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
We would not want Git inetd service domain to be able to read and serve generic or, heaven forbid, all
user home content, and therefore a new type for Git personal repositories is declared.

By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
It is kind of like Apache's userdirs functionality. Git inetd service domain does not have to be configured to
read and serve personal repositories, and so we make the policy for this functionality tunable.

We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
directories in any user home directory should be labeled with the personal repository file type.
That means that all login users should be allowed to relabel and manage the git_user_content_t personal
repository type. Did you know that users might also need to execute some of the Git personal
repository content? It is not obvious, but in some cases users need to be able to execute the Git
hook scripts in their personal repositories. For example they might have a script that runs after the user
commits/pushes, for example via ssh (git push ssh://joe@localhost/public_git/joes_personal_repository.git). So we
also allow all login users to execute Git shared repository files.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 164d2bf... 7314ecb... M policy/modules/services/git.fc
:100644 100644 458aac6... 4da6875... M policy/modules/services/git.if
:100644 100644 7766253... 6c8e672... M policy/modules/services/git.te
:100644 100644 c6d3cc8... 2dc8697... M policy/modules/system/userdomain.if
policy/modules/services/git.fc | 2 +
policy/modules/services/git.if | 119 +++++++++++++++++++++++++++++++++++
policy/modules/services/git.te | 31 +++++++++-
policy/modules/system/userdomain.if | 13 ++++
4 files changed, 163 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 164d2bf..7314ecb 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,5 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)

/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..4da6875 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,120 @@
## <summary>GIT revision control system</summary>
+
+########################################
+## <summary>
+## Execute Git daemon personal
+## repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_user_content_files',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+
+ exec_files_pattern($1, git_user_content_t, git_user_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## Git daemon personal repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_user_content',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+
+ manage_dirs_pattern($1, git_user_content_t, git_user_content_t)
+ manage_files_pattern($1, git_user_content_t, git_user_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ',`
+ fs_dontaudit_manage_cifs_dirs($1)
+ fs_dontaudit_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ',`
+ fs_dontaudit_manage_nfs_dirs($1)
+ fs_dontaudit_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read Git daemon personal repository
+## content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_user_content',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+
+ list_dirs_pattern($1, git_user_content_t, git_user_content_t)
+ read_files_pattern($1, git_user_content_t, git_user_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1)
+ ',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files($1)
+ ',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Relabel Git daemon personal
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_relabel_user_content',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+
+ relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
+ relabel_files_pattern($1, git_user_content_t, git_user_content_t)
+ userdom_search_user_home_dirs($1)
+')
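Review bot: in git_read_user_content, the else branch of the use_nfs_home_dirs block calls fs_dontaudit_read_cifs_files($1); it should be fs_dontaudit_read_nfs_files($1) (the samba block below it has the right pair). As written, NFS read denials are audited when the boolean is off and the CIFS dontaudit is emitted twice. git_exec_user_content_files also lacks the else branches its two siblings have; either add them or drop them consistently.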
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7766253..6c8e672 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -8,6 +8,14 @@ policy_module(git, 1.0)
## <desc>
## <p>
## Determine whether Git daemon
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(gitd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git daemon
## can access cifs file systems.
## </p>
## </desc>
@@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t)
type git_sys_content_t;
files_type(git_sys_content_t)

+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
########################################
#
# Local policy
@@ -36,8 +47,8 @@ files_type(git_sys_content_t)
allow gitd_t self:fifo_file rw_fifo_file_perms;
allow gitd_t self:unix_dgram_socket create_socket_perms;

-list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
-read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
files_search_var_lib(gitd_t)

kernel_read_system_state(gitd_t)
@@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t)

miscfiles_read_localization(gitd_t)

+tunable_policy(`gitd_enable_homedirs',`
+ userdom_search_user_home_dirs(gitd_t)
+')
+
+tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(gitd_t)
+',`
+ fs_dontaudit_read_nfs_files(gitd_t)
+')
+
+tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(gitd_t)
+',`
+ fs_dontaudit_read_cifs_files(gitd_t)
+')
+
tunable_policy(`gitd_use_cifs',`
fs_read_cifs_files(gitd_t)
',`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c6d3cc8..2dc8697 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
fs_dontaudit_list_cifs($2)
fs_dontaudit_read_cifs_files($2)
')
+
+ optional_policy(`
+ git_read_user_content($2)
+ ')
')

#######################################
@@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
fs_dontaudit_manage_cifs_dirs($2)
fs_dontaudit_manage_cifs_files($2)
')
+
+ optional_policy(`
+ git_manage_user_content($2)
+ git_relabel_user_content($2)
+ ')
')

#######################################
@@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
')

optional_policy(`
+ git_exec_user_content_files($1_t)
+ ')
+
+ optional_policy(`
kerberos_use($1_t)
')

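Review bot: the commit message and this hunk disagree: the hunk adds git_exec_user_content_files($1_t), i.e. execute on git_user_content_t (personal repositories), while the message says login users are allowed to execute Git shared repository files. The hook-script use case described in the message is the personal repository one, so the message is the side to fix.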
--
1.7.1
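As an added illustration of the file-context entries introduced in patches 1/8 and 2/8 (this is not code from the patch series or from refpolicy): a small Python resolver that expands the HOME_DIR entry for two constructed home directories, honours the -- object-class flag, and shows that only public_git and /var/lib/git content picks up the Git types while other home content gets nothing. The precedence rule it applies (longest literal stem wins, later entry breaks ties) is an assumption that tracks libselinux's ordering for these entries.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt: policy/modules/services/git.fc as it stands after
# patches 1/8 and 2/8 of this series (the HOME_DIR entry is kept literal,
# as it appears in the source; genhomedircon expands it at build time).
GIT_FC = """\
HOME_DIR/public_git(/.*)?           gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
/var/cache/cgit(/.*)?               gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)?                  gen_context(system_u:object_r:git_sys_content_t,s0)
/var/www/cgi-bin/cgit            -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
"""

# Object-class flags a .fc entry may carry; an entry without one matches any class.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket",
               "-p": "fifo", "-c": "chr", "-b": "blk"}
GEN_CONTEXT = re.compile(r"gen_context\(\w+:\w+:(\w+),")
META = set(".[]()*+?{}|^$")


class FcEntry(NamedTuple):
    regex: str             # path regex, anchored at both ends when matched
    ftype: Optional[str]   # None = any object class
    setype: str            # SELinux type pulled out of gen_context()
    order: int             # line position, breaks ties between equally specific entries


def parse_fc(text: str, home_dirs: List[str]) -> List[FcEntry]:
    """Parse .fc lines; HOME_DIR entries are cloned once per home directory,
    mirroring what genhomedircon does when the policy is built."""
    entries: List[FcEntry] = []
    for order, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            ftype = FTYPE_FLAGS[flag]
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file context line: {line!r}")
        m = GEN_CONTEXT.search(ctx)
        if m is None:
            raise ValueError(f"no gen_context() in line: {line!r}")
        if "HOME_DIR" in regex:
            for home in home_dirs:
                entries.append(FcEntry(regex.replace("HOME_DIR", re.escape(home)),
                                       ftype, m.group(1), order))
        else:
            entries.append(FcEntry(regex, ftype, m.group(1), order))
    return entries


def literal_prefix_len(regex: str) -> int:
    """Length of the literal stem before the first regex metacharacter;
    a backslash-escaped character counts as one literal character."""
    n = i = 0
    while i < len(regex):
        if regex[i] == "\\" and i + 1 < len(regex):
            n, i = n + 1, i + 2
            continue
        if regex[i] in META:
            break
        n, i = n + 1, i + 1
    return n


def match_type(entries: List[FcEntry], path: str, obj_class: str = "file") -> Optional[str]:
    """Return the type a path would be labelled with, or None when no entry
    matches. Precedence is modelled as: longest literal stem wins, and among
    equal stems the later entry wins (assumed to track libselinux's ordering)."""
    best = None
    for e in entries:
        if e.ftype is not None and e.ftype != obj_class:
            continue
        if re.fullmatch(e.regex, path) is None:
            continue
        key = (literal_prefix_len(e.regex), e.order)
        if best is None or key > best[0]:
            best = (key, e.setype)
    return None if best is None else best[1]


if __name__ == "__main__":
    fc = parse_fc(GIT_FC, ["/home/joe", "/home/dgrift"])
    for path, cls in [("/home/joe/public_git/proj.git/hooks/post-update", "file"),
                      ("/home/joe/notes.txt", "file"),
                      ("/usr/libexec/git-core/git-daemon", "file"),
                      ("/usr/libexec/git-core/git-daemon", "dir"),
                      ("/var/lib/git/proj.git/config", "file")]:
        print(f"{path:50} {cls:4} -> {match_type(fc, path, cls)}")
```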

2011-08-23 16:35:09

by domg472

Subject: [refpolicy] [ PATCH 4/8] Git session daemon

Wait! There's more. Besides running Git daemon as an inetd service domain, unprivileged users can also
run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
read and serve their Git personal repositories in ~/public_git. In large part it does the same
as Git daemon run by inetd, but there are some differences. Most notable is the network access
that the Git session daemon requires to listen on the Git port for service.

The Git system daemon does not need this because inetd takes care of the network for it.
Another difference is that Git session daemon can only read and serve users' Git personal
repositories, where Git system daemon can, if configured, read and serve both shared as well
as personal repositories. Since much of the policy is common to both session and
system, we declared a git_daemon attribute and assigned that to both the Git system and
session daemons. This allows us to write the policy that both daemons have in common once,
leaving the policy as compact as possible. So now we have two Git daemon domains, one
session domain started by unprivileged users and one system domain started by inetd.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2be17d2... 17fc624... M policy/modules/roles/staff.te
:100644 100644 0f96353... 7461e65... M policy/modules/roles/sysadm.te
:100644 100644 7e9da77... 52156cd... M policy/modules/roles/unprivuser.te
:100644 100644 aba9c7b... f1466e1... M policy/modules/services/git.if
:100644 100644 6c8e672... 34d6529... M policy/modules/services/git.te
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/git.if | 38 ++++++++++
policy/modules/services/git.te | 133 +++++++++++++++++++++++++----------
5 files changed, 145 insertions(+), 38 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..17fc624 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -89,6 +89,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ git_session_role_template(staff_r, staff_t)
+ ')
+
+ optional_policy(`
gnome_role(staff_r, staff_t)
')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..7461e65 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -438,6 +438,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ git_session_role_template(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
gnome_role(sysadm_r, sysadm_t)
')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..52156cd 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -62,6 +62,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ git_session_role_template(user_r, user_t)
+ ')
+
+ optional_policy(`
gnome_role(user_r, user_t)
')

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index aba9c7b..f1466e1 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -2,6 +2,44 @@

########################################
## <summary>
+## Role access for Git session daemon.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`git_session_role_template',`
+ gen_require(`
+ type git_session_t, gitd_exec_t;
+ ')
+
+ ########################################
+ #
+ # Git session daemon shared declarations
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Git session daemon shared policy
+ #
+
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+')
+
+########################################
+## <summary>
## Execute Git daemon generic shared
## repository content files.
## </summary>
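Review bot: allow $2 git_session_t:process { ptrace signal_perms } gives the calling user domain ptrace over the session daemon, and since staff_r, sysadm_r and user_r all call this template, every login user can start a git-daemon that listens on the network (corenet_tcp_bind_git_port in git.te) and then ptrace it. Consider gating the role template, or at least the ptrace permission, behind a tunable so that exposing personal repositories on the network from a user session is opt-in per system.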
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 6c8e672..34d6529 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -2,93 +2,150 @@ policy_module(git, 1.0)

########################################
#
-# Declarations
+# Git daemon global declarations
+#
+
+attribute git_daemon;
+
+type gitd_exec_t;
+
+########################################
+#
+# Git session daemon declarations
+#
+
+type git_session_t, git_daemon;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Git system daemon declarations
#

## <desc>
## <p>
-## Determine whether Git daemon
+## Determine whether Git system daemon
## can search home directories.
## </p>
## </desc>
-gen_tunable(gitd_enable_homedirs, false)
+gen_tunable(git_system_enable_homedirs, false)

## <desc>
## <p>
-## Determine whether Git daemon
+## Determine whether Git system daemon
## can access cifs file systems.
## </p>
## </desc>
-gen_tunable(gitd_use_cifs, false)
+gen_tunable(git_system_use_cifs, false)

## <desc>
## <p>
-## Determine whether Git daemon
+## Determine whether Git system daemon
## can access nfs file systems.
## </p>
## </desc>
-gen_tunable(gitd_use_nfs, false)
+gen_tunable(git_system_use_nfs, false)

-type gitd_t;
-type gitd_exec_t;
-inetd_service_domain(gitd_t, gitd_exec_t)
+type git_system_t, git_daemon;
+inetd_service_domain(git_system_t, gitd_exec_t)

type git_sys_content_t;
files_type(git_sys_content_t)

-type git_user_content_t;
-userdom_user_home_content(git_user_content_t)
+########################################
+#
+# Git daemon global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+logging_send_syslog_msg(git_daemon)
+
+miscfiles_read_localization(git_daemon)

########################################
#
-# Local policy
+# Git session daemon policy
#

-allow gitd_t self:fifo_file rw_fifo_file_perms;
-allow gitd_t self:unix_dgram_socket create_socket_perms;
+allow git_session_t self:tcp_socket { accept listen };

-list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
-read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
-files_search_var_lib(gitd_t)
+list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+userdom_search_user_home_dirs(git_session_t)

-kernel_read_system_state(gitd_t)
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)

-corecmd_exec_bin(gitd_t)
+userdom_use_user_terminals(git_session_t)

-files_read_usr_files(gitd_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(git_session_t)
+',`
+ fs_dontaudit_read_nfs_files(git_session_t)
+')

-auth_use_nsswitch(gitd_t)
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(git_session_t)
+',`
+ fs_dontaudit_read_cifs_files(git_session_t)
+')

-logging_send_syslog_msg(gitd_t)
+########################################
+#
+# Git system daemon policy
+#

-miscfiles_read_localization(gitd_t)
+list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+files_search_var_lib(git_system_t)

-tunable_policy(`gitd_enable_homedirs',`
- userdom_search_user_home_dirs(gitd_t)
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
')

-tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(gitd_t)
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(git_system_t)
',`
- fs_dontaudit_read_nfs_files(gitd_t)
+ fs_dontaudit_read_nfs_files(git_system_t)
')

-tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(gitd_t)
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(git_system_t)
',`
- fs_dontaudit_read_cifs_files(gitd_t)
+ fs_dontaudit_read_cifs_files(git_system_t)
')

-tunable_policy(`gitd_use_cifs',`
- fs_read_cifs_files(gitd_t)
+tunable_policy(`git_system_use_cifs',`
+ fs_read_cifs_files(git_system_t)
',`
- fs_dontaudit_read_cifs_files(gitd_t)
+ fs_dontaudit_read_cifs_files(git_system_t)
')

-tunable_policy(`gitd_use_nfs',`
- fs_read_nfs_files(gitd_t)
+tunable_policy(`git_system_use_nfs',`
+ fs_read_nfs_files(git_system_t)
',`
- fs_dontaudit_read_nfs_files(gitd_t)
+ fs_dontaudit_read_nfs_files(git_system_t)
')

########################################
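Review bot: allow git_session_t self:tcp_socket { accept listen }; is not enough for a daemon that opens its own listening socket: creating and binding it also needs create_stream_socket_perms on self:tcp_socket (the corenet_tcp_bind_* interfaces only cover the node and port objects), so the session daemon will be denied at socket()/bind() before it ever reaches listen(). Also, git_user_content_t is now declared under the session daemon heading although the system daemon section below reads it too; moving it next to git_sys_content_t or into the global declarations would match the git_daemon attribute layout.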
--
1.7.1

2011-08-23 16:35:08

by domg472

Subject: [refpolicy] [ PATCH 3/8] Git shell users

Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
together with OpenSSH to commit to shared repositories? Heck, you can even commit to shared repositories
using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
purpose of committing to shared repositories needs far fewer privileges than the least privilege
userdom_base_user_template provides.

Git shell users do not need ptys, execmem or many other privileges provided by the base_user_template.
Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
administrators can easily map their Unix logins to the Git shell SELinux user.

This Git shell user domain is allowed to manage and execute (primary) shared repositories.

Signed-off-by: Dominick Grift <[email protected]>
---
:000000 100644 0000000... 2d9c6bc... A config/appconfig-mcs/git_shell_u_default_contexts
:000000 100644 0000000... 875f0eb... A config/appconfig-mls/git_shell_u_default_contexts
:000000 100644 0000000... bfbd788... A config/appconfig-standard/git_shell_u_default_contexts
:000000 100644 0000000... 601a7b0... A policy/modules/roles/git_shell.fc
:000000 100644 0000000... c6d9896... A policy/modules/roles/git_shell.if
:000000 100644 0000000... 60cc456... A policy/modules/roles/git_shell.te
:100644 100644 4da6875... aba9c7b... M policy/modules/services/git.if
:100644 100644 2dc8697... 5c30b4b... M policy/modules/system/userdomain.if
config/appconfig-mcs/git_shell_u_default_contexts | 2 +
config/appconfig-mls/git_shell_u_default_contexts | 2 +
.../git_shell_u_default_contexts | 2 +
policy/modules/roles/git_shell.fc | 1 +
policy/modules/roles/git_shell.if | 50 +++++++++++++++
policy/modules/roles/git_shell.te | 15 +++++
policy/modules/services/git.if | 67 ++++++++++++++++++++
policy/modules/system/userdomain.if | 63 ++++++++++++++++++
8 files changed, 202 insertions(+), 0 deletions(-)

diff --git a/config/appconfig-mcs/git_shell_u_default_contexts b/config/appconfig-mcs/git_shell_u_default_contexts
new file mode 100644
index 0000000..2d9c6bc
--- /dev/null
+++ b/config/appconfig-mcs/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t:s0 git_shell_r:git_shell_t:s0
+system_r:sshd_t:s0 git_shell_r:git_shell_t:s0
diff --git a/config/appconfig-mls/git_shell_u_default_contexts b/config/appconfig-mls/git_shell_u_default_contexts
new file mode 100644
index 0000000..875f0eb
--- /dev/null
+++ b/config/appconfig-mls/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_r:git_t:s0 git_r:git_t:s0
+system_r:sshd_t:s0 git_r:git_t:s0
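Review bot: the MLS variant uses git_r:git_t where the MCS and standard files use git_shell_r:git_shell_t, and git_shell.if requires role git_shell_r; no git_r or git_t is declared anywhere in the series, so an MLS build would never resolve a login context for git_shell_u. Change both lines to git_shell_r:git_shell_t:s0.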
diff --git a/config/appconfig-standard/git_shell_u_default_contexts b/config/appconfig-standard/git_shell_u_default_contexts
new file mode 100644
index 0000000..bfbd788
--- /dev/null
+++ b/config/appconfig-standard/git_shell_u_default_contexts
@@ -0,0 +1,2 @@
+git_shell_r:git_shell_t git_shell_r:git_shell_t
+system_r:sshd_t git_shell_r:git_shell_t
diff --git a/policy/modules/roles/git_shell.fc b/policy/modules/roles/git_shell.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/git_shell.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/git_shell.if b/policy/modules/roles/git_shell.if
new file mode 100644
index 0000000..c6d9896
--- /dev/null
+++ b/policy/modules/roles/git_shell.if
@@ -0,0 +1,50 @@
+## <summary>Git shell user role.</summary>
+
+########################################
+## <summary>
+## Change to the git shell role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_shell_role_change',`
+ gen_require(`
+ role git_shell_r;
+ ')
+
+ allow $1 git_shell_r;
+')
+
+########################################
+## <summary>
+## Change from the git shell role.
+## </summary>
+## <desc>
+## <p>
+## Change from the git shell role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_shell_role_change_to',`
+ gen_require(`
+ role git_shell_r;
+ ')
+
+ allow git_shell_r $1;
+')
diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te
new file mode 100644
index 0000000..60cc456
--- /dev/null
+++ b/policy/modules/roles/git_shell.te
@@ -0,0 +1,15 @@
+policy_module(git_shell, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+userdom_git_user_template(git_user)
+
+########################################
+#
+# Local policy
+#
+
+#gen_user(git_shell_u,, git_shell_r, s0, s0)
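Review bot: userdom_git_user_template(git_user) declares git_user_r and git_user_t, but the default_contexts files and the gen_require in git_shell.if refer to git_shell_r / git_shell_t, so the module will not link; call the template as userdom_git_user_template(git_shell). The gen_user(git_shell_u,, git_shell_r, s0, s0) line is commented out, so no SELinux user exists for the three appconfig files to apply to; either enable it or state in the message that the administrator is expected to create the user.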
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 4da6875..aba9c7b 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -2,6 +2,73 @@

########################################
## <summary>
+## Execute Git daemon generic shared
+## repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_generic_sys_content_files',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## Git daemon generic shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_generic_sys_content',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ',`
+ fs_dontaudit_manage_cifs_dirs($1)
+ fs_dontaudit_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ',`
+ fs_dontaudit_manage_nfs_dirs($1)
+ fs_dontaudit_manage_nfs_files($1)
+ ')
+')
+
+
+########################################
+## <summary>
## Execute Git daemon personal
## repository content files.
## </summary>
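Review bot: git_exec_generic_sys_content_files and git_manage_generic_sys_content test git_system_use_cifs / git_system_use_nfs, but at this point in the series git.te still declares gitd_use_cifs / gitd_use_nfs (the rename only lands in 4/8), so this commit does not build on its own and breaks bisecting. Either reorder 3/8 after 4/8 or use the names that exist here. The double blank line before the next interface header is only cleaned up in 5/8; fold that into this patch.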
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2dc8697..5c30b4b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2,6 +2,69 @@

#######################################
## <summary>
+## Template for creating Git users.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## Prefix of the user domain.
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_git_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ class context contains;
+ role system_r;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, unpriv_userdomain, userdomain;
+ domain_type($1_t)
+ ubac_constrained($1_t)
+ role $1_r;
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_t self:context contains;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ kernel_read_system_state($1_t)
+
+ corecmd_exec_bin($1_t)
+ corecmd_bin_entry_type($1_t)
+ corecmd_shell_entry_type($1_t)
+
+ domain_interactive_fd($1_t)
+ domain_user_exemption_target($1_t)
+
+ files_dontaudit_list_non_security($1_t)
+ files_dontaudit_getattr_non_security_files($1_t)
+ files_dontaudit_getattr_non_security_symlinks($1_t)
+ files_dontaudit_getattr_non_security_pipes($1_t)
+ files_dontaudit_getattr_non_security_sockets($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ git_exec_generic_sys_content_files($1_t)
+ git_manage_generic_sys_content($1_t)
+
+ ssh_rw_stream_sockets($1_t)
+')
+
+#######################################
+## <summary>
## The template containing the most basic rules common to all users.
## </summary>
## <desc>
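Review bot: every git shell user shares the single domain $1_t, and git_manage_generic_sys_content($1_t) gives it create, write and delete on all git_sys_content_t objects under /var/lib/git, so separation between repositories (and between git shell users) is purely DAC; the template's summary should state that so administrators do not expect the type to isolate repositories. Also, the template takes a userdomain_prefix, yet the role interfaces in git_shell.if hard-code git_shell_r, so the prefix is not actually free; either document that git_shell is the only valid argument or derive the role name in git_shell.if from the same prefix.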
--
1.7.1
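An added example, not part of the series, that checks the three git_shell_u_default_contexts files from this patch against what git_shell.te actually declares: it parses the default_contexts format (caller's role:type first, then candidate contexts in order of preference) and resolves the context an sshd login for git_shell_u would get. PolicyModel is a deliberately minimal stand-in for the compiled policy, and authorising git_shell_u for the template's role is an assumption standing in for the commented-out gen_user() line.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the three git_shell_u_default_contexts files added by patch 3/8,
# with the same content as the hunks (mcs, mls and standard variants).
DEFAULT_CONTEXTS: Dict[str, str] = {
    "appconfig-mcs": "git_shell_r:git_shell_t:s0 git_shell_r:git_shell_t:s0\n"
                     "system_r:sshd_t:s0 git_shell_r:git_shell_t:s0\n",
    "appconfig-mls": "git_r:git_t:s0 git_r:git_t:s0\n"
                     "system_r:sshd_t:s0 git_r:git_t:s0\n",
    "appconfig-standard": "git_shell_r:git_shell_t git_shell_r:git_shell_t\n"
                          "system_r:sshd_t git_shell_r:git_shell_t\n",
}

RoleType = Tuple[str, str]


def role_type(partial: str) -> RoleType:
    """Drop the optional MLS range so the three variants compare alike."""
    role, setype = partial.split(":")[:2]
    return role, setype


def parse_default_contexts(text: str) -> Dict[RoleType, List[RoleType]]:
    """Map the caller's partial context (first field) to its ordered list of
    candidate default contexts (remaining fields)."""
    table: Dict[RoleType, List[RoleType]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[role_type(fields[0])] = [role_type(f) for f in fields[1:]]
    return table


class PolicyModel:
    """Minimal stand-in for the compiled policy: which roles a SELinux user is
    authorised for, and which types each role may run (role R types T)."""

    def __init__(self, user_roles: Dict[str, Set[str]], role_types: Dict[str, Set[str]]):
        self.user_roles = user_roles
        self.role_types = role_types

    def valid(self, seuser: str, role: str, setype: str) -> bool:
        return (role in self.user_roles.get(seuser, set())
                and setype in self.role_types.get(role, set()))


def pick_login_context(table: Dict[RoleType, List[RoleType]], model: PolicyModel,
                       seuser: str, caller: RoleType = ("system_r", "sshd_t")) -> Optional[RoleType]:
    """First candidate the policy accepts for this user, or None when the login
    would get no context; the caller defaults to sshd, which is how git-shell
    logins arrive."""
    for cand in table.get(caller, []):
        if model.valid(seuser, *cand):
            return cand
    return None


def model_for_template_prefix(prefix: str, seuser: str) -> PolicyModel:
    """userdom_git_user_template(prefix) declares prefix_r and prefix_t with
    `role prefix_r types prefix_t`. Authorising seuser for that role is what the
    commented-out gen_user() line in git_shell.te would do; assumed here."""
    return PolicyModel({seuser: {f"{prefix}_r"}}, {f"{prefix}_r": {f"{prefix}_t"}})


def check_all_variants(prefix: str, seuser: str = "git_shell_u") -> Dict[str, Optional[str]]:
    """Resolve the sshd login context for seuser under every appconfig variant."""
    model = model_for_template_prefix(prefix, seuser)
    out: Dict[str, Optional[str]] = {}
    for name, text in DEFAULT_CONTEXTS.items():
        ctx = pick_login_context(parse_default_contexts(text), model, seuser)
        out[name] = None if ctx is None else ":".join(ctx)
    return out


if __name__ == "__main__":
    # As posted: the template is instantiated with prefix git_user.
    print("prefix git_user :", check_all_variants("git_user"))
    # With the prefix the config files and git_shell.if actually expect.
    print("prefix git_shell:", check_all_variants("git_shell"))
```

With the prefix as posted (git_user) no variant resolves a login context; with git_shell the MCS and standard variants resolve while the MLS file still fails because of its git_r:git_t entries.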

2011-08-23 16:35:10

by domg472

Subject: [refpolicy] [ PATCH 5/8] Gitweb, cgit and the git_content attribute

Cgit and gitweb are both CGI web applications that run in the httpd_git_script_t apache CGI domain.
The policy in this commit was taken from Fedora. It is well tested, I believe.
These web applications display Git repositories, and they should be able to read any Git
repository whether shared or personal. We implemented another attribute for it called git_content.
This attribute will be assigned to any and all Git repository content types, either existing or
to be created. Hopefully the next commit will explain why this attribute makes sense.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 7314ecb... c005782... M policy/modules/services/git.fc
:100644 100644 f1466e1... 4bc674a... M policy/modules/services/git.if
:100644 100644 34d6529... acf2f81... M policy/modules/services/git.te
policy/modules/services/git.fc | 4 ++-
policy/modules/services/git.if | 47 +++++++++++++++++++++++++++++++++++++++-
policy/modules/services/git.te | 11 +++++++-
3 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 7314ecb..c005782 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)

/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)

-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)

/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)

/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
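Review bot: the first change in this hunk (the `/var/cache/cgit(/.*)?` line) shows no visible difference, so it is a whitespace-only edit that the commit message does not mention; either drop it or call it out as a spacing cleanup. Also, `/var/www/git/gitweb.cgi` is a single script, so giving it the `--` regular-file qualifier, as the `/var/www/cgi-bin/cgit --` line above it already does, keeps the two CGI entry points consistent and avoids labelling a directory of that name as script-executable content.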
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index f1466e1..4bc674a 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -40,6 +40,52 @@ template(`git_session_role_template',`

########################################
## <summary>
+## Read all Git daemon repository
+## content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1)
+ ',`
+ fs_dontaudit_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files($1)
+ ',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_read_cifs_files($1)
+ ',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_read_nfs_files($1)
+ ',`
+ fs_dontaudit_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
## Execute Git daemon generic shared
## repository content files.
## </summary>
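Review bot: the NFS and CIFS branches of git_read_all_content grant only fs_read_nfs_files / fs_read_cifs_files, while the native path also grants list_dirs_pattern; a domain serving a repository that lives on NFS or CIFS also needs to list directories there (fs_list_nfs / fs_list_cifs in the filesystem module), otherwise it can read objects it already knows the path of but cannot walk the repository. Separately, the use_nfs_home_dirs and git_system_use_nfs blocks (and the two CIFS ones) emit identical allow and dontaudit rules; one tunable_policy on `use_nfs_home_dirs || git_system_use_nfs` (and likewise for CIFS) would express the same thing once.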
@@ -104,7 +150,6 @@ interface(`git_manage_generic_sys_content',`
')
')

-
########################################
## <summary>
## Execute Git daemon personal
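Review bot: this hunk only removes a stray blank line after git_manage_generic_sys_content, which is unrelated to the gitweb/cgit change; fine to keep, but it belongs in the commit message or in a separate cleanup patch.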
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 34d6529..acf2f81 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -5,6 +5,7 @@ policy_module(git, 1.0)
# Git daemon global declarations
#

+attribute git_content;
attribute git_daemon;

type gitd_exec_t;
@@ -18,7 +19,7 @@ type git_session_t, git_daemon;
application_domain(git_session_t, gitd_exec_t)
ubac_constrained(git_session_t)

-type git_user_content_t;
+type git_user_content_t, git_content;
userdom_user_home_content(git_user_content_t)

########################################
@@ -53,7 +54,7 @@ gen_tunable(git_system_use_nfs, false)
type git_system_t, git_daemon;
inetd_service_domain(git_system_t, gitd_exec_t)

-type git_sys_content_t;
+type git_sys_content_t, git_content;
files_type(git_sys_content_t)

########################################
@@ -154,3 +155,9 @@ tunable_policy(`git_system_use_nfs',`
#

apache_content_template(git)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+git_read_all_content(httpd_git_script_t)
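Review bot: git_read_all_content(httpd_git_script_t) lets the web CGI domain search every user's home directory and read git_user_content_t there (plus NFS and CIFS home directories when those tunables are on) unconditionally, which is more than gitweb or cgit needs on a host that only publishes /var/lib/git. Consider gating the personal-repository part behind a tunable, the way git_system_enable_homedirs does for the inetd daemon later in this file, so the default leaves the web domain limited to the shared repository types.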
--
1.7.1

2011-08-23 16:35:11

by domg472

[permalink] [raw]
Subject: [refpolicy] [ PATCH 6/8] Git shared repository separation and custom shared repository types

In my previous commit I promised I would try to explain the use of the git_content attribute.
It is an attribute to assign to existing and to-be-created shared and private repository types.

In this commit we are using this attribute to allow Git system daemon to read and serve any
repository content. We do this because the userdom_git_user_template allows us to provide
administrators with advanced type enforcement possibility to restrict access to
various types of shared repository. In this commit we created the
git_shared_content_template.

This template allows for easy creation of new shared repository types.
We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces.
This allows us to make a connection between Git user domain and Git shared repository content
types. These interfaces and templates allow administrators to create new Git user domains
and allow the various Git user domains access to specified Git shared repositories.

This allows administrators to employ Type enforcement for shared repository and Git user separation.
We also created an attribute called git_system_content that is assigned to all types derived from the
prefix that the git_shared_content_template expects. This might be handy if someone later wants a
given Git user domain to have access to any shared repository type and not just the primary
git_sys_content_t repository type.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 4bc674a... 5979237... M policy/modules/services/git.if
:100644 100644 acf2f81... 47900be... M policy/modules/services/git.te
policy/modules/services/git.if | 96 ++++++++++++++++++++++++++++++++++++++++
policy/modules/services/git.te | 9 ++--
2 files changed, 101 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 4bc674a..5979237 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -40,6 +40,102 @@ template(`git_session_role_template',`

########################################
## <summary>
+## Create a set of derived types for
+## Git daemon shared repository content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`git_shared_content_template',`
+ gen_require(`
+ attribute git_system_content, git_content;
+ ')
+
+ type git_$1_content_t, git_system_content, git_content;
+ files_type(git_$1_content_t)
+')
+
+#######################################
+## <summary>
+## Execute specified Git daemon
+## shared repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Type to allow access to.
+## </summary>
+## </param>
+#
+interface(`git_exec_spec_shared_content_files',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ exec_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## specified Git daemon shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Type to allow access to.
+## </summary>
+## </param>
+#
+interface(`git_manage_spec_shared_content',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ',`
+ fs_dontaudit_manage_cifs_dirs($1)
+ fs_dontaudit_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ',`
+ fs_dontaudit_manage_nfs_dirs($1)
+ fs_dontaudit_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
## Read all Git daemon repository
## content.
## </summary>
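Review bot: git_exec_spec_shared_content_files and git_manage_spec_shared_content are not symmetric: the manage interface has dontaudit else-branches for the git_system_use_cifs and git_system_use_nfs tunables, the exec interface has none, so a domain working on a CIFS- or NFS-backed repository with the tunable off will log execute denials where the manage path stays quiet. Either add matching dontaudit else-branches (if the filesystem module provides them) or drop them from manage for consistency. The exec interface's summary should also state which repository files a domain is expected to execute, because anyone who can write a repository of that type can place executables in it and every domain given this interface will run them. Minor: the two new section separators are 39 `#` wide while the rest of the file uses 40.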
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index acf2f81..47900be 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -51,11 +51,12 @@ gen_tunable(git_system_use_cifs, false)
## </desc>
gen_tunable(git_system_use_nfs, false)

+attribute git_system_content;
+
type git_system_t, git_daemon;
inetd_service_domain(git_system_t, gitd_exec_t)

-type git_sys_content_t, git_content;
-files_type(git_sys_content_t)
+git_shared_content_template(sys)

########################################
#
@@ -117,8 +118,8 @@ tunable_policy(`use_samba_home_dirs',`
# Git system daemon policy
#

-list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
-read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)

tunable_policy(`git_system_enable_homedirs',`
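Review bot: switching these two rules from the explicit { git_user_content_t git_sys_content_t } set to the git_content attribute does not change what git_system_t can read today, but it does mean every type later created with git_shared_content_template (and anything else given git_content) becomes readable and servable by the network-facing inetd daemon automatically. That should be stated in the template's and the attribute's documentation, so an administrator creating a restricted repository type knows the restriction applies to Git user domains, not to the daemon that serves the repository to the network.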
--
1.7.1

2011-08-23 16:35:12

by domg472

[permalink] [raw]
Subject: [refpolicy] [ PATCH 7/8] Git session daemons binding TCP sockets to unreserved ports

Assume you own this big shell hosting company and you want to allow your customers to be able to
serve their Git personal repositories at their discretion. You might end up with hundreds
of instances of Git session daemons. They cannot all bind TCP sockets to a single Git port.

This functionality allows the administrator to tune the policy to allow Git session daemons to
bind TCP sockets to any unreserved port.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 47900be... c086a69... M policy/modules/services/git.te
policy/modules/services/git.te | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 47900be..c086a69 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -15,6 +15,14 @@ type gitd_exec_t;
# Git session daemon declarations
#

+## <desc>
+## <p>
+## Determine whether Git session daemons
+## can bind tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_tcp_bind_all_unreserved_ports, false)
+
type git_session_t, git_daemon;
application_domain(git_session_t, gitd_exec_t)
ubac_constrained(git_session_t)
@@ -101,6 +109,12 @@ corenet_sendrecv_git_server_packets(git_session_t)

userdom_use_user_terminals(git_session_t)

+tunable_policy(`git_session_tcp_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(git_session_t)
',`
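Review bot: the bind is limited to unreserved ports, but corenet_tcp_sendrecv_all_ports covers every port type, including reserved and service-labelled ones; if the corenetwork module offers an unreserved-only sendrecv interface it would be the tighter match. The tunable's <desc> in the earlier hunk should also spell out that "all unreserved ports" means ports that carry no service-specific type, so administrators know the boolean does not let a session daemon take over a port labelled for another service.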
--
1.7.1

2011-08-23 16:35:13

by domg472

[permalink] [raw]
Subject: [refpolicy] [ PATCH 8/8] I am not sure about this but it might prove useful for NIS?

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 c086a69... 35a5b33... M policy/modules/services/git.te
policy/modules/services/git.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index c086a69..35a5b33 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -80,12 +80,18 @@ corecmd_exec_bin(git_daemon)

files_read_usr_files(git_daemon)

+fs_search_auto_mountpoints(git_daemon)
+
auth_use_nsswitch(git_daemon)

logging_send_syslog_msg(git_daemon)

miscfiles_read_localization(git_daemon)

+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(git_daemon)
+')
+
########################################
#
# Git session daemon policy
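Review bot: the change itself is about autofs (searching automount points and silencing getattr on automount tmp directories), not NIS, and the subject line is a question rather than a description of the change; rewrite it as something like "Git daemons: search automounted directories" and explain in the body which setup needs it (repositories or home directories on automounted filesystems). Guarding automount_dontaudit_getattr_tmp_dirs with optional_policy is right, since the automount module is optional.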
--
1.7.1