2011-08-22 12:53:54

by domg472

[permalink] [raw]
Subject: [refpolicy] [ RETRY Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8

Initial Git daemon domain (Revisited Fedoras' Git module). Modified git_selinux.8 to reflect changes.

Unpriv user domain and admindomain run Git daemon in the Git session domain by default. Git session domain is allowed to bind tcp sockets to Git ports.

Changes compared to initial attempt:

Change git_domain attribute to git_daemon attribute.
Removed role git_shell_r; from git.te global declarations, as it is declared in git_user_template.
Move git_system_content attribute from global declarations to git system daemon declarations.
Remove relabel interfaces as those are currently unused.
Split "rwx" interfaces into "manage" and "exec" interfaces as that is likely more usefull and "rwx" just looks unnatural.
Change git_sys_content_type_type(prefix) to git_shared_repository_file_type(type)
Change git_system_user_template to git_user_template.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 e9c43b1... bb426d3... M man/man8/git_selinux.8
:100644 100644 2be17d2... addc3ad... M policy/modules/roles/staff.te
:100644 100644 0f96353... 58eb890... M policy/modules/roles/sysadm.te
:100644 100644 7e9da77... 46d24e3... M policy/modules/roles/unprivuser.te
:100644 100644 54f0737... e7a135c... M policy/modules/services/git.fc
:100644 100644 458aac6... 1f3b9fd... M policy/modules/services/git.if
:100644 100644 7382f85... 55e6374... M policy/modules/services/git.te
man/man8/git_selinux.8 | 50 ++--
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/git.fc | 16 +-
policy/modules/services/git.if | 561 +++++++++++++++++++++++++++++++++++-
policy/modules/services/git.te | 185 ++++++++++++-
7 files changed, 795 insertions(+), 29 deletions(-)

diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
index e9c43b1..bb426d3 100644
--- a/man/man8/git_selinux.8
+++ b/man/man8/git_selinux.8
@@ -19,83 +19,85 @@ SELinux Git policy is very flexible allowing users to setup their web services i
.PP
The following file contexts types are by default defined for Git:
.EX
-git_system_content_t
+git_sys_content_t
.EE
-- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+- Set files with git_sys_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all Git system users.
.EX
git_session_content_t
.EE
-- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all Git session users. Note that Git system users may not interact with this type.
.SH BOOLEANS
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
.PP
-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+Determine whether Git system daemon can search user home directories so that it can find Git session repository content. This is useful if you want the Git system daemon to host personal Git repository content.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
.PP
-Allow the Git system daemon to read system shared repositories on NFS shares.
+Determine whether Git system daemon can read any Git shared repository content on NFS shares.
.EX
sudo setsebool -P git_system_use_nfs 1
.EE
.PP
-Allow the Git system daemon to read system shared repositories on Samba shares.
+Determine whether Git system daemon can read any shared repository content on Samba shares.
.EX
sudo setsebool -P git_system_use_cifs 1
.EE
.PP
-Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+Determine whether Git session daemons can read personal repository content on NFS mounted home directories.
.EX
sudo setsebool -P use_nfs_home_dirs 1
.EE
.PP
-Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+Determine whether Git session daemons can read personal repository content on Samba mounted home directories.
.EX
sudo setsebool -P use_samba_home_dirs 1
.EE
.PP
-To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+To allow Git system daemon to read personal repository content on NFS and Samba mounted home directories you must also allow Git system daemon to search home directories so that it can find the personal repository content.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
.PP
-To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+Determine whether Git session daemons can listen on any unreserved TCP ports. This is useful for mass hosting of personal repository content.
.EX
sudo setsebool -P git_session_bind_all_unreserved_ports 1
.EE
.SH GIT_SHELL
-The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+The Git policy by default provides a restricted user environment to be used with "Git shell". The default git_shell_u SELinux user can manage and execute generic Git shared repository content (shared repository content with type git_sys_content_t).
.PP
-To add a new Linux user and map him to this Git shell user domain automatically:
+Add a new Unix user and map this user to the default Git system SELinux user automatically:
.EX
sudo useradd -Z git_shell_u joe
.EE
-.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
-Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+.SH ADVANCED_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+Alternatively Git SELinux policy can be used to restrict Git user types access to Git shared repository content types. The policy allows for the creation of new types of Git shared repository content and Git users. The policy allows one to specify Git user types access to Git shared repository content types. Note that any Git user is allowed to manage and execute generic Git shared repository content.
.PP
-To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+Add a new Git shared repository content type, for example "project1". Create a file named project1.te and add to it:
.EX
policy_module(project1, 1.0.0)
-git_content_template(project1)
+type git_project1_content_t;
+git_shared_repository_files_type(git_project1_content_t)
.EE
-Next create a file named project1.fc and add a file context specification for the new repository type to it:
+Create a file named project1.fc, and add a file context specification for the new shared repository content type to it:
.EX
-/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+/var/lib/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
.EE
-Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+Build a binary representation of this source policy module, load it into the policy store and restore the context of the shared repository content:
.EX
make -f /usr/share/selinux/devel/Makefile project.pp
sudo semodule -i project1.pp
-sudo restorecon -R -v /srv/git/project1
+sudo restorecon -R -v /var/lib/git/project1.git
.EE
-To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+Create a Git user domain that can interact with this shared repository content. Create a file named project1user.te in the same directory as where the source policy for the Git shared repository file type is and add the following:
.EX
policy_module(project1user, 1.0.0)
-git_role_template(project1user)
-git_content_delegation(project1user_t, git_project1_content_t)
+git_user_template(project1user)
+git_exec_spec_sys_content(project1user_t, git_project1_content_t)
+git_manage_spec_sys_content(project1user_t, git_project1_content_t)
gen_user(project1user_u, user, project1user_r, s0, s0)
.EE
-Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+Build a binary representation of this source policy module, load it into the policy store and map Unix users to the project1user_u SELinux user that was created:
.EX
make -f /usr/share/selinux/devel/Makefile project1user.pp
sudo semodule -i project1user.pp
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..addc3ad 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -27,6 +27,10 @@ optional_policy(`
')

optional_policy(`
+ git_session_role_template(staff_r, staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..58eb890 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -148,6 +148,10 @@ optional_policy(`
')

optional_policy(`
+ git_session_role_template(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..46d24e3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -17,6 +17,10 @@ optional_policy(`
')

optional_policy(`
+ git_session_role_template(user_r, user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..e7a135c 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,15 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
+
+/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..1f3b9fd 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,560 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
+
+########################################
+## <summary>
+## Role access for Git session daemon.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`git_session_role_template',`
+ gen_require(`
+ type git_session_t, gitd_exec_t, git_session_content_t;
+ ')
+
+ ########################################
+ #
+ # Git session daemon shared declarations.
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Git session daemon shared policy.
+ #
+
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
+')
+
+########################################
+## <summary>
+## Make the specified type a usable
+## Git shared repository content
+## file type.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be made usable.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`git_shared_repository_files_type',`
+ gen_require(`
+ attribute git_system_content, git_content;
+ ')
+
+ typeattribute $1 git_system_content;
+ typeattribute $1 git_content;
+ files_type($1)
+')
+
+#######################################
+## <summary>
+## Template for creating Git users
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## Prefix of the user domain.
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`git_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ class context contains;
+ role system_r;
+ ')
+
+ ########################################
+ #
+ # Git daemon role shared declarations.
+ #
+
+ type $1_t, unpriv_userdomain, userdomain;
+ domain_type($1_t)
+ ubac_constrained($1_t)
+ role $1_r;
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ ########################################
+ #
+ # Git daemon role shared policy.
+ #
+
+ allow $1_t self:context contains;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ kernel_read_system_state($1_t)
+
+ corecmd_exec_bin($1_t)
+ corecmd_bin_entry_type($1_t)
+ corecmd_shell_entry_type($1_t)
+
+ domain_interactive_fd($1_t)
+ domain_user_exemption_target($1_t)
+
+ files_dontaudit_search_home($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ git_exec_generic_sys_content($1_t)
+ git_manage_generic_sys_content($1_t)
+
+ ssh_rw_stream_sockets($1_t)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1_t)
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1_t)
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Execute specified Git daemon
+## shared repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="git_shared_repository_files_type">
+## <summary>
+## Git shared repository file type to be allowed.
+## </summary>
+## </param>
+#
+interface(`git_exec_spec_sys_content',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ exec_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## specified Git daemon shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="git_shared_repository_files_type">
+## <summary>
+## Git shared repository file type to be allowed.
+## </summary>
+## </param>
+#
+interface(`git_manage_spec_sys_content',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute all Git daemon
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ exec_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## all Git daemon repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ manage_dirs_pattern($1, git_content, git_content)
+ manage_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute all Git daemon
+## shared repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_all_sys_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ exec_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## all Git daemon shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_all_sys_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute Git daemon generic shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_generic_sys_content',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## Git daemon generic shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_generic_sys_content',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read all Git daemon repository
+## content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_content_files',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read Git daemon personal repository
+## content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read
+## generic personal repository
+## content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`git_dontaudit_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ dontaudit $1 git_session_content_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read all Git daemon shared
+## repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_sys_content_files',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ list_dirs_pattern($1, git_system_content, git_system_content)
+ read_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read Git daemon generic shared
+## repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_generic_sys_content_files',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..55e6374 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,8 +1,189 @@
policy_module(git, 1.0)

+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+########################################
+#
+# Git daemon global private declarations.
+#
+
+attribute git_daemon;
+attribute git_content;
+
+type gitd_exec_t;
+application_executable_file(gitd_exec_t)
+
+########################################
+#
+# Git system daemon private declarations.
+#
+
+attribute git_system_content;
+
+type git_system_t, git_daemon;
+inetd_service_domain(git_system_t, gitd_exec_t)
+role system_r types git_system_t;
+
+type git_sys_content_t;
+git_shared_repository_files_type(git_sys_content_t)
+
+########################################
+#
+# Git session daemon private declarations.
+#
+
+## <desc>
+## <p>
+## Determine whether Git session daemons
+## can bind tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type git_session_t, git_daemon;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(git_daemon)
+
+corenet_all_recvfrom_netlabel(git_daemon)
+corenet_all_recvfrom_unlabeled(git_daemon)
+corenet_tcp_bind_generic_node(git_daemon)
+corenet_tcp_sendrecv_generic_if(git_daemon)
+corenet_tcp_sendrecv_generic_node(git_daemon)
+corenet_tcp_sendrecv_generic_port(git_daemon)
+corenet_tcp_bind_git_port(git_daemon)
+corenet_tcp_sendrecv_git_port(git_daemon)
+corenet_sendrecv_git_server_packets(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+logging_send_syslog_msg(git_daemon)
+
+miscfiles_read_localization(git_daemon)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(git_daemon)
+')
+
+########################################
+#
+# Git system daemon private policy.
+#
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git session daemon private policy.
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git CGI domain private policy.
+#
+
+optional_policy(`
+ apache_content_template(git)
+ git_read_all_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+ auth_use_nsswitch(httpd_git_script_t)
+')
+
########################################
#
-# Declarations
+# Git system user private policy.
#

-apache_content_template(git)
+git_user_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
--
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110822/47926815/attachment-0001.bin


2011-08-22 17:27:08

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [ RETRY Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8

On 08/22/11 08:53, Dominick Grift wrote:
> Initial Git daemon domain (Revisited Fedoras' Git module). Modified git_selinux.8 to reflect changes.
>
> Unpriv user domain and admindomain run Git daemon in the Git session domain by default. Git session domain is allowed to bind tcp sockets to Git ports.
>
> Changes compared to initial attempt:
>
> Change git_domain attribute to git_daemon attribute.
> Removed role git_shell_r; from git.te global declarations, as it is declared in git_user_template.
> Move git_system_content attribute from global declarations to git system daemon declarations.
> Remove relabel interfaces as those are currently unused.
> Split "rwx" interfaces into "manage" and "exec" interfaces as that is likely more usefull and "rwx" just looks unnatural.
> Change git_sys_content_type_type(prefix) to git_shared_repository_file_type(type)
> Change git_system_user_template to git_user_template.

This is a very large patch, it'll take a while to review. It seems like
it should be possible to split it up into more easily reviewed patches.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 e9c43b1... bb426d3... M man/man8/git_selinux.8
> :100644 100644 2be17d2... addc3ad... M policy/modules/roles/staff.te
> :100644 100644 0f96353... 58eb890... M policy/modules/roles/sysadm.te
> :100644 100644 7e9da77... 46d24e3... M policy/modules/roles/unprivuser.te
> :100644 100644 54f0737... e7a135c... M policy/modules/services/git.fc
> :100644 100644 458aac6... 1f3b9fd... M policy/modules/services/git.if
> :100644 100644 7382f85... 55e6374... M policy/modules/services/git.te
> man/man8/git_selinux.8 | 50 ++--
> policy/modules/roles/staff.te | 4 +
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/roles/unprivuser.te | 4 +
> policy/modules/services/git.fc | 16 +-
> policy/modules/services/git.if | 561 +++++++++++++++++++++++++++++++++++-
> policy/modules/services/git.te | 185 ++++++++++++-
> 7 files changed, 795 insertions(+), 29 deletions(-)
>
> diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
> index e9c43b1..bb426d3 100644
> --- a/man/man8/git_selinux.8
> +++ b/man/man8/git_selinux.8
> @@ -19,83 +19,85 @@ SELinux Git policy is very flexible allowing users to setup their web services i
> .PP
> The following file contexts types are by default defined for Git:
> .EX
> -git_system_content_t
> +git_sys_content_t
> .EE
> -- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
> +- Set files with git_sys_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all Git system users.
> .EX
> git_session_content_t
> .EE
> -- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
> +- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all Git session users. Note that Git system users may not interact with this type.
> .SH BOOLEANS
> SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
> .PP
> -Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
> +Determine whether Git system daemon can search user home directories so that it can find Git session repository content. This is useful if you want the Git system daemon to host personal Git repository content.
> .EX
> sudo setsebool -P git_system_enable_homedirs 1
> .EE
> .PP
> -Allow the Git system daemon to read system shared repositories on NFS shares.
> +Determine whether Git system daemon can read any Git shared repository content on NFS shares.
> .EX
> sudo setsebool -P git_system_use_nfs 1
> .EE
> .PP
> -Allow the Git system daemon to read system shared repositories on Samba shares.
> +Determine whether Git system daemon can read any shared repository content on Samba shares.
> .EX
> sudo setsebool -P git_system_use_cifs 1
> .EE
> .PP
> -Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
> +Determine whether Git session daemons can read personal repository content on NFS mounted home directories.
> .EX
> sudo setsebool -P use_nfs_home_dirs 1
> .EE
> .PP
> -Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
> +Determine whether Git session daemons can read personal repository content on Samba mounted home directories.
> .EX
> sudo setsebool -P use_samba_home_dirs 1
> .EE
> .PP
> -To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
> +To allow Git system daemon to read personal repository content on NFS and Samba mounted home directories you must also allow Git system daemon to search home directories so that it can find the personal repository content.
> .EX
> sudo setsebool -P git_system_enable_homedirs 1
> .EE
> .PP
> -To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
> +Determine whether Git session daemons can listen on any unreserved TCP ports. This is useful for mass hosting of personal repository content.
> .EX
> sudo setsebool -P git_session_bind_all_unreserved_ports 1
> .EE
> .SH GIT_SHELL
> -The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
> +The Git policy by default provides a restricted user environment to be used with "Git shell". The default git_shell_u SELinux user can manage and execute generic Git shared repository content (shared repository content with type git_sys_content_t).
> .PP
> -To add a new Linux user and map him to this Git shell user domain automatically:
> +Add a new Unix user and map this user to the default Git system SELinux user automatically:
> .EX
> sudo useradd -Z git_shell_u joe
> .EE
> -.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
> -Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
> +.SH ADVANCED_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
> +Alternatively Git SELinux policy can be used to restrict Git user types access to Git shared repository content types. The policy allows for the creation of new types of Git shared repository content and Git users. The policy allows one to specify Git user types access to Git shared repository content types. Note that any Git user is allowed to manage and execute generic Git shared repository content.
> .PP
> -To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
> +Add a new Git shared repository content type, for example "project1". Create a file named project1.te and add to it:
> .EX
> policy_module(project1, 1.0.0)
> -git_content_template(project1)
> +type git_project1_content_t;
> +git_shared_repository_files_type(git_project1_content_t)
> .EE
> -Next create a file named project1.fc and add a file context specification for the new repository type to it:
> +Create a file named project1.fc, and add a file context specification for the new shared repository content type to it:
> .EX
> -/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
> +/var/lib/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
> .EE
> -Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
> +Build a binary representation of this source policy module, load it into the policy store and restore the context of the shared repository content:
> .EX
> make -f /usr/share/selinux/devel/Makefile project.pp
> sudo semodule -i project1.pp
> -sudo restorecon -R -v /srv/git/project1
> +sudo restorecon -R -v /var/lib/git/project1.git
> .EE
> -To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
> +Create a Git user domain that can interact with this shared repository content. Create a file named project1user.te in the same directory as where the source policy for the Git shared repository file type is and add the following:
> .EX
> policy_module(project1user, 1.0.0)
> -git_role_template(project1user)
> -git_content_delegation(project1user_t, git_project1_content_t)
> +git_user_template(project1user)
> +git_exec_spec_sys_content(project1user_t, git_project1_content_t)
> +git_manage_spec_sys_content(project1user_t, git_project1_content_t)
> gen_user(project1user_u, user, project1user_r, s0, s0)
> .EE
> -Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
> +Build a binary representation of this source policy module, load it into the policy store and map Unix users to the project1user_u SELinux user that was created:
> .EX
> make -f /usr/share/selinux/devel/Makefile project1user.pp
> sudo semodule -i project1user.pp
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..addc3ad 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -27,6 +27,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(staff_r, staff_t)
> +')
> +
> +optional_policy(`
> postgresql_role(staff_r, staff_t)
> ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 0f96353..58eb890 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -148,6 +148,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
> hostname_run(sysadm_t, sysadm_r)
> ')
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 7e9da77..46d24e3 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -17,6 +17,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(user_r, user_t)
> +')
> +
> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 54f0737..e7a135c 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,15 @@
> -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
> +HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
> +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
> +
> +/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
> +
> +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
> +
> +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> +
> +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
> +
> /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..1f3b9fd 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,560 @@
> -## <summary>GIT revision control system</summary>
> +## <summary>Fast Version Control System.</summary>
> +
> +########################################
> +## <summary>
> +## Role access for Git session daemon.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +template(`git_session_role_template',`
> + gen_require(`
> + type git_session_t, gitd_exec_t, git_session_content_t;
> + ')
> +
> + ########################################
> + #
> + # Git session daemon shared declarations.
> + #
> +
> + role $1 types git_session_t;
> +
> + ########################################
> + #
> + # Git session daemon shared policy.
> + #
> +
> + domtrans_pattern($2, gitd_exec_t, git_session_t)
> +
> + allow $2 git_session_t:process { ptrace signal_perms };
> + ps_process_pattern($2, git_session_t)
> +
> + allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
> + allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
> +')
> +
> +########################################
> +## <summary>
> +## Make the specified type a usable
> +## Git shared repository content
> +## file type.
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to be made usable.
> +## </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`git_shared_repository_files_type',`
> + gen_require(`
> + attribute git_system_content, git_content;
> + ')
> +
> + typeattribute $1 git_system_content;
> + typeattribute $1 git_content;
> + files_type($1)
> +')
> +
> +#######################################
> +## <summary>
> +## Template for creating Git users
> +## </summary>
> +## <param name="userdomain_prefix">
> +## <summary>
> +## Prefix of the user domain.
> +## </summary>
> +## </param>
> +## <rolebase/>
> +#
> +template(`git_user_template',`
> + gen_require(`
> + attribute unpriv_userdomain, userdomain;
> + class context contains;
> + role system_r;
> + ')
> +
> + ########################################
> + #
> + # Git daemon role shared declarations.
> + #
> +
> + type $1_t, unpriv_userdomain, userdomain;
> + domain_type($1_t)
> + ubac_constrained($1_t)
> + role $1_r;
> + role $1_r types $1_t;
> + allow system_r $1_r;
> +
> + ########################################
> + #
> + # Git daemon role shared policy.
> + #
> +
> + allow $1_t self:context contains;
> + allow $1_t self:fifo_file rw_fifo_file_perms;
> +
> + kernel_read_system_state($1_t)
> +
> + corecmd_exec_bin($1_t)
> + corecmd_bin_entry_type($1_t)
> + corecmd_shell_entry_type($1_t)
> +
> + domain_interactive_fd($1_t)
> + domain_user_exemption_target($1_t)
> +
> + files_dontaudit_search_home($1_t)
> +
> + auth_use_nsswitch($1_t)
> +
> + miscfiles_read_localization($1_t)
> +
> + git_exec_generic_sys_content($1_t)
> + git_manage_generic_sys_content($1_t)
> +
> + ssh_rw_stream_sockets($1_t)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1_t)
> + fs_manage_cifs_dirs($1_t)
> + fs_manage_cifs_files($1_t)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1_t)
> + fs_manage_nfs_dirs($1_t)
> + fs_manage_nfs_files($1_t)
> + ')
> +')
> +
> +#######################################
> +## <summary>
> +## Execute specified Git daemon
> +## shared repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="git_shared_repository_files_type">
> +## <summary>
> +## Git shared repository file type to be allowed.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_spec_sys_content',`
> + gen_require(`
> + type $1, $2;
> + ')
> +
> + exec_files_pattern($1, $2, $2)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
> +
> +#######################################
> +## <summary>
> +## Create, read, write, and delete
> +## specified Git daemon shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="git_shared_repository_files_type">
> +## <summary>
> +## Git shared repository file type to be allowed.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_spec_sys_content',`
> + gen_require(`
> + type $1, $2;
> + ')
> +
> + manage_dirs_pattern($1, $2, $2)
> + manage_files_pattern($1, $2, $2)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Execute all Git daemon
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_all_content',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + exec_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_exec_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## all Git daemon repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_all_content',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + manage_dirs_pattern($1, git_content, git_content)
> + manage_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Execute all Git daemon
> +## shared repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_all_sys_content',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + exec_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## all Git daemon shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_all_sys_content',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + manage_dirs_pattern($1, git_system_content, git_system_content)
> + manage_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Execute Git daemon generic shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_generic_sys_content',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## Git daemon generic shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_generic_sys_content',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> + manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Read all Git daemon repository
> +## content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_all_content_files',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + list_dirs_pattern($1, git_content, git_content)
> + read_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Read Git daemon personal repository
> +## content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_session_content_files',`
> + gen_require(`
> + type git_session_content_t;
> + ')
> +
> + list_dirs_pattern($1, git_session_content_t, git_session_content_t)
> + read_files_pattern($1, git_session_content_t, git_session_content_t)
> + userdom_search_user_home_dirs($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +')
> +
> +#######################################
> +## <summary>
> +## Do not audit attempts to read
> +## generic personal repository
> +## content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`git_dontaudit_read_session_content_files',`
> + gen_require(`
> + type git_session_content_t;
> + ')
> +
> + dontaudit $1 git_session_content_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Read all Git daemon shared
> +## repository content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_all_sys_content_files',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + list_dirs_pattern($1, git_system_content, git_system_content)
> + read_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Read Git daemon generic shared
> +## repository content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_generic_sys_content_files',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> + read_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7382f85..55e6374 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -1,8 +1,189 @@
> policy_module(git, 1.0)
>
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can search home directories.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_enable_homedirs, false)
> +
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can access cifs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_use_cifs, false)
> +
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can access nfs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_use_nfs, false)
> +
> +########################################
> +#
> +# Git daemon global private declarations.
> +#
> +
> +attribute git_daemon;
> +attribute git_content;
> +
> +type gitd_exec_t;
> +application_executable_file(gitd_exec_t)
> +
> +########################################
> +#
> +# Git system daemon private declarations.
> +#
> +
> +attribute git_system_content;
> +
> +type git_system_t, git_daemon;
> +inetd_service_domain(git_system_t, gitd_exec_t)
> +role system_r types git_system_t;
> +
> +type git_sys_content_t;
> +git_shared_repository_files_type(git_sys_content_t)
> +
> +########################################
> +#
> +# Git session daemon private declarations.
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Git session daemons
> +## can bind tcp sockets to all unreserved ports.
> +## </p>
> +## </desc>
> +gen_tunable(git_session_bind_all_unreserved_ports, false)
> +
> +type git_session_t, git_daemon;
> +application_domain(git_session_t, gitd_exec_t)
> +ubac_constrained(git_session_t)
> +
> +type git_session_content_t, git_content;
> +userdom_user_home_content(git_session_content_t)
> +
> +########################################
> +#
> +# Git daemon global private policy.
> +#
> +
> +allow git_daemon self:fifo_file rw_fifo_file_perms;
> +allow git_daemon self:unix_dgram_socket create_socket_perms;
> +
> +kernel_read_system_state(git_daemon)
> +
> +corenet_all_recvfrom_netlabel(git_daemon)
> +corenet_all_recvfrom_unlabeled(git_daemon)
> +corenet_tcp_bind_generic_node(git_daemon)
> +corenet_tcp_sendrecv_generic_if(git_daemon)
> +corenet_tcp_sendrecv_generic_node(git_daemon)
> +corenet_tcp_sendrecv_generic_port(git_daemon)
> +corenet_tcp_bind_git_port(git_daemon)
> +corenet_tcp_sendrecv_git_port(git_daemon)
> +corenet_sendrecv_git_server_packets(git_daemon)
> +
> +corecmd_exec_bin(git_daemon)
> +
> +files_read_usr_files(git_daemon)
> +
> +fs_search_auto_mountpoints(git_daemon)
> +
> +auth_use_nsswitch(git_daemon)
> +
> +logging_send_syslog_msg(git_daemon)
> +
> +miscfiles_read_localization(git_daemon)
> +
> +optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(git_daemon)
> +')
> +
> +########################################
> +#
> +# Git system daemon private policy.
> +#
> +
> +list_dirs_pattern(git_system_t, git_content, git_content)
> +read_files_pattern(git_system_t, git_content, git_content)
> +files_search_var_lib(git_system_t)
> +
> +tunable_policy(`git_system_enable_homedirs',`
> + userdom_search_user_home_dirs(git_system_t)
> +')
> +
> +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> + fs_list_nfs(git_system_t)
> + fs_read_nfs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> + fs_list_cifs(git_system_t)
> + fs_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs(git_system_t)
> + fs_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs(git_system_t)
> + fs_read_nfs_files(git_system_t)
> +')
> +
> +########################################
> +#
> +# Git session daemon private policy.
> +#
> +
> +allow git_session_t self:tcp_socket { accept listen };
> +
> +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
> +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
> +userdom_search_user_home_dirs(git_session_t)
> +
> +userdom_use_user_terminals(git_session_t)
> +
> +tunable_policy(`git_session_bind_all_unreserved_ports',`
> + corenet_tcp_bind_all_unreserved_ports(git_session_t)
> + corenet_tcp_sendrecv_all_ports(git_session_t)
> + corenet_sendrecv_generic_server_packets(git_session_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs(git_session_t)
> + fs_read_nfs_files(git_session_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs(git_session_t)
> + fs_read_cifs_files(git_session_t)
> +')
> +
> +########################################
> +#
> +# Git CGI domain private policy.
> +#
> +
> +optional_policy(`
> + apache_content_template(git)
> + git_read_all_content_files(httpd_git_script_t)
> + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> + auth_use_nsswitch(httpd_git_script_t)
> +')
> +
> ########################################
> #
> -# Declarations
> +# Git system user private policy.
> #
>
> -apache_content_template(git)
> +git_user_template(git_shell)
> +gen_user(git_shell_u, user, git_shell_r, s0, s0)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-23 13:13:34

by domg472

[permalink] [raw]
Subject: [refpolicy] [ RETRY Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8

On Mon, Aug 22, 2011 at 01:27:08PM -0400, Christopher J. PeBenito wrote:

> This is a very large patch, it'll take a while to review. It seems like
> it should be possible to split it up into more easily reviewed patches.

Yes i need to split it up as much as i can. I also see things in this current patch that would never be acceptable in refpolicy, so i just need to deal with that the hard way. Expect a new version soon.


>
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > :100644 100644 e9c43b1... bb426d3... M man/man8/git_selinux.8
> > :100644 100644 2be17d2... addc3ad... M policy/modules/roles/staff.te
> > :100644 100644 0f96353... 58eb890... M policy/modules/roles/sysadm.te
> > :100644 100644 7e9da77... 46d24e3... M policy/modules/roles/unprivuser.te
> > :100644 100644 54f0737... e7a135c... M policy/modules/services/git.fc
> > :100644 100644 458aac6... 1f3b9fd... M policy/modules/services/git.if
> > :100644 100644 7382f85... 55e6374... M policy/modules/services/git.te
> > man/man8/git_selinux.8 | 50 ++--
> > policy/modules/roles/staff.te | 4 +
> > policy/modules/roles/sysadm.te | 4 +
> > policy/modules/roles/unprivuser.te | 4 +
> > policy/modules/services/git.fc | 16 +-
> > policy/modules/services/git.if | 561 +++++++++++++++++++++++++++++++++++-
> > policy/modules/services/git.te | 185 ++++++++++++-
> > 7 files changed, 795 insertions(+), 29 deletions(-)
> >
> > diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
> > index e9c43b1..bb426d3 100644
> > --- a/man/man8/git_selinux.8
> > +++ b/man/man8/git_selinux.8
> > @@ -19,83 +19,85 @@ SELinux Git policy is very flexible allowing users to setup their web services i
> > .PP
> > The following file contexts types are by default defined for Git:
> > .EX
> > -git_system_content_t
> > +git_sys_content_t
> > .EE
> > -- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
> > +- Set files with git_sys_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all Git system users.
> > .EX
> > git_session_content_t
> > .EE
> > -- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
> > +- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all Git session users. Note that Git system users may not interact with this type.
> > .SH BOOLEANS
> > SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
> > .PP
> > -Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
> > +Determine whether Git system daemon can search user home directories so that it can find Git session repository content. This is useful if you want the Git system daemon to host personal Git repository content.
> > .EX
> > sudo setsebool -P git_system_enable_homedirs 1
> > .EE
> > .PP
> > -Allow the Git system daemon to read system shared repositories on NFS shares.
> > +Determine whether Git system daemon can read any Git shared repository content on NFS shares.
> > .EX
> > sudo setsebool -P git_system_use_nfs 1
> > .EE
> > .PP
> > -Allow the Git system daemon to read system shared repositories on Samba shares.
> > +Determine whether Git system daemon can read any shared repository content on Samba shares.
> > .EX
> > sudo setsebool -P git_system_use_cifs 1
> > .EE
> > .PP
> > -Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
> > +Determine whether Git session daemons can read personal repository content on NFS mounted home directories.
> > .EX
> > sudo setsebool -P use_nfs_home_dirs 1
> > .EE
> > .PP
> > -Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
> > +Determine whether Git session daemons can read personal repository content on Samba mounted home directories.
> > .EX
> > sudo setsebool -P use_samba_home_dirs 1
> > .EE
> > .PP
> > -To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
> > +To allow Git system daemon to read personal repository content on NFS and Samba mounted home directories you must also allow Git system daemon to search home directories so that it can find the personal repository content.
> > .EX
> > sudo setsebool -P git_system_enable_homedirs 1
> > .EE
> > .PP
> > -To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
> > +Determine whether Git session daemons can listen on any unreserved TCP ports. This is useful for mass hosting of personal repository content.
> > .EX
> > sudo setsebool -P git_session_bind_all_unreserved_ports 1
> > .EE
> > .SH GIT_SHELL
> > -The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
> > +The Git policy by default provides a restricted user environment to be used with "Git shell". The default git_shell_u SELinux user can manage and execute generic Git shared repository content (shared repository content with type git_sys_content_t).
> > .PP
> > -To add a new Linux user and map him to this Git shell user domain automatically:
> > +Add a new Unix user and map this user to the default Git system SELinux user automatically:
> > .EX
> > sudo useradd -Z git_shell_u joe
> > .EE
> > -.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
> > -Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
> > +.SH ADVANCED_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
> > +Alternatively Git SELinux policy can be used to restrict Git user types access to Git shared repository content types. The policy allows for the creation of new types of Git shared repository content and Git users. The policy allows one to specify Git user types access to Git shared repository content types. Note that any Git user is allowed to manage and execute generic Git shared repository content.
> > .PP
> > -To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
> > +Add a new Git shared repository content type, for example "project1". Create a file named project1.te and add to it:
> > .EX
> > policy_module(project1, 1.0.0)
> > -git_content_template(project1)
> > +type git_project1_content_t;
> > +git_shared_repository_files_type(git_project1_content_t)
> > .EE
> > -Next create a file named project1.fc and add a file context specification for the new repository type to it:
> > +Create a file named project1.fc, and add a file context specification for the new shared repository content type to it:
> > .EX
> > -/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
> > +/var/lib/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
> > .EE
> > -Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
> > +Build a binary representation of this source policy module, load it into the policy store and restore the context of the shared repository content:
> > .EX
> > make -f /usr/share/selinux/devel/Makefile project.pp
> > sudo semodule -i project1.pp
> > -sudo restorecon -R -v /srv/git/project1
> > +sudo restorecon -R -v /var/lib/git/project1.git
> > .EE
> > -To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
> > +Create a Git user domain that can interact with this shared repository content. Create a file named project1user.te in the same directory as where the source policy for the Git shared repository file type is and add the following:
> > .EX
> > policy_module(project1user, 1.0.0)
> > -git_role_template(project1user)
> > -git_content_delegation(project1user_t, git_project1_content_t)
> > +git_user_template(project1user)
> > +git_exec_spec_sys_content(project1user_t, git_project1_content_t)
> > +git_manage_spec_sys_content(project1user_t, git_project1_content_t)
> > gen_user(project1user_u, user, project1user_r, s0, s0)
> > .EE
> > -Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
> > +Build a binary representation of this source policy module, load it into the policy store and map Unix users to the project1user_u SELinux user that was created:
> > .EX
> > make -f /usr/share/selinux/devel/Makefile project1user.pp
> > sudo semodule -i project1user.pp
> > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> > index 2be17d2..addc3ad 100644
> > --- a/policy/modules/roles/staff.te
> > +++ b/policy/modules/roles/staff.te
> > @@ -27,6 +27,10 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + git_session_role_template(staff_r, staff_t)
> > +')
> > +
> > +optional_policy(`
> > postgresql_role(staff_r, staff_t)
> > ')
> >
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 0f96353..58eb890 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -148,6 +148,10 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + git_session_role_template(sysadm_r, sysadm_t)
> > +')
> > +
> > +optional_policy(`
> > hostname_run(sysadm_t, sysadm_r)
> > ')
> >
> > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> > index 7e9da77..46d24e3 100644
> > --- a/policy/modules/roles/unprivuser.te
> > +++ b/policy/modules/roles/unprivuser.te
> > @@ -17,6 +17,10 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + git_session_role_template(user_r, user_t)
> > +')
> > +
> > +optional_policy(`
> > screen_role_template(user, user_r, user_t)
> > ')
> >
> > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> > index 54f0737..e7a135c 100644
> > --- a/policy/modules/services/git.fc
> > +++ b/policy/modules/services/git.fc
> > @@ -1,3 +1,15 @@
> > -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> > -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> > +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
> > +HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
> > +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
> > +
> > +/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
> > +
> > +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
> > +
> > +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> > +
> > +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
> > +
> > /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> > +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> > +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index 458aac6..1f3b9fd 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -1 +1,560 @@
> > -## <summary>GIT revision control system</summary>
> > +## <summary>Fast Version Control System.</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Role access for Git session daemon.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +template(`git_session_role_template',`
> > + gen_require(`
> > + type git_session_t, gitd_exec_t, git_session_content_t;
> > + ')
> > +
> > + ########################################
> > + #
> > + # Git session daemon shared declarations.
> > + #
> > +
> > + role $1 types git_session_t;
> > +
> > + ########################################
> > + #
> > + # Git session daemon shared policy.
> > + #
> > +
> > + domtrans_pattern($2, gitd_exec_t, git_session_t)
> > +
> > + allow $2 git_session_t:process { ptrace signal_perms };
> > + ps_process_pattern($2, git_session_t)
> > +
> > + allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
> > + allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Make the specified type a usable
> > +## Git shared repository content
> > +## file type.
> > +## </summary>
> > +## <param name="type">
> > +## <summary>
> > +## Type to be made usable.
> > +## </summary>
> > +## </param>
> > +## <infoflow type="none"/>
> > +#
> > +interface(`git_shared_repository_files_type',`
> > + gen_require(`
> > + attribute git_system_content, git_content;
> > + ')
> > +
> > + typeattribute $1 git_system_content;
> > + typeattribute $1 git_content;
> > + files_type($1)
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Template for creating Git users
> > +## </summary>
> > +## <param name="userdomain_prefix">
> > +## <summary>
> > +## Prefix of the user domain.
> > +## </summary>
> > +## </param>
> > +## <rolebase/>
> > +#
> > +template(`git_user_template',`
> > + gen_require(`
> > + attribute unpriv_userdomain, userdomain;
> > + class context contains;
> > + role system_r;
> > + ')
> > +
> > + ########################################
> > + #
> > + # Git daemon role shared declarations.
> > + #
> > +
> > + type $1_t, unpriv_userdomain, userdomain;
> > + domain_type($1_t)
> > + ubac_constrained($1_t)
> > + role $1_r;
> > + role $1_r types $1_t;
> > + allow system_r $1_r;
> > +
> > + ########################################
> > + #
> > + # Git daemon role shared policy.
> > + #
> > +
> > + allow $1_t self:context contains;
> > + allow $1_t self:fifo_file rw_fifo_file_perms;
> > +
> > + kernel_read_system_state($1_t)
> > +
> > + corecmd_exec_bin($1_t)
> > + corecmd_bin_entry_type($1_t)
> > + corecmd_shell_entry_type($1_t)
> > +
> > + domain_interactive_fd($1_t)
> > + domain_user_exemption_target($1_t)
> > +
> > + files_dontaudit_search_home($1_t)
> > +
> > + auth_use_nsswitch($1_t)
> > +
> > + miscfiles_read_localization($1_t)
> > +
> > + git_exec_generic_sys_content($1_t)
> > + git_manage_generic_sys_content($1_t)
> > +
> > + ssh_rw_stream_sockets($1_t)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_exec_cifs_files($1_t)
> > + fs_manage_cifs_dirs($1_t)
> > + fs_manage_cifs_files($1_t)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_exec_nfs_files($1_t)
> > + fs_manage_nfs_dirs($1_t)
> > + fs_manage_nfs_files($1_t)
> > + ')
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Execute specified Git daemon
> > +## shared repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="git_shared_repository_files_type">
> > +## <summary>
> > +## Git shared repository file type to be allowed.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_exec_spec_sys_content',`
> > + gen_require(`
> > + type $1, $2;
> > + ')
> > +
> > + exec_files_pattern($1, $2, $2)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_exec_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_exec_nfs_files($1)
> > + ')
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## specified Git daemon shared
> > +## repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="git_shared_repository_files_type">
> > +## <summary>
> > +## Git shared repository file type to be allowed.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_manage_spec_sys_content',`
> > + gen_require(`
> > + type $1, $2;
> > + ')
> > +
> > + manage_dirs_pattern($1, $2, $2)
> > + manage_files_pattern($1, $2, $2)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_manage_cifs_dirs($1)
> > + fs_manage_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_manage_nfs_dirs($1)
> > + fs_manage_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute all Git daemon
> > +## repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_exec_all_content',`
> > + gen_require(`
> > + attribute git_content;
> > + ')
> > +
> > + exec_files_pattern($1, git_content, git_content)
> > + userdom_search_user_home_dirs($1)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`use_nfs_home_dirs',`
> > + fs_exec_nfs_files($1)
> > + ')
> > +
> > + tunable_policy(`use_samba_home_dirs',`
> > + fs_exec_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_exec_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_exec_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## all Git daemon repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_manage_all_content',`
> > + gen_require(`
> > + attribute git_content;
> > + ')
> > +
> > + manage_dirs_pattern($1, git_content, git_content)
> > + manage_files_pattern($1, git_content, git_content)
> > + userdom_search_user_home_dirs($1)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`use_nfs_home_dirs',`
> > + fs_manage_nfs_dirs($1)
> > + fs_manage_nfs_files($1)
> > + ')
> > +
> > + tunable_policy(`use_samba_home_dirs',`
> > + fs_manage_cifs_dirs($1)
> > + fs_manage_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_manage_cifs_dirs($1)
> > + fs_manage_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_manage_nfs_dirs($1)
> > + fs_manage_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute all Git daemon
> > +## shared repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_exec_all_sys_content',`
> > + gen_require(`
> > + attribute git_system_content;
> > + ')
> > +
> > + exec_files_pattern($1, git_system_content, git_system_content)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_exec_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_exec_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## all Git daemon shared
> > +## repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_manage_all_sys_content',`
> > + gen_require(`
> > + attribute git_system_content;
> > + ')
> > +
> > + manage_dirs_pattern($1, git_system_content, git_system_content)
> > + manage_files_pattern($1, git_system_content, git_system_content)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_manage_cifs_dirs($1)
> > + fs_manage_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_manage_nfs_dirs($1)
> > + fs_manage_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute Git daemon generic shared
> > +## repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_exec_generic_sys_content',`
> > + gen_require(`
> > + type git_sys_content_t;
> > + ')
> > +
> > + exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_exec_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_exec_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## Git daemon generic shared
> > +## repository content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_manage_generic_sys_content',`
> > + gen_require(`
> > + type git_sys_content_t;
> > + ')
> > +
> > + manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> > + manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_manage_cifs_dirs($1)
> > + fs_manage_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_manage_nfs_dirs($1)
> > + fs_manage_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read all Git daemon repository
> > +## content files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_read_all_content_files',`
> > + gen_require(`
> > + attribute git_content;
> > + ')
> > +
> > + list_dirs_pattern($1, git_content, git_content)
> > + read_files_pattern($1, git_content, git_content)
> > + userdom_search_user_home_dirs($1)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`use_nfs_home_dirs',`
> > + fs_list_nfs($1)
> > + fs_read_nfs_files($1)
> > + ')
> > +
> > + tunable_policy(`use_samba_home_dirs',`
> > + fs_list_cifs($1)
> > + fs_read_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_list_cifs($1)
> > + fs_read_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_list_nfs($1)
> > + fs_read_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read Git daemon personal repository
> > +## content files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_read_session_content_files',`
> > + gen_require(`
> > + type git_session_content_t;
> > + ')
> > +
> > + list_dirs_pattern($1, git_session_content_t, git_session_content_t)
> > + read_files_pattern($1, git_session_content_t, git_session_content_t)
> > + userdom_search_user_home_dirs($1)
> > +
> > + tunable_policy(`use_nfs_home_dirs',`
> > + fs_list_nfs($1)
> > + fs_read_nfs_files($1)
> > + ')
> > +
> > + tunable_policy(`use_samba_home_dirs',`
> > + fs_list_cifs($1)
> > + fs_read_cifs_files($1)
> > + ')
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Do not audit attempts to read
> > +## generic personal repository
> > +## content files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to not audit.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_dontaudit_read_session_content_files',`
> > + gen_require(`
> > + type git_session_content_t;
> > + ')
> > +
> > + dontaudit $1 git_session_content_t:file read_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read all Git daemon shared
> > +## repository content files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_read_all_sys_content_files',`
> > + gen_require(`
> > + attribute git_system_content;
> > + ')
> > +
> > + list_dirs_pattern($1, git_system_content, git_system_content)
> > + read_files_pattern($1, git_system_content, git_system_content)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_list_cifs($1)
> > + fs_read_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_list_nfs($1)
> > + fs_read_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read Git daemon generic shared
> > +## repository content files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_read_generic_sys_content_files',`
> > + gen_require(`
> > + type git_sys_content_t;
> > + ')
> > +
> > + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> > + read_files_pattern($1, git_sys_content_t, git_sys_content_t)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_list_cifs($1)
> > + fs_read_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_list_nfs($1)
> > + fs_read_nfs_files($1)
> > + ')
> > +')
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 7382f85..55e6374 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -1,8 +1,189 @@
> > policy_module(git, 1.0)
> >
> > +## <desc>
> > +## <p>
> > +## Determine whether Git system daemon
> > +## can search home directories.
> > +## </p>
> > +## </desc>
> > +gen_tunable(git_system_enable_homedirs, false)
> > +
> > +## <desc>
> > +## <p>
> > +## Determine whether Git system daemon
> > +## can access cifs file systems.
> > +## </p>
> > +## </desc>
> > +gen_tunable(git_system_use_cifs, false)
> > +
> > +## <desc>
> > +## <p>
> > +## Determine whether Git system daemon
> > +## can access nfs file systems.
> > +## </p>
> > +## </desc>
> > +gen_tunable(git_system_use_nfs, false)
> > +
> > +########################################
> > +#
> > +# Git daemon global private declarations.
> > +#
> > +
> > +attribute git_daemon;
> > +attribute git_content;
> > +
> > +type gitd_exec_t;
> > +application_executable_file(gitd_exec_t)
> > +
> > +########################################
> > +#
> > +# Git system daemon private declarations.
> > +#
> > +
> > +attribute git_system_content;
> > +
> > +type git_system_t, git_daemon;
> > +inetd_service_domain(git_system_t, gitd_exec_t)
> > +role system_r types git_system_t;
> > +
> > +type git_sys_content_t;
> > +git_shared_repository_files_type(git_sys_content_t)
> > +
> > +########################################
> > +#
> > +# Git session daemon private declarations.
> > +#
> > +
> > +## <desc>
> > +## <p>
> > +## Determine whether Git session daemons
> > +## can bind tcp sockets to all unreserved ports.
> > +## </p>
> > +## </desc>
> > +gen_tunable(git_session_bind_all_unreserved_ports, false)
> > +
> > +type git_session_t, git_daemon;
> > +application_domain(git_session_t, gitd_exec_t)
> > +ubac_constrained(git_session_t)
> > +
> > +type git_session_content_t, git_content;
> > +userdom_user_home_content(git_session_content_t)
> > +
> > +########################################
> > +#
> > +# Git daemon global private policy.
> > +#
> > +
> > +allow git_daemon self:fifo_file rw_fifo_file_perms;
> > +allow git_daemon self:unix_dgram_socket create_socket_perms;
> > +
> > +kernel_read_system_state(git_daemon)
> > +
> > +corenet_all_recvfrom_netlabel(git_daemon)
> > +corenet_all_recvfrom_unlabeled(git_daemon)
> > +corenet_tcp_bind_generic_node(git_daemon)
> > +corenet_tcp_sendrecv_generic_if(git_daemon)
> > +corenet_tcp_sendrecv_generic_node(git_daemon)
> > +corenet_tcp_sendrecv_generic_port(git_daemon)
> > +corenet_tcp_bind_git_port(git_daemon)
> > +corenet_tcp_sendrecv_git_port(git_daemon)
> > +corenet_sendrecv_git_server_packets(git_daemon)
> > +
> > +corecmd_exec_bin(git_daemon)
> > +
> > +files_read_usr_files(git_daemon)
> > +
> > +fs_search_auto_mountpoints(git_daemon)
> > +
> > +auth_use_nsswitch(git_daemon)
> > +
> > +logging_send_syslog_msg(git_daemon)
> > +
> > +miscfiles_read_localization(git_daemon)
> > +
> > +optional_policy(`
> > + automount_dontaudit_getattr_tmp_dirs(git_daemon)
> > +')
> > +
> > +########################################
> > +#
> > +# Git system daemon private policy.
> > +#
> > +
> > +list_dirs_pattern(git_system_t, git_content, git_content)
> > +read_files_pattern(git_system_t, git_content, git_content)
> > +files_search_var_lib(git_system_t)
> > +
> > +tunable_policy(`git_system_enable_homedirs',`
> > + userdom_search_user_home_dirs(git_system_t)
> > +')
> > +
> > +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> > + fs_list_nfs(git_system_t)
> > + fs_read_nfs_files(git_system_t)
> > +')
> > +
> > +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> > + fs_list_cifs(git_system_t)
> > + fs_read_cifs_files(git_system_t)
> > +')
> > +
> > +tunable_policy(`git_system_use_cifs',`
> > + fs_list_cifs(git_system_t)
> > + fs_read_cifs_files(git_system_t)
> > +')
> > +
> > +tunable_policy(`git_system_use_nfs',`
> > + fs_list_nfs(git_system_t)
> > + fs_read_nfs_files(git_system_t)
> > +')
> > +
> > +########################################
> > +#
> > +# Git session daemon private policy.
> > +#
> > +
> > +allow git_session_t self:tcp_socket { accept listen };
> > +
> > +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
> > +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
> > +userdom_search_user_home_dirs(git_session_t)
> > +
> > +userdom_use_user_terminals(git_session_t)
> > +
> > +tunable_policy(`git_session_bind_all_unreserved_ports',`
> > + corenet_tcp_bind_all_unreserved_ports(git_session_t)
> > + corenet_tcp_sendrecv_all_ports(git_session_t)
> > + corenet_sendrecv_generic_server_packets(git_session_t)
> > +')
> > +
> > +tunable_policy(`use_nfs_home_dirs',`
> > + fs_list_nfs(git_session_t)
> > + fs_read_nfs_files(git_session_t)
> > +')
> > +
> > +tunable_policy(`use_samba_home_dirs',`
> > + fs_list_cifs(git_session_t)
> > + fs_read_cifs_files(git_session_t)
> > +')
> > +
> > +########################################
> > +#
> > +# Git CGI domain private policy.
> > +#
> > +
> > +optional_policy(`
> > + apache_content_template(git)
> > + git_read_all_content_files(httpd_git_script_t)
> > + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> > +
> > + auth_use_nsswitch(httpd_git_script_t)
> > +')
> > +
> > ########################################
> > #
> > -# Declarations
> > +# Git system user private policy.
> > #
> >
> > -apache_content_template(git)
> > +git_user_template(git_shell)
> > +gen_user(git_shell_u, user, git_shell_r, s0, s0)
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110823/5a8e03c8/attachment-0001.bin