2011-08-22 21:23:59

by domg472

Subject: [refpolicy] [ v2 Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8

Initial Git daemon domain. git_selinux.8 modified to reflect changes.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 e9c43b1... bb426d3... M man/man8/git_selinux.8
:100644 100644 2be17d2... addc3ad... M policy/modules/roles/staff.te
:100644 100644 0f96353... 58eb890... M policy/modules/roles/sysadm.te
:100644 100644 7e9da77... 46d24e3... M policy/modules/roles/unprivuser.te
:100644 100644 54f0737... 1b38b13... M policy/modules/services/git.fc
:100644 100644 458aac6... b9e4a98... M policy/modules/services/git.if
:100644 100644 7382f85... 86a207a... M policy/modules/services/git.te
man/man8/git_selinux.8 | 50 ++--
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/git.fc | 14 +-
policy/modules/services/git.if | 566 +++++++++++++++++++++++++++++++++++-
policy/modules/services/git.te | 183 ++++++++++++-
7 files changed, 796 insertions(+), 29 deletions(-)

diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
index e9c43b1..bb426d3 100644
--- a/man/man8/git_selinux.8
+++ b/man/man8/git_selinux.8
@@ -19,83 +19,85 @@ SELinux Git policy is very flexible allowing users to setup their web services i
.PP
The following file contexts types are by default defined for Git:
.EX
-git_system_content_t
+git_sys_content_t
.EE
-- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+- Set files with git_sys_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all Git system users.
.EX
git_session_content_t
.EE
-- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all Git session users. Note that Git system users may not interact with this type.
.SH BOOLEANS
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
.PP
-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+Determine whether Git system daemon can search user home directories so that it can find Git session repository content. This is useful if you want the Git system daemon to host personal Git repository content.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
.PP
-Allow the Git system daemon to read system shared repositories on NFS shares.
+Determine whether Git system daemon can read any Git shared repository content on NFS shares.
.EX
sudo setsebool -P git_system_use_nfs 1
.EE
.PP
-Allow the Git system daemon to read system shared repositories on Samba shares.
+Determine whether Git system daemon can read any shared repository content on Samba shares.
.EX
sudo setsebool -P git_system_use_cifs 1
.EE
.PP
-Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+Determine whether Git session daemons can read personal repository content on NFS mounted home directories.
.EX
sudo setsebool -P use_nfs_home_dirs 1
.EE
.PP
-Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+Determine whether Git session daemons can read personal repository content on Samba mounted home directories.
.EX
sudo setsebool -P use_samba_home_dirs 1
.EE
.PP
-To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+To allow Git system daemon to read personal repository content on NFS and Samba mounted home directories you must also allow Git system daemon to search home directories so that it can find the personal repository content.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
.PP
-To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+Determine whether Git session daemons can listen on any unreserved TCP ports. This is useful for mass hosting of personal repository content.
.EX
sudo setsebool -P git_session_bind_all_unreserved_ports 1
.EE
.SH GIT_SHELL
-The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+The Git policy by default provides a restricted user environment to be used with "Git shell". The default git_shell_u SELinux user can manage and execute generic Git shared repository content (shared repository content with type git_sys_content_t).
.PP
-To add a new Linux user and map him to this Git shell user domain automatically:
+Add a new Unix user and map this user to the default Git system SELinux user automatically:
.EX
sudo useradd -Z git_shell_u joe
.EE
-.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
-Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+.SH ADVANCED_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+Alternatively Git SELinux policy can be used to restrict Git user types access to Git shared repository content types. The policy allows for the creation of new types of Git shared repository content and Git users. The policy allows one to specify Git user types access to Git shared repository content types. Note that any Git user is allowed to manage and execute generic Git shared repository content.
.PP
-To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+Add a new Git shared repository content type, for example "project1". Create a file named project1.te and add to it:
.EX
policy_module(project1, 1.0.0)
-git_content_template(project1)
+type git_project1_content_t;
+git_shared_repository_files_type(git_project1_content_t)
.EE
-Next create a file named project1.fc and add a file context specification for the new repository type to it:
+Create a file named project1.fc, and add a file context specification for the new shared repository content type to it:
.EX
-/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+/var/lib/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
.EE
-Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+Build a binary representation of this source policy module, load it into the policy store and restore the context of the shared repository content:
.EX
make -f /usr/share/selinux/devel/Makefile project.pp
sudo semodule -i project1.pp
-sudo restorecon -R -v /srv/git/project1
+sudo restorecon -R -v /var/lib/git/project1.git
.EE
-To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+Create a Git user domain that can interact with this shared repository content. Create a file named project1user.te in the same directory as where the source policy for the Git shared repository file type is and add the following:
.EX
policy_module(project1user, 1.0.0)
-git_role_template(project1user)
-git_content_delegation(project1user_t, git_project1_content_t)
+git_user_template(project1user)
+git_exec_spec_sys_content(project1user_t, git_project1_content_t)
+git_manage_spec_sys_content(project1user_t, git_project1_content_t)
gen_user(project1user_u, user, project1user_r, s0, s0)
.EE
-Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+Build a binary representation of this source policy module, load it into the policy store and map Unix users to the project1user_u SELinux user that was created:
.EX
make -f /usr/share/selinux/devel/Makefile project1user.pp
sudo semodule -i project1user.pp
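Review bot: the build step "make -f /usr/share/selinux/devel/Makefile project.pp" names the wrong target; the module written two steps earlier is project1.te and the very next line installs project1.pp, so this should read "make -f /usr/share/selinux/devel/Makefile project1.pp". Two smaller points in the same hunk: the new heading ".SH ADVANCED_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS" has a space where the rest of the name uses underscores, and the GIT_SHELL example "sudo useradd -Z git_shell_u joe" should also set the account's login shell to git-shell (the git_user_template comment in this patch's git.if notes that bash will otherwise go looking for .bashrc), for example with "-s /usr/bin/git-shell", adjusted to wherever the distribution installs git-shell.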
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..addc3ad 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -27,6 +27,10 @@ optional_policy(`
')

optional_policy(`
+ git_session_role_template(staff_r, staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..58eb890 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -148,6 +148,10 @@ optional_policy(`
')

optional_policy(`
+ git_session_role_template(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..46d24e3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -17,6 +17,10 @@ optional_policy(`
')

optional_policy(`
+ git_session_role_template(user_r, user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..1b38b13 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,13 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
+
+/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
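Review bot: the "/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)" entry has an unescaped "." and no file-type field, unlike "/var/www/cgi-bin/cgit --" and the git-daemon entry in the same hunk; as written the regex also matches /var/www/git/gitwebXcgi and would label a directory of that name as a script. Suggest "/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)". Also worth a sentence in the commit message: "/var/lib/git(/.*)?" moves from httpd_git_content_t to git_sys_content_t, so existing gitweb/cgit deployments need a restorecon after the upgrade (the CGI domain keeps read access through git_read_all_content_files in git.te).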
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..b9e4a98 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,565 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
+
+########################################
+## <summary>
+## Role access for Git session daemon.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`git_session_role_template',`
+ gen_require(`
+ type git_session_t, gitd_exec_t, git_session_content_t;
+ ')
+
+ ########################################
+ #
+ # Git session daemon shared declarations.
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Git session daemon shared policy.
+ #
+
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
+')
+
+########################################
+## <summary>
+## Make the specified type a usable
+## Git shared repository content
+## file type.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be made usable.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`git_shared_repository_files_type',`
+ gen_require(`
+ attribute git_system_content, git_content;
+ ')
+
+ typeattribute $1 git_system_content;
+ typeattribute $1 git_content;
+ files_type($1)
+')
+
+#######################################
+## <summary>
+## Template for creating Git users.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## Prefix of the user domain.
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`git_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ class context contains;
+ role system_r;
+ ')
+
+ ########################################
+ #
+ # Git daemon role shared declarations.
+ #
+
+ type $1_t, unpriv_userdomain, userdomain;
+ domain_type($1_t)
+ ubac_constrained($1_t)
+ role $1_r;
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ ########################################
+ #
+ # Git daemon role shared policy.
+ #
+
+ allow $1_t self:context contains;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ kernel_read_system_state($1_t)
+
+ corecmd_exec_bin($1_t)
+ corecmd_bin_entry_type($1_t)
+ corecmd_shell_entry_type($1_t)
+
+ domain_interactive_fd($1_t)
+ domain_user_exemption_target($1_t)
+
+ files_dontaudit_search_home($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ git_exec_generic_sys_content($1_t)
+ git_manage_generic_sys_content($1_t)
+
+ ssh_rw_stream_sockets($1_t)
+
+ # If you forget to set the git user login shell to git-shell,
+ # then bash will be looking for .bashrc, but this access is not required
+ # and it is not desired.
+ userdom_dontaudit_search_user_home_dirs($1_t)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1_t)
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1_t)
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Execute specified Git daemon
+## shared repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="git_shared_repository_files_type">
+## <summary>
+## Git shared repository file type to be allowed.
+## </summary>
+## </param>
+#
+interface(`git_exec_spec_sys_content',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ exec_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## specified Git daemon shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="git_shared_repository_files_type">
+## <summary>
+## Git shared repository file type to be allowed.
+## </summary>
+## </param>
+#
+interface(`git_manage_spec_sys_content',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute all Git daemon
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ exec_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## all Git daemon repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ manage_dirs_pattern($1, git_content, git_content)
+ manage_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute all Git daemon
+## shared repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_all_sys_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ exec_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## all Git daemon shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_all_sys_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute Git daemon generic shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_exec_generic_sys_content',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## Git daemon generic shared
+## repository content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_manage_generic_sys_content',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read all Git daemon repository
+## content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_content_files',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read Git daemon personal repository
+## content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read
+## generic personal repository
+## content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`git_dontaudit_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ dontaudit $1 git_session_content_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read all Git daemon shared
+## repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_sys_content_files',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ list_dirs_pattern($1, git_system_content, git_system_content)
+ read_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read Git daemon generic shared
+## repository content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_generic_sys_content_files',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
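Review bot: git_session_role_template takes (role, domain) and declares no per-prefix types, so by refpolicy convention it should be an interface named along the lines of git_session_role (compare postgresql_role(staff_r, staff_t), which sits right next to the new call in staff.te, with screen_role_template(user, user_r, user_t) in unprivuser.te, which does take a prefix). Second, git_exec_all_content, git_manage_all_content and git_read_all_content_files grant the same NFS rules under both use_nfs_home_dirs and git_system_use_nfs, and the same CIFS rules under both use_samba_home_dirs and git_system_use_cifs; one tunable_policy(`use_nfs_home_dirs || git_system_use_nfs',` block each would do, using the same compound form git.te already uses with &&. Third, every *_sys_content interface hardcodes files_search_var_lib($1), while git.fc in this patch also labels /srv/git(/.*)? as git_sys_content_t; check that callers can search the parent directories of that location as well, or drop the /srv entry until they can.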
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..86a207a 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -2,7 +2,186 @@ policy_module(git, 1.0)

########################################
#
-# Declarations
+# Git daemon global private declarations.
#

-apache_content_template(git)
+attribute git_daemon;
+attribute git_content;
+
+type gitd_exec_t;
+
+########################################
+#
+# Git system daemon private declarations.
+#
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+attribute git_system_content;
+
+type git_system_t, git_daemon;
+inetd_service_domain(git_system_t, gitd_exec_t)
+
+type git_sys_content_t;
+git_shared_repository_files_type(git_sys_content_t)
+
+########################################
+#
+# Git session daemon private declarations.
+#
+
+## <desc>
+## <p>
+## Determine whether Git session daemons
+## can bind tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type git_session_t, git_daemon;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+logging_send_syslog_msg(git_daemon)
+
+miscfiles_read_localization(git_daemon)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(git_daemon)
+')
+
+########################################
+#
+# Git system daemon private policy.
+#
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git session daemon private policy.
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git CGI domain private policy.
+#
+
+optional_policy(`
+ apache_content_template(git)
+ git_read_all_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+ auth_use_nsswitch(httpd_git_script_t)
+')
+
+########################################
+#
+# Git system user private policy.
+#
+
+git_user_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
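Review bot: the list_dirs_pattern(git_system_t, git_content, git_content) and read_files_pattern(git_system_t, git_content, git_content) rules are unconditional and git_content includes git_session_content_t, so git_system_enable_homedirs only gates userdom_search_user_home_dirs; the system daemon can already read personal repository content that reaches it by another route, for instance a directory moved under /var/lib/git with its git_session_content_t label intact. For least privilege, grant git_system_content unconditionally and put the git_session_content_t list/read rules inside the git_system_enable_homedirs block, which is also what the man page says the boolean does. Two smaller points: policy_module(git, 1.0) in the hunk header is unchanged although the module gains a daemon domain, a user and several booleans, so the version should be bumped; and the separate fs_list_nfs/fs_read_nfs_files and fs_list_cifs/fs_read_cifs_files blocks for git_system_t could be folded into the existing "git_system_enable_homedirs && use_nfs_home_dirs" style blocks with ||.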
--
1.7.1
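The file-context entries in the git.fc hunk above are easy to get subtly wrong (the gitweb.cgi line has an unescaped dot and no file-type field, and the same path is covered by both a subtree spec and a single-file spec). As an added example, not code from refpolicy or from this patch, here is a small Python checker that parses gen_context lines in the .fc format shown above, flags those two problems, and resolves which type a given path would receive. The expansion of HOME_DIR to /home/[^/]+ and the precedence rule (longest literal prefix wins, later line breaks ties) are assumptions that approximate genhomedircon and libselinux rather than transcribe them; the sample lines are constructed from the hunk.

```python
"""Lint and resolve SELinux file-context (.fc) specifications.

Added example for this review thread; not code from refpolicy or the patch.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the eight gen_context lines from the git.fc hunk under review.
SAMPLE_FC = """\
HOME_DIR/public_git(/.*)?           gen_context(system_u:object_r:git_session_content_t,s0)
/srv/git(/.*)?                      gen_context(system_u:object_r:git_sys_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
/var/cache/cgit(/.*)?               gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)?                  gen_context(system_u:object_r:git_sys_content_t,s0)
/var/www/cgi-bin/cgit            -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/git(/.*)?                  gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/git/gitweb.cgi             gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
"""

# path-regex, optional file-type field (--, -d, -l, ...), then gen_context(user:role:type[,range])
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?"
    r"gen_context\([^:,)]+:[^:,)]+:(?P<type>[^:,)]+)(?:,[^)]*)?\)$"
)
META = set(".^$?*+|[](){}\\")
ANY_SUBTREE = "(/.*)?"  # the refpolicy idiom for "this directory and everything below it"


@dataclass
class Spec:
    lineno: int
    path: str              # regex exactly as written in the .fc file
    ftype: Optional[str]   # file-type field such as '--' or '-d', if given
    setype: str            # the type part of the gen_context
    regex: re.Pattern
    literal_prefix: str    # leading characters that contain no regex metacharacters


def literal_prefix(path_re: str) -> str:
    out = []
    for ch in path_re:
        if ch in META:
            break
        out.append(ch)
    return "".join(out)


def parse_fc(text: str) -> List[Spec]:
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a gen_context spec: {line!r}")
        # Assumption: genhomedircon expands HOME_DIR to one regex per home root.
        path_re = m.group("path").replace("HOME_DIR", "/home/[^/]+")
        specs.append(Spec(lineno, m.group("path"), m.group("ftype"), m.group("type"),
                          re.compile("^" + path_re + "$"), literal_prefix(path_re)))
    return specs


def lint(specs: List[Spec]) -> List[str]:
    """Flag an unescaped '.' and a single-object path that lacks a file-type field."""
    problems = []
    for s in specs:
        body = s.path.replace(ANY_SUBTREE, "")
        body = re.sub(r"\\.", "x", body)          # an escaped character is literal
        metas = {c for c in body if c in META}
        if "." in metas:
            problems.append(f"line {s.lineno}: unescaped '.' in {s.path!r} "
                            f"matches any character, not just a dot")
        if s.ftype is None and not (metas - {"."}) and ANY_SUBTREE not in s.path:
            problems.append(f"line {s.lineno}: {s.path!r} names a single object "
                            f"but has no file-type field (e.g. '--')")
    return problems


def resolve(specs: List[Spec], path: str) -> Optional[str]:
    """Return the type the specs assign to path, or None if no spec matches.

    Assumption: the most specific spec (longest literal prefix) wins and a later
    line beats an earlier one on ties.  The file-type field is not consulted
    because only a path string is available here, not an inode."""
    best = None
    for s in specs:
        if s.regex.match(path) and (
            best is None or len(s.literal_prefix) >= len(best.literal_prefix)
        ):
            best = s
    return best.setype if best else None


if __name__ == "__main__":
    fc = parse_fc(SAMPLE_FC)
    for problem in lint(fc):
        print("LINT:", problem)
    for p in ("/var/lib/git/project1.git/HEAD", "/home/joe/public_git/repo.git/HEAD",
              "/var/www/git/gitweb.cgi", "/var/www/git/gitwebXcgi", "/etc/passwd"):
        print(f"{p:45} -> {resolve(fc, p)}")
```

Running it against the sample prints two lint findings, both for the gitweb.cgi line, and shows that /var/www/git/gitwebXcgi resolves to httpd_git_script_exec_t just like the real CGI, which is exactly why the dot needs escaping.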



2011-08-22 22:45:06

by domg472

Subject: [refpolicy] [ v2 Git patch 1/1] Initial Git daemon domain. Modify git_selinux.8

So let's walk through/review this patch. This patch is not as big as it seems.

Comments in line:

> diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8

Man page was already merged into refpolicy. I just modified it to reflect the changes I made. The man page should speak for itself.

> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..addc3ad 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -27,6 +27,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(staff_r, staff_t)
> +')
> +
> +optional_policy(`

When staff_u:staff_r:staff_t runs /usr/libexec/git-core/git-daemon (gitd_exec_t), it domain-transitions to git_session_t (Git session daemon).

One can run git-daemon as an unprivileged user to host personal repositories (e.g. ~/public_git).

> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 0f96353..58eb890 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -148,6 +148,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`

Same as above but for sysadm_t

> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 7e9da77..46d24e3 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -17,6 +17,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(user_r, user_t)
> +')
> +
> +optional_policy(`

Same as above but for user_t

> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 54f0737..1b38b13 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,13 @@
> -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)

This is the location for personal Git repositories (git_session_content).

> +/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)

Alternate location for shared Git repositories (git_system_content).

> +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)

The Git daemon executable file (gitd_exec_t).

> +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)

Cgit CGI script cache location.

> +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)

Default location for Git shared repositories, as configured by /etc/xinetd.d/git.

> /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)

gitweb and cgit CGI executable files and content.

> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..b9e4a98 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,565 @@
> -## <summary>GIT revision control system</summary>
> +## <summary>Fast Version Control System.</summary>
> +
> +########################################
> +## <summary>
> +## Role access for Git session daemon.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +template(`git_session_role_template',`
> + gen_require(`
> + type git_session_t, gitd_exec_t, git_session_content_t;
> + ')
> +
> + ########################################
> + #
> + # Git session daemon shared declarations.
> + #
> +
> + role $1 types git_session_t;
> +
> + ########################################
> + #
> + # Git session daemon shared policy.
> + #
> +
> + domtrans_pattern($2, gitd_exec_t, git_session_t)
> +
> + allow $2 git_session_t:process { ptrace signal_perms };
> + ps_process_pattern($2, git_session_t)
> +
> + allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
> + allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
> +')
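
Review bot: the doc block for git_session_role_template carries neither `## <rolecap/>` nor `## <rolebase/>`, unlike git_user_template below, which is tagged `## <rolebase/>`; a role template that hands a role a new domain should be tagged `## <rolecap/>` so the generated documentation lists it with the other role capabilities. Worth a comment as well: `allow $2 git_session_t:process { ptrace signal_perms };` grants the user domain ptrace over the daemon, which is more than the ps/top/kill use described in the commentary needs.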

This is the git session daemon role template. It allows the caller's role the git_session_t domain. It allows the caller to domain transition to git_session_t, and it allows the caller to manage and ps the git_session_t process (ps, top, kill, Ctrl-C, etc.).

Currently called by user_t, staff_t, sysadm_t. Other policy is shared with git_system_t using the git_daemon attribute in git.te.

> +########################################
> +## <summary>
> +## Make the specified type a usable
> +## Git shared repository content
> +## file type.
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to be made usable.
> +## </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`git_shared_repository_files_type',`
> + gen_require(`
> + attribute git_system_content, git_content;
> + ')
> +
> + typeattribute $1 git_system_content;
> + typeattribute $1 git_content;
> + files_type($1)
> +')

This interface allows one to create new git shared repository types. It expects a type, and it makes that type usable git system content and git content (all git repository content, both shared and personal, is git content, but only shared repository content is git_system_content). This distinction is made because there is only one personal repository content type (git_session_content_t) but there can be infinite git shared repository content types.

> +#######################################
> +## <summary>
> +## Template for creating Git users.
> +## </summary>
> +## <param name="userdomain_prefix">
> +## <summary>
> +## Prefix of the user domain.
> +## </summary>
> +## </param>
> +## <rolebase/>
> +#
> +template(`git_user_template',`
> + gen_require(`
> + attribute unpriv_userdomain, userdomain;
> + class context contains;
> + role system_r;
> + ')
> +
> + ########################################
> + #
> + # Git daemon role shared declarations.
> + #
> +
> + type $1_t, unpriv_userdomain, userdomain;
> + domain_type($1_t)
> + ubac_constrained($1_t)
> + role $1_r;
> + role $1_r types $1_t;
> + allow system_r $1_r;
> +
> + ########################################
> + #
> + # Git daemon role shared policy.
> + #
> +
> + allow $1_t self:context contains;
> + allow $1_t self:fifo_file rw_fifo_file_perms;
> +
> + kernel_read_system_state($1_t)
> +
> + corecmd_exec_bin($1_t)
> + corecmd_bin_entry_type($1_t)
> + corecmd_shell_entry_type($1_t)
> +
> + domain_interactive_fd($1_t)
> + domain_user_exemption_target($1_t)
> +
> + files_dontaudit_search_home($1_t)
> +
> + auth_use_nsswitch($1_t)
> +
> + miscfiles_read_localization($1_t)
> +
> + git_exec_generic_sys_content($1_t)
> + git_manage_generic_sys_content($1_t)
> +
> + ssh_rw_stream_sockets($1_t)
> +
> + # If you forget to set the git user login shell to git-shell,
> + # then bash will be looking for .bashrc, but this access is not required
> + # and it is not desired.
> + userdom_dontaudit_search_user_home_dirs($1_t)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1_t)
> + fs_manage_cifs_dirs($1_t)
> + fs_manage_cifs_files($1_t)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1_t)
> + fs_manage_nfs_dirs($1_t)
> + fs_manage_nfs_files($1_t)
> + ')
> +')
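
Review bot: `corecmd_bin_entry_type($1_t)` lets the git user domain be entered through any bin_t executable, which is wider than the git-shell-only design the comment near the end of the template describes (forgetting to set the login shell to git-shell is treated as a mistake); if git users are only ever meant to enter via git-shell, which the commentary says is shell_exec_t, `corecmd_shell_entry_type($1_t)` alone covers that. Style: the separator above this doc block is 39 `#` characters where the other interfaces use 40.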

The git user template. This is a user domain/role for git users. It should be used together with git-shell (usually /usr/bin/git-shell, shell_exec_t). This user doesn't have access to the home dir and doesn't need a pty. All it needs is access to generic shared repository content (git_sys_content_t). Its access to other possible shared repository types can be extended by calling git_manage_spec_sys_content() together with git_exec_spec_sys_content(). Git users need to be able to manage (read/write) and execute git shared repositories that they are allowed to access.

The exec_spec_sys_content is for the git hooks. They need to be executed by git users. But currently there is no way for me to differentiate between hooks and other shared repository content. So when push comes to shove, git users can execute shared repository content.

> +#######################################
> +## <summary>
> +## Execute specified Git daemon
> +## shared repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="git_shared_repository_files_type">
> +## <summary>
> +## Git shared repository file type to be allowed.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_spec_sys_content',`
> + gen_require(`
> + type $1, $2;
> + ')
> +
> + exec_files_pattern($1, $2, $2)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
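
Review bot: `gen_require(` type $1, $2; ')` requires the caller's own domain `$1` as a type; refpolicy interfaces normally require only the types they reference from the defining module, and requiring `$1` as a `type` fails for a caller that passes an attribute, so `type $2;` is enough (the same applies to git_manage_spec_sys_content below). Since `exec_files_pattern($1, $2, $2)` makes every file of the repository type executable, not only the hooks, a one-line comment in the body recording that trade-off would help future readers.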

Allows the calling git user domain to execute the specified git shared repository content type.

> +#######################################
> +## <summary>
> +## Create, read, write, and delete
> +## specified Git daemon shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="git_shared_repository_files_type">
> +## <summary>
> +## Git shared repository file type to be allowed.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_spec_sys_content',`
> + gen_require(`
> + type $1, $2;
> + ')
> +
> + manage_dirs_pattern($1, $2, $2)
> + manage_files_pattern($1, $2, $2)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')

Allows the calling git user to manage the specified git shared repository content type.

(Note: shared repositories are in either /srv/git or /var/lib/git, hence the files_search_var_lib.)

Also nfs/cifs support.

> +########################################
> +## <summary>
> +## Execute all Git daemon
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_all_content',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + exec_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_exec_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
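
Review bot: in git_exec_all_content the `use_nfs_home_dirs` and `git_system_use_nfs` blocks both expand to `fs_exec_nfs_files($1)`, and likewise the two cifs blocks; harmless, but `tunable_policy(`use_nfs_home_dirs || git_system_use_nfs',` would say the same thing once. The same pairs recur in git_manage_all_content and git_read_all_content_files below.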

This is currently unused but good to have if you create many shared repository types and the single personal repository type. Maybe useful for some future git administration functionality.

> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## all Git daemon repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_all_content',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + manage_dirs_pattern($1, git_content, git_content)
> + manage_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')

Same as above except manage instead of exec. Manage and exec go hand in hand. In theory I could have combined the two, but I decided to make it separate as git_rwx_all_sys_content looks weird.

> +########################################
> +## <summary>
> +## Execute all Git daemon
> +## shared repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_all_sys_content',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + exec_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')

This is also currently unused but even more useful than the ones above, since this can also be used by git user domains that may need access to any shared repository available or to be created.

> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## all Git daemon shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_all_sys_content',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + manage_dirs_pattern($1, git_system_content, git_system_content)
> + manage_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')

Same as above but manage instead of exec (manage and exec go hand in hand).

> +########################################
> +## <summary>
> +## Execute Git daemon generic shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_exec_generic_sys_content',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')

Basically useless except that we call it in the git user template above. All git users have access to generic shared repositories.

> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## Git daemon generic shared
> +## repository content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_manage_generic_sys_content',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> + manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')

This is basically useless except that we call it in the git user template. All git users have access to generic shared repositories.

> +########################################
> +## <summary>
> +## Read all Git daemon repository
> +## content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_all_content_files',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + list_dirs_pattern($1, git_content, git_content)
> + read_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
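
Review bot: `userdom_search_user_home_dirs($1)` is granted unconditionally inside git_read_all_content_files, which is exactly what keeps httpd_t from using it (as the commentary notes); moving the home-directory search out of the interface and letting the CGI caller add it explicitly would make this reusable for dumb HTTP hosting without bypassing httpd_enable_homedirs.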

This is used by the cgit and gitweb CGI scripts.
Httpd would in theory also be able to use this for "dumb" repository hosting (git clone http://domain.tld/repo.git), but this interface allows the caller to search user home dirs. Thus it would break the httpd_enable_homedirs boolean if we called it for httpd_t.

> +########################################
> +## <summary>
> +## Read Git daemon personal repository
> +## content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_session_content_files',`
> + gen_require(`
> + type git_session_content_t;
> + ')
> +
> + list_dirs_pattern($1, git_session_content_t, git_session_content_t)
> + read_files_pattern($1, git_session_content_t, git_session_content_t)
> + userdom_search_user_home_dirs($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +')

Basically the same as above but only for personal repositories (~/public_git). Currently useless.

> +#######################################
> +## <summary>
> +## Do not audit attempts to read
> +## generic personal repository
> +## content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`git_dontaudit_read_session_content_files',`
> + gen_require(`
> + type git_session_content_t;
> + ')
> +
> + dontaudit $1 git_session_content_t:file read_file_perms;
> +')
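
Review bot: git_dontaudit_read_session_content_files has no caller anywhere in this patch, and the commentary says the ~/.gitconfig labelling that motivated it has been dropped; better to remove the interface than to carry it. If it stays, its separator line is 39 `#` characters instead of 40.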

Not sure what this is for. I inherited this from Fedora and I actually suspect this can be removed.
In Fedora we labelled ~/.gitconfig and ~/.gitadliases git_session_content_t, which is wrong. These files should be just generic user home content (this is corrected in this patch); git daemons do not need to interact with these two files.

> +########################################
> +## <summary>
> +## Read all Git daemon shared
> +## repository content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_all_sys_content_files',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + list_dirs_pattern($1, git_system_content, git_system_content)
> + read_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')

This one is also potentially handy for httpd dumb shared repository hosting. This excludes access to personal repositories.
Currently unused.

> +########################################
> +## <summary>
> +## Read Git daemon generic shared
> +## repository content files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`git_read_generic_sys_content_files',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> + read_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
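
Review bot: the summary correctly describes git_read_generic_sys_content_files as reading git_sys_content_t, the generic shared repository type declared in git.te; it grants nothing on git_session_content_t, so it is the shared-repository counterpart of git_read_session_content_files above, not a personal-repository interface.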

Same as above but this excludes shared repository content (only read access to personal repositories).

> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7382f85..86a207a 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -2,7 +2,186 @@ policy_module(git, 1.0)
>
> ########################################
> #
> -# Declarations
> +# Git daemon global private declarations.
> #
>
> -apache_content_template(git)
> +attribute git_daemon;
> +attribute git_content;
> +
> +type gitd_exec_t;

These declarations apply to both git_system_t and git_session_t.

The git_daemon domain attribute is assigned to both domains. We did this because git_system_t and git_session_t are both to a large extent the same. The difference is that git_system_t is run by inetd and git_session_t is run by user domains.

By sharing whatever policy possible we can make policy more compact.

The git_content attribute is assigned to any git repository content, whether it's shared or personal.

gitd_exec_t is the type of /usr/libexec/git-core/git-daemon. It is the entry file to both git_system_t as well as git_session_t (depending on who runs it, respectively).

> +########################################
> +#
> +# Git system daemon private declarations.
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can search home directories.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_enable_homedirs, false)

Boolean specific to git_system_t. This allows git_system_t to traverse /home and /home/$USER, so that it can get to the personal repositories at ~/public_git. If it's set to off then git_system_t cannot host personal repositories.

It's kind of like httpd_enable_homedirs.

> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can access cifs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_use_cifs, false)

git_system_t cifs support. One may have shared repositories located on cifs shares.

> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can access nfs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_use_nfs, false)

Same as above but for nfs.

> +attribute git_system_content;

This attribute is assigned to any shared repository content type. It allows us to differentiate between shared and personal repository content, and it allows easy access to all shared repositories.

> +type git_system_t, git_daemon;
> +inetd_service_domain(git_system_t, gitd_exec_t)

The git_system_t domain (a git daemon).
It's run by inetd; no need to allow the system_r role the git_system_t domain, as inetd_service_domain already provides this.

> +type git_sys_content_t;
> +git_shared_repository_files_type(git_sys_content_t)

The default shared repository type (kind of like a fallback for shared repositories); compare it to httpd_sys_content_t.
/var/lib/git and /srv/git are labelled with this type. By default any shared repositories there inherit this type.

We're making it usable by calling the git_shared_repository_files_type defined in git.if. Basically it makes the calling type a files_type() and it assigns the git_system_content and git_content attributes to the type, to classify this type as git content and git shared repository content.

> +########################################
> +#
> +# Git session daemon private declarations.
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Git session daemons
> +## can bind tcp sockets to all unreserved ports.
> +## </p>
> +## </desc>
> +gen_tunable(git_session_bind_all_unreserved_ports, false)

This is specific to git_session_t (git-daemon run by users). Git daemon itself just allows clients to clone repositories. It's pretty harmless. In mass hosting environments, one may want to allow shell users to host personal repositories. Considering that there may be many shell users and only one git port (tcp 9418), the owner may want to allow the git session daemon to listen on any unreserved port.

> +type git_session_t, git_daemon;
> +application_domain(git_session_t, gitd_exec_t)
> +ubac_constrained(git_session_t)

git_session_t, git-daemon run by users, a git daemon.
Application domain because it's run by user domains; runs as user so ubac constrained.

> +type git_session_content_t, git_content;
> +userdom_user_home_content(git_session_content_t)

git_session_content_t is the sole type for personal repositories (~/public_git).
It is userdom_user_home_content (ubac constraint).

It is also git_content, because any and all git repository content is git content; this includes personal repository content.

> +########################################
> +#
> +# Git daemon global private policy.
> +#
> +
> +allow git_daemon self:fifo_file rw_fifo_file_perms;
> +allow git_daemon self:unix_dgram_socket create_socket_perms;
> +
> +kernel_read_system_state(git_daemon)
> +
> +corecmd_exec_bin(git_daemon)
> +
> +files_read_usr_files(git_daemon)
> +
> +fs_search_auto_mountpoints(git_daemon)
> +
> +auth_use_nsswitch(git_daemon)
> +
> +logging_send_syslog_msg(git_daemon)
> +
> +miscfiles_read_localization(git_daemon)
> +
> +optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(git_daemon)
> ")
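
Review bot: the optional_policy block ends with `")` instead of `')`; m4 will not see the closing quote, so the module fails to build until the double quote is corrected (if this is only a mailer artefact, the committed file should still be checked).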

The above is policy that both git_system_t and git_session_t have in common.
It's pretty straightforward, nothing special here. Both system and session can use syslog, use nsswitch, etc.

We used the git_daemon attribute to keep the policy compact. No need to call it for system and session separately.

> +########################################
> +#
> +# Git system daemon private policy.
> +#
> +
> +list_dirs_pattern(git_system_t, git_content, git_content)
> +read_files_pattern(git_system_t, git_content, git_content)
> +files_search_var_lib(git_system_t)
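
Review bot: `read_files_pattern(git_system_t, git_content, git_content)` gives the system daemon read access to every git_content type, including git_session_content_t, unconditionally; only the directory search is gated by git_system_enable_homedirs below. If the boolean is meant to switch personal-repository hosting off, list/read git_system_content here and put the git_session_content_t list/read rules inside the tunable block, so that a personal repository reachable through some path other than the home directory stays unreadable when the boolean is off.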

This policy is specific to git_system_t. Only git_system_t should be allowed to read any repository content, whether shared or personal...

> +tunable_policy(`git_system_enable_homedirs',`
> + userdom_search_user_home_dirs(git_system_t)
> +')


... of course whether it can read personal repository content depends on how the boolean above is toggled. If it can't get to personal repositories, it can't read them either.

> +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> + fs_list_nfs(git_system_t)
> + fs_read_nfs_files(git_system_t)
> +')

nfs home dir support, boring

> +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> + fs_list_cifs(git_system_t)
> + fs_read_cifs_files(git_system_t)
> +')

Same as above but cifs.

> +tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs(git_system_t)
> + fs_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs(git_system_t)
> + fs_read_nfs_files(git_system_t)
> +')

nfs/cifs support for shared repositories.

> +########################################
> +#
> +# Git session daemon private policy.
> +#
> +
> +allow git_session_t self:tcp_socket { accept listen };
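
Review bot: `allow git_session_t self:tcp_socket { accept listen };` is the only self:tcp_socket rule in the patch; the global git_daemon block above grants fifo_file and unix_dgram_socket only, so nothing here lets git_session_t create, bind or set options on its listening socket. Unless that comes from elsewhere, this wants `create_stream_socket_perms`, which already includes accept and listen.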

This is specific to git_session_t. The above is interesting. Since git_system_t is an inetd domain, it does actually listen on the git port itself (inetd handles the network connections and spawns git_system_t whenever a client needs service).

git_session_t however is run by users and so it needs to listen on tcp_sockets.

> +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
> +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
> +userdom_search_user_home_dirs(git_session_t)

git_session_t can only read personal repository content.

> +corenet_all_recvfrom_netlabel(git_session_t)
> +corenet_all_recvfrom_unlabeled(git_session_t)
> +corenet_tcp_bind_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_if(git_session_t)
> +corenet_tcp_sendrecv_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_port(git_session_t)
> +corenet_tcp_bind_git_port(git_session_t)
> +corenet_tcp_sendrecv_git_port(git_session_t)
> +corenet_sendrecv_git_server_packets(git_session_t)

git_session_t needs to be able to network and bind a tcp socket to the git port by default.
inetd handles networking for git_system_t.

> +userdom_use_user_terminals(git_session_t)

git_session_t can log to the user terminal (it outputs there by default when a user runs /usr/libexec/git-core/git-daemon).

> +
> +tunable_policy(`git_session_bind_all_unreserved_ports',`
> + corenet_tcp_bind_all_unreserved_ports(git_session_t)
> + corenet_tcp_sendrecv_all_ports(git_session_t)
> + corenet_sendrecv_generic_server_packets(git_session_t)
> +')

This is for mass hosting of git personal repositories. Allows the git session daemon to bind tcp sockets to any unreserved port as opposed to only the default git port.

> +tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs(git_session_t)
> + fs_read_nfs_files(git_session_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs(git_session_t)
> + fs_read_cifs_files(git_session_t)
> +')

nfs / cifs home dir support.

> +########################################
> +#
> +# Git CGI domain private policy.
> +#
> +
> +optional_policy(`
> + apache_content_template(git)
> + git_read_all_content_files(httpd_git_script_t)
> + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> + auth_use_nsswitch(httpd_git_script_t)
> +')
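
Review bot: `apache_content_template(git)` has moved from an unconditional declaration into optional_policy, but git.fc still labels /var/cache/cgit, /var/www/git and gitweb.cgi with the httpd_git_* types that template declares; on a build without the apache module those file contexts refer to undeclared types. Either document the apache dependency or keep the template call where it was. Also, `git_read_all_content_files(httpd_git_script_t)` calls the module's own interface from its .te file, where the list/read patterns could be written directly.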

cgit and gitweb are Apache CGI domains. They need to be able to read any repository content (git_content).

> +########################################
> +#
> +# Git system user private policy.
> +#
> +
> +git_user_template(git_shell)
> +gen_user(git_shell_u, user, git_shell_r, s0, s0)

The default git user (git_shell_u) has access to generic shared repositories.
Very basic domain but enough for most use cases. If one has some advanced git hook that requires extensive user access, then one is advised to create one's own git user using the git_user_template and extend that to one's needs (see man git_selinux for directions).

Add a SELinux user mapping by default. We want to keep the entrance barrier low. It's there so just "useradd -Z git_shell_u joe".

> --
> 1.7.1
>

