2011-08-27 13:15:14

by domg472

Subject: [refpolicy] [ RFC] 1/1] This is my proposal to deal with the following concerned raised in previous patch set:

1. having a git specific template in the userdom module (userdom_git_user_template)

renamed userdom_git_user_template to userdom_minimal_user_template. Edited userdom_base_user_template to use the userdom_minimal_user_template.
removed all policy that does not belong in userdom_minimal_user_template.

2. remove git_manage/exec_spec_share_content because the target type is not declared in git module.

Now the target type is declared in the git module.

3. now it makes sense to declare git_$1_content_t.

one template to create a new git user domain and a corresponding git shared content type, and to give that git user access to that new git shared content type.

Cons:

We no longer have a git_manage/exec_spec_shared_content(_files) interface, so giving any git user domain access to other shared content types cannot be done through interfaces (admins need to create rules from AVC denials).

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 f5aa6cb... 82138a1... M policy/modules/roles/git_shell.te
:100644 100644 e4d689b... afed175... M policy/modules/services/git.if
:100644 100644 5c30b4b... c12a4b1... M policy/modules/system/userdomain.if
policy/modules/roles/git_shell.te | 2 +-
policy/modules/services/git.if | 85 +++++++++--------------------------
policy/modules/system/userdomain.if | 56 ++++++++++-------------
3 files changed, 47 insertions(+), 96 deletions(-)

diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te
index f5aa6cb..82138a1 100644
--- a/policy/modules/roles/git_shell.te
+++ b/policy/modules/roles/git_shell.te
@@ -5,7 +5,7 @@ policy_module(git_shell, 1.0.0)
# Declarations
#

-userdom_git_user_template(git_shell)
+git_shared_content_template(git_shell)

########################################
#
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index e4d689b..afed175 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -67,83 +67,42 @@ template(`git_shared_content_template',`
attribute git_system_content, git_content;
')

+ userdom_minimal_user_template($1)
+ userdom_unpriv_userdomain($1_t)
+
type git_$1_content_t, git_system_content, git_content;
files_type(git_$1_content_t)
-')
-
-#######################################
-## <summary>
-## Execute specified Git daemon
-## shared repository content files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="file_type">
-## <summary>
-## Type to allow access to.
-## </summary>
-## </param>
-#
-interface(`git_exec_spec_shared_content_files',`
- gen_require(`
- type $1, $2;
- ')

- exec_files_pattern($1, $2, $2)
- files_search_var_lib($1)
+ exec_files_pattern($1_t, git_$1_content_t, git_$1_content_t)
+ manage_dirs_pattern($1_t, git_$1_content_t, git_$1_content_t)
+ manage_files_pattern($1_t, git_$1_content_t, git_$1_content_t)
+ files_search_var_lib($1_t)

- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1)
- ')
+ kernel_read_system_state($1_t)

- tunable_policy(`git_system_use_nfs',`
- fs_exec_nfs_files($1)
- ')
-')
+ auth_use_nsswitch($1_t)

-#######################################
-## <summary>
-## Create, read, write, and delete
-## specified Git daemon shared
-## repository content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="file_type">
-## <summary>
-## Type to allow access to.
-## </summary>
-## </param>
-#
-interface(`git_manage_spec_shared_content',`
- gen_require(`
- type $1, $2;
- ')
+ git_exec_generic_sys_content_files($1_t)
+ git_manage_generic_sys_content($1_t)

- manage_dirs_pattern($1, $2, $2)
- manage_files_pattern($1, $2, $2)
- files_search_var_lib($1)
+ ssh_rw_stream_sockets($1_t)

tunable_policy(`git_system_use_cifs',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
+ fs_exec_cifs_files($1_t)
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
',`
- fs_dontaudit_manage_cifs_dirs($1)
- fs_dontaudit_manage_cifs_files($1)
+ fs_dontaudit_manage_cifs_dirs($1_t)
+ fs_dontaudit_manage_cifs_files($1_t)
')

tunable_policy(`git_system_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
+ fs_exec_nfs_files($1_t)
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
',`
- fs_dontaudit_manage_nfs_dirs($1)
- fs_dontaudit_manage_nfs_files($1)
+ fs_dontaudit_manage_nfs_dirs($1_t)
+ fs_dontaudit_manage_nfs_files($1_t)
')
')
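Review bot: `git_shared_content_template` now grants `$1_t` both `manage_files_pattern` and `exec_files_pattern` on `git_$1_content_t`, and under `git_system_use_cifs` / `git_system_use_nfs` it grants manage plus exec on CIFS/NFS files, so every domain created through it can execute content it is able to write. If that pairing is intended (presumably for repository hooks), state it in a comment above the rules, e.g. `# $1_t may write and execute its own shared content; do not give other domains write access to git_$1_content_t`. The template also now creates a user domain and role through `userdom_minimal_user_template($1)`, while its name and its `## <summary>` header, which starts above this hunk, still describe a content template; the header should say that it declares `$1_t`, `$1_r` and `git_$1_content_t`. Any existing caller that only wanted a content type would now get a new user domain as well, so callers outside this patch should be checked.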

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5c30b4b..c12a4b1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2,7 +2,7 @@

#######################################
## <summary>
-## Template for creating Git users.
+## Template for creating minimal users.
## </summary>
## <param name="userdomain_prefix">
## <summary>
@@ -11,9 +11,9 @@
## </param>
## <rolebase/>
#
-template(`userdom_git_user_template',`
+template(`userdom_minimal_user_template',`
gen_require(`
- attribute unpriv_userdomain, userdomain;
+ attribute userdomain;
class context contains;
role system_r;
')
@@ -23,7 +23,7 @@ template(`userdom_git_user_template',`
# Declarations
#

- type $1_t, unpriv_userdomain, userdomain;
+ type $1_t, userdomain;
domain_type($1_t)
ubac_constrained($1_t)
role $1_r;
@@ -38,8 +38,6 @@ template(`userdom_git_user_template',`
allow $1_t self:context contains;
allow $1_t self:fifo_file rw_fifo_file_perms;

- kernel_read_system_state($1_t)
-
corecmd_exec_bin($1_t)
corecmd_bin_entry_type($1_t)
corecmd_shell_entry_type($1_t)
@@ -53,14 +51,7 @@ template(`userdom_git_user_template',`
files_dontaudit_getattr_non_security_pipes($1_t)
files_dontaudit_getattr_non_security_sockets($1_t)

- auth_use_nsswitch($1_t)
-
miscfiles_read_localization($1_t)
-
- git_exec_generic_sys_content_files($1_t)
- git_manage_generic_sys_content($1_t)
-
- ssh_rw_stream_sockets($1_t)
')

#######################################
@@ -87,22 +78,12 @@ template(`userdom_git_user_template',`
template(`userdom_base_user_template',`

gen_require(`
- attribute userdomain;
type user_devpts_t, user_tty_device_t;
- class context contains;
')

attribute $1_file_type;

- type $1_t, userdomain;
- domain_type($1_t)
- corecmd_shell_entry_type($1_t)
- corecmd_bin_entry_type($1_t)
- domain_user_exemption_target($1_t)
- ubac_constrained($1_t)
- role $1_r;
- role $1_r types $1_t;
- allow system_r $1_r;
+ userdom_minimal_user_template($1)

term_user_pty($1_t, user_devpts_t)
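Review bot: `userdom_base_user_template` drops its own `domain_user_exemption_target($1_t)`, `role $1_r types $1_t;` and `allow system_r $1_r;` in favour of `userdom_minimal_user_template($1)`, but the parts of the minimal template visible in this patch show only `domain_type`, `ubac_constrained`, `role $1_r;` and the corecmd entry-type calls. If the minimal template does not also carry the exemption-target and role-association rules, every user domain built on the base template loses them without any build error; this needs confirming against the full template body, which lies outside the hunks shown. A short comment at the call site would make the dependency explicit, e.g. `# declares $1_t and $1_r, the role/type association and the user exemption target`.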

@@ -110,14 +91,12 @@ template(`userdom_base_user_template',`

allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
- allow $1_t self:context contains;
dontaudit $1_t self:socket create;

allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
@@ -157,12 +136,6 @@ template(`userdom_base_user_template',`
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
- # old broswer_domain():
- files_dontaudit_list_non_security($1_t)
- files_dontaudit_getattr_non_security_files($1_t)
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)

libs_exec_ld_so($1_t)

@@ -3271,3 +3244,22 @@ interface(`userdom_dbus_send_all_users',`

allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make the specified domain
+## unprivileged user domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be made usable.
+## </summary>
+## </param>
+#
+interface(`userdom_unpriv_userdomain',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ typeattribute $1 unpriv_userdomain;
+')
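Review bot: The parameter description `Domain to be made usable.` does not describe what `userdom_unpriv_userdomain` does and reads like a leftover from another interface; `## Type to be added to the unpriv_userdomain attribute.` would match the body. The summary should read "an unprivileged user domain". Because the interface is a bare `typeattribute $1 unpriv_userdomain;`, the caller's type picks up every rule written against `unpriv_userdomain` elsewhere in the policy. That is broader than the "minimal" template it is paired with in git.if suggests, so the summary should mention it.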
--
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110827/39edb5f8/attachment.bin