From: dpquigl@tycho.nsa.gov (David P. Quigley)
Date: Mon, 18 Aug 2008 11:08:36 -0400
Subject: [refpolicy] SeLinux policy for git-daemon
In-Reply-To: <1219072370.15402.6.camel@desktop.local.neuhalfen.name>
References: <1219072370.15402.6.camel@desktop.local.neuhalfen.name>
Message-ID: <1219072116.2609.90.camel@moss-terrapins.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

For everyone's convenience I already have the repo checked out and have
attached his three policy template files. I think they have tpl at the end
because the build system is supposed to substitute something in but it only
seems to be the case with respect to the fc file.

Dave

-------------- next part --------------
# git-daemon file contexts (template: the @@...@@ placeholders are
# substituted by the build system, per the covering mail).

# daemon binary and its init script
@@GITD-GITDAEMON@@	--	gen_context(system_u:object_r:git-daemon_exec_t,s0)
@@GITD-INITSCRIPT@@	--	gen_context(system_u:object_r:git-daemon_script_exec_t,s0)

# the base path holding the served repositories and everything below it
@@GITD-BASEPATH@@(/[^/].+)*	gen_context(system_u:object_r:git-daemon_rw_t,s0)

# NOTE(review): no object-class column, so this matches whatever object the
# path is (a pid directory or the pid file itself) — confirm which is meant.
@@GITD-PIDDIR@@	gen_context(system_u:object_r:git-daemon_var_run_t,s0)

# log type is not declared in the .te yet, kept commented out to match
# /var/log/git-daemon	--	gen_context(system_u:object_r:git-daemon_var_log_t,s0)

-------------- next part --------------
## <summary>policy for git-daemon</summary>

########################################
## <summary>
##	Execute a domain transition to run git-daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`git-daemon_domtrans',`
	gen_require(`
		type git-daemon_t;
		type git-daemon_exec_t;
	')

	# the caller executes git-daemon_exec_t and ends up in git-daemon_t
	domtrans_pattern($1,git-daemon_exec_t,git-daemon_t)
')

########################################
## <summary>
##	Execute the git-daemon init script with a
##	domain transition (init_script_domtrans_spec).
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`git-daemon_script_domtrans',`
	gen_require(`
		type git-daemon_script_exec_t;
	')

	init_script_domtrans_spec($1,git-daemon_script_exec_t)
')

########################################
## <summary>
##	Do not audit attempts to read
##	git-daemon tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`git-daemon_dontaudit_read_tmp_files',`
	gen_require(`
		type git-daemon_tmp_t;
	')

	dontaudit $1 git-daemon_tmp_t:file read_file_perms;
')

########################################
## <summary>
##	Read git-daemon tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git-daemon_read_tmp_files',`
	gen_require(`
		type git-daemon_tmp_t;
	')

	# NOTE(review): no files_search_tmp() here — the caller must already
	# be able to search the tmp directory the files live in.
	allow $1 git-daemon_tmp_t:file read_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete git-daemon
##	tmp files, directories and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git-daemon_manage_tmp',`
	gen_require(`
		type git-daemon_tmp_t;
	')

	manage_dirs_pattern($1,git-daemon_tmp_t,git-daemon_tmp_t)
	manage_files_pattern($1,git-daemon_tmp_t,git-daemon_tmp_t)
	manage_lnk_files_pattern($1,git-daemon_tmp_t,git-daemon_tmp_t)
')

########################################
## <summary>
##	Search git-daemon rw (repository) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git-daemon_search_rw_dir',`
	gen_require(`
		type git-daemon_rw_t;
	')

	allow $1 git-daemon_rw_t:dir search_dir_perms;
	# NOTE(review): files_search_rw() is relied on to reach the directories
	# above @@GITD-BASEPATH@@ — confirm it covers where that path lives.
	files_search_rw($1)
')

########################################
## <summary>
##	Read git-daemon rw (repository) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git-daemon_read_rw_files',`
	gen_require(`
		type git-daemon_rw_t;
	')

	# NOTE(review): legacy r_file_perms set, while the tmp interfaces use
	# read_file_perms — consider harmonising.
	allow $1 git-daemon_rw_t:file r_file_perms;
	allow $1 git-daemon_rw_t:dir list_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	git-daemon rw (repository) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git-daemon_manage_rw_files',`
	gen_require(`
		type git-daemon_rw_t;
	')

	# Unlike the search/read interfaces above this grants no search on the
	# parent path; callers that need it also use git-daemon_search_rw_dir().
	allow $1 git-daemon_rw_t:file manage_file_perms;
	allow $1 git-daemon_rw_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete git-daemon
##	rw (repository) files, directories and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
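##	</summary>
## </param>
#
interface(`git-daemon_manage_rw',`
	gen_require(`
		type git-daemon_rw_t;
	')

	manage_dirs_pattern($1,git-daemon_rw_t,git-daemon_rw_t)
	manage_files_pattern($1,git-daemon_rw_t,git-daemon_rw_t)
	manage_lnk_files_pattern($1,git-daemon_rw_t,git-daemon_rw_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	a git-daemon environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the git-daemon domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal. Currently unused by this interface.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git-daemon_admin',`
	gen_require(`
		type git-daemon_t, git-daemon_script_exec_t;
		type git-daemon_var_run_t;
	')

	# inspect and signal the running daemon
	allow $1 git-daemon_t:process { ptrace signal_perms getattr };
	read_files_pattern($1, git-daemon_t, git-daemon_t)

	# allow $1 to run the init script (restart the service) in its role
	git-daemon_script_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 git-daemon_script_exec_t system_r;
	allow $2 system_r;

	# administer the daemon's data: tmp files, the repository tree and
	# the pid file
	git-daemon_manage_tmp($1)
	git-daemon_manage_rw($1)
	files_search_pids($1)
	manage_files_pattern($1, git-daemon_var_run_t, git-daemon_var_run_t)
')

-------------- next part --------------
policy_module(git-daemon,1.0.13)

########################################
#
# Declarations
#

# NOTE(review): hyphenated type/module names are unusual in refpolicy
# (convention would be git_daemon_t); confirm the toolchain accepts them.
type git-daemon_t;
type git-daemon_exec_t;
init_daemon_domain(git-daemon_t, git-daemon_exec_t)

type git-daemon_script_exec_t;
init_script_type(git-daemon_script_exec_t)

type git-daemon_tmp_t;
files_tmp_file(git-daemon_tmp_t)

#type git-daemon_var_log_t;
#logging_log_file(git-daemon_var_log_t)

# pid file
type git-daemon_var_run_t;
files_pid_file(git-daemon_var_run_t)
manage_files_pattern(git-daemon_t,git-daemon_var_run_t,git-daemon_var_run_t)
# A pid file or directory the daemon creates directly under /var/run must
# get our type, otherwise it inherits var_run_t and the rule above does not
# apply to it.
files_pid_filetrans(git-daemon_t, git-daemon_var_run_t, { file dir })

# the repositories being served
type git-daemon_rw_t;
files_type(git-daemon_rw_t)

# NOTE(review): a loadable module can declare a port type but cannot carry
# the portcon that maps port 9418 to it; assign it at install time (e.g.
# semanage port -a -t git-daemon_port_t -p tcp 9418), otherwise the bind
# is checked against the default port type and fails.
type git-daemon_port_t;
corenet_port(git-daemon_port_t)

########################################
#
# git-daemon tuneables
#

#
# Read or Read/Write access to our data-files?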
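gen_tunable(git_daemon_update_repository,false)

########################################
#
# git-daemon helper
#

# Let an unconfined shell start the daemon directly, without run_init.
# Wrapped in optional_policy so the module still loads on policies that
# have no unconfined_t (a bare require{} made it a hard dependency).
# domain_entry_file() is not repeated here: init_daemon_domain() in the
# declarations already registers git-daemon_exec_t as the entry point.
# NOTE(review): refpolicy's own mechanism for this is the
# direct_sysadm_daemon build option rather than naming unconfined_t in a
# daemon module — consider dropping this block in favour of that.
optional_policy(`
	gen_require(`
		type unconfined_t;
	')

	domtrans_pattern(unconfined_t, git-daemon_exec_t, git-daemon_t)
')

#######################################
#
# git-daemon local policy
#

# Inherit fds from interactive domains (daemon started from a shell).
# TODO check, if we really want that, optionally make it a boolean
domain_use_interactive_fds(git-daemon_t)

# internal communication is often done using fifo and unix sockets.
allow git-daemon_t self:fifo_file rw_file_perms;
allow git-daemon_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(git-daemon_t)

libs_use_ld_so(git-daemon_t)
libs_use_shared_libs(git-daemon_t)

miscfiles_read_localization(git-daemon_t)

# Temporary files (if any); git-daemon_tmp_t is declared above, so the
# files_tmp_file() call is not repeated here.
allow git-daemon_t git-daemon_tmp_t:file manage_file_perms;
allow git-daemon_t git-daemon_tmp_t:dir create_dir_perms;
files_tmp_filetrans(git-daemon_t,git-daemon_tmp_t, { file dir })

#
# Networking
#
sysnet_dns_name_resolve(git-daemon_t)

# anybody can talk to us
corenet_all_recvfrom_unlabeled(git-daemon_t)

#
# We are a TCP network server listening on git-daemon_port_t.  The git
# protocol is TCP-only, so no UDP bind/listen rules are granted; the UDP
# socket needed for DNS lookups is provided by sysnet_dns_name_resolve().
# sendrecv_all_ports is needed because the peer end of an accepted
# connection is the client's arbitrary source port.
#
allow git-daemon_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(git-daemon_t)
corenet_tcp_sendrecv_all_nodes(git-daemon_t)
corenet_tcp_sendrecv_all_ports(git-daemon_t)
corenet_tcp_bind_all_nodes(git-daemon_t)
allow git-daemon_t git-daemon_port_t:tcp_socket name_bind;
# The daemon only accepts connections and never connects to its own port,
# so no name_connect is granted.

#
# Logging
#
logging_send_syslog_msg(git-daemon_t)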
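#logging_send_audit_msgs(git-daemon_t)

#
# Read or Read/Write access to our data-files?
#
# Security note: git-daemon does no authentication of its own, so with this
# tunable on, anyone who can reach the port can modify the served
# repositories whenever receive-pack is enabled on the daemon.  Hook
# scripts are only run by receive-pack (push), so executing repository
# content is granted together with write access rather than
# unconditionally.  With the tunable on the daemon can write a file under
# git-daemon_rw_t and then execute it in its own domain — the hooks need
# this, but it is what bounds the confinement here.
#
tunable_policy(`git_daemon_update_repository',`
	manage_dirs_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
	manage_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
	manage_lnk_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
	# run the repositories' hook scripts
	exec_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
',`
	read_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
	read_lnk_files_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
	list_dirs_pattern(git-daemon_t,git-daemon_rw_t,git-daemon_rw_t)
')

# Some random data is always handy
dev_read_urand(git-daemon_t)

# Allow git to execute basic commands (git-upload-pack etc.)
corecmd_exec_bin(git-daemon_t)

#
# git-daemon needs to change uid/gid to drop privileges (--user/--group
# when started as root)
#
allow git-daemon_t self:capability { setuid setgid };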