From: domg472@gmail.com (Dominick Grift) Date: Mon, 22 Mar 2010 10:50:27 +0100 Subject: [refpolicy] [ git patch RETRY 1/1] Implement Git policy. Message-ID: <20100322095024.GA6413@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I am not sure why policy for Git daemon has not been adopted yet, but since i was merging it in my custom policy based off of refpolicy i decided to give it another go and submit it for inclusion. Signed-off-by: Dominick Grift
---
:100644 100644 3fd227b... 6b0be11... M policy/modules/roles/staff.te :100644 100644 2ed3c67... 863f7a7... M policy/modules/roles/sysadm.te :100644 100644 b0be6d2... bc2638a... M policy/modules/roles/unprivuser.te :100644 100644 2821565... 373f9c5... M policy/modules/services/git.fc :100644 100644 458aac6... 0032e07... M policy/modules/services/git.if :100644 100644 64dd65a... 593af20... M policy/modules/services/git.te :100644 100644 66788d3... bcfd52d... M policy/modules/services/inetd.te policy/modules/roles/staff.te | 4 + policy/modules/roles/sysadm.te | 4 + policy/modules/roles/unprivuser.te | 4 + policy/modules/services/git.fc | 13 +- policy/modules/services/git.if | 560 +++++++++++++++++++++++++++++++++++- policy/modules/services/git.te | 176 +++++++++++- policy/modules/services/inetd.te | 5 +- 7 files changed, 757 insertions(+), 9 deletions(-)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 3fd227b..6b0be11 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -60,6 +60,10 @@ optional_policy(`
 ')
 optional_policy(`
+ git_session_role(staff_r, staff_t)
+')
+
+optional_policy(`
 gnome_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2ed3c67..863f7a7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -186,6 +186,10 @@ optional_policy(`
 ')
 optional_policy(`
+ git_session_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 gnome_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index b0be6d2..bc2638a 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -54,6 +54,10 @@ optional_policy(`
 ')
 optional_policy(`
+ git_session_role(user_r, user_t)
+')
+
+optional_policy(`
 gnome_role(user_r, user_t)
 ')
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 2821565..373f9c5 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,10 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:git_exec_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
+
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..0032e07 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,559 @@
-## GIT revision control system
+## Git fast version control system.
+##
+##
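Review bot: In the git.fc hunk, `HOME_DIR/\.gitconfig` gets `git_session_content_t`, the same type as the exported `public_git` repositories, so every domain handed `git_read_session_content_files` (git.te gives it to `httpd_git_script_t`, i.e. gitweb) can also read each user's `~/.gitconfig`, which may hold credentials or private remote URLs; if only `git_session_t` needs that file, a dedicated type (or leaving it at the default home-content label) keeps the exported-repository type from doubling as a config label. The `/var/www/git/gitweb.cgi` entry also lacks the `--` file-type specifier used on the sibling `cgit` line, so it matches any object at that path rather than only a regular file: `/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The `/usr/libexec/git-core/git-daemon` path is layout-specific; on a distribution that installs git-core elsewhere the daemon presumably keeps the generic bin label and neither the `inetd_service_domain` nor the `domtrans_pattern` in git.if would fire, which is worth a comment next to the entry.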

+## A really simple TCP git daemon that normally listens on
+## port DEFAULT_GIT_PORT aka 9418. It waits for a
+## connection asking for a service, and will serve that
+## service if it is enabled.
+##

+##
+
+#######################################
+##
+## Role access for Git daemon session.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+## User domain for the role.
+##
+##
+#
+interface(`git_session_role',`
+ gen_require(`
+ type git_session_t, git_exec_t;
+ type git_session_content_t;
+ ')
+
+ ########################################
+ #
+ # Git daemon session shared declarations.
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Git daemon session shared policy.
+ #
+
+ domtrans_pattern($2, git_exec_t, git_session_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ manage_dirs_pattern($2, git_session_content_t, git_session_content_t)
+ manage_files_pattern($2, git_session_content_t, git_session_content_t)
+
+ relabel_dirs_pattern($2, git_session_content_t, git_session_content_t)
+ relabel_files_pattern($2, git_session_content_t, git_session_content_t)
+')
+
+########################################
+##
+## Create a set of derived types for Git
+## daemon shared repository content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`git_content_template',`
+ gen_require(`
+ attribute git_system_content;
+ attribute git_content;
+ ')
+
+ ########################################
+ #
+ # Git daemon content shared declarations.
+ #
+
+ type git_$1_content_t;
+ files_type(git_$1_content_t)
+
+ typeattribute git_$1_content_t git_system_content;
+ typeattribute git_$1_content_t git_content;
+')
+
+########################################
+##
+## Create a set of derived types for Git
+## daemon shared repository roles.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`git_role_template',`
+ gen_require(`
+ class context contains;
+ role system_r;
+ ')
+
+ ########################################
+ #
+ # Git daemon role shared declarations.
+ #
+
+ attribute $1_usertype;
+
+ type $1_t;
+ userdom_unpriv_usertype($1, $1_t)
+ domain_type($1_t)
+
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ ########################################
+ #
+ # Git daemon role shared policy.
+ #
+
+ allow $1_t self:context contains;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ corecmd_exec_bin($1_t)
+ corecmd_bin_entry_type($1_t)
+ corecmd_shell_entry_type($1_t)
+
+ domain_interactive_fd($1_t)
+ domain_user_exemption_target($1_t)
+
+ kernel_read_system_state($1_t)
+
+ files_read_etc_files($1_t)
+ files_dontaudit_search_home($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ git_rwx_generic_system_content($1_t)
+
+ ssh_rw_stream_sockets($1_t)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1_t)
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1_t)
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
+ ')
+
+ optional_policy(`
+ nscd_read_pid($1_t)
+ ')
+')
+
+#######################################
+##
+## Read, write and execute the
+## specified Git daemon content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Type of the object that access is allowed to.
+##
+##
+#
+interface(`git_content_delegation',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ exec_files_pattern($1, $2, $2)
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Manage and execute all Git daemon
+## system content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_manage_all_system_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Manage and execute all Git daemon
+## content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_rwx_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ exec_files_pattern($1, git_content, git_content)
+ manage_dirs_pattern($1, git_content, git_content)
+ manage_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Manage and execute all Git daemon
+## system content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_rwx_all_system_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ exec_files_pattern($1, git_system_content, git_system_content)
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Manage and execute Git daemon
+## generic system content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_rwx_generic_system_content',`
+ gen_require(`
+ type git_system_content_t;
+ ')
+
+ exec_files_pattern($1, git_system_content_t, git_system_content_t)
+ manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ manage_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Read all Git daemon content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_read_all_content_files',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Read Git daemon session content
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+')
+
+########################################
+##
+## Read all Git daemon system content
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_read_all_system_content_files',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ list_dirs_pattern($1, git_system_content, git_system_content)
+ read_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Read Git daemon generic system
+## content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_read_generic_system_content_files',`
+ gen_require(`
+ type git_system_content_t;
+ ')
+
+ list_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ read_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+##
+## Relabel all Git daemon content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_relabel_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ relabel_dirs_pattern($1, git_content, git_content)
+ relabel_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Relabel all Git daemon system
+## content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_relabel_all_system_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ relabel_dirs_pattern($1, git_system_content, git_system_content)
+ relabel_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Relabel Git daemon generic system
+## content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_relabel_generic_system_content',`
+ gen_require(`
+ type git_system_content_t;
+ ')
+
+ relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ relabel_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Relabel Git daemon session content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_relabel_session_content',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ relabel_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 64dd65a..593af20 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,9 +1,179 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.0)
 ########################################
 #
-# Declarations
+# Git daemon global private declarations.
 #
-apache_content_template(git)
+attribute git_domains;
+attribute git_content;
+
+type git_exec_t;
+
+########################################
+#
+# Git daemon system private declarations.
+#
+
+##
+##
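Review bot: The `git_system_use_cifs`/`git_system_use_nfs` branches in `git_content_delegation`, the `git_rwx_*`, `git_manage_*` and `git_read_*` interfaces, and `git_role_template` grant `fs_exec_cifs_files`/`fs_manage_cifs_files` (and the nfs equivalents), which are filesystem-wide rather than scoped to git content, so turning either boolean on to host repositories on a share hands every caller of these interfaces manage-and-execute over everything mounted via CIFS/NFS. That is the usual refpolicy approach to unlabeled network filesystems, but the tunable descriptions in git.te only say "access cifs file systems"; they should state the real scope, e.g. `## Allow Git daemon system to read, write and execute all files on cifs file systems (for repositories hosted on cifs).` Two smaller points: the summary of `git_manage_all_system_content` reads "Manage and execute" yet, unlike its `git_rwx_*` siblings, its body has no `exec_files_pattern`, so either the summary or the body needs to change; and `git_content_template`/`git_role_template` are declared but nothing in this patch instantiates them, so they ship unexercised, and the `allow system_r $1_r;` and `allow $1_t self:context contains;` lines in the role template deserve a comment explaining why a repository role needs them.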

+## Allow Git daemon system to search
+## home directories.

+##
+gen_tunable(git_system_enable_homedirs, false)
+
+##
+##

+## Allow Git daemon system to access
+## cifs file systems.

+##
+gen_tunable(git_system_use_cifs, false)
+
+##
+##

+## Allow Git daemon system to access
+## nfs file systems.

+##
+gen_tunable(git_system_use_nfs, false)
+
+attribute git_system_content;
+
+type git_system_t, git_domains;
+inetd_service_domain(git_system_t, git_exec_t)
+role system_r types git_system_t;
+
+type git_system_content_t, git_system_content, git_content;
+files_type(git_system_content_t)
+
+########################################
+#
+# Git daemon session private declarations.
+#
+
+##
+##

+## Allow Git daemon session to bind
+## tcp sockets to all unreserved ports.

+##
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type git_session_t, git_domains;
+application_domain(git_session_t, git_exec_t)
+ubac_constrained(git_session_t)
+
+type git_session_content_t, git_content; # Customizable type
+userdom_user_home_content(git_session_content_t)
+
+########################################
+#
+# Cgi Git personal declarations.
+#
+
+optional_policy(`
+ apache_content_template(git)
+ git_read_session_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow git_domains self:fifo_file rw_fifo_file_perms;
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
+allow git_domains self:tcp_socket create_stream_socket_perms;
+allow git_domains self:udp_socket create_socket_perms;
+allow git_domains self:unix_dgram_socket create_socket_perms;
+
+corenet_all_recvfrom_netlabel(git_domains)
+corenet_all_recvfrom_unlabeled(git_domains)
+corenet_sendrecv_git_server_packets(git_domains)
+corenet_tcp_bind_generic_node(git_domains)
+corenet_tcp_bind_git_port(git_domains)
+corenet_tcp_sendrecv_generic_if(git_domains)
+corenet_tcp_sendrecv_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_port(git_domains)
+
+corecmd_exec_bin(git_domains)
+
+kernel_read_system_state(git_domains)
+
+files_read_etc_files(git_domains)
+files_read_usr_files(git_domains)
+
+fs_search_auto_mountpoints(git_domains)
+
+logging_send_syslog_msg(git_domains)
+
+miscfiles_read_localization(git_domains)
+
+sysnet_read_config(git_domains)
+
+optional_policy(`
+ nis_use_ypbind(git_domains)
+')
+
+########################################
+#
+# Git daemon system repository private policy.
+#
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git daemon session repository private policy.
+#
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 66788d3..bcfd52d 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
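Review bot: `list_dirs_pattern`/`read_files_pattern(git_system_t, git_content, git_content)` at the top of the system repository policy are unconditional, and `git_content` includes `git_session_content_t` (declared `type git_session_content_t, git_content;` earlier in this hunk), so the inetd-spawned daemon may read users' home-directory repositories regardless of `git_system_enable_homedirs`; that boolean only withholds `userdom_search_user_home_dirs`, which blocks the walk through `HOME_DIR` but not access to session-labeled content reachable by another path (a bind mount, or a mislabeled tree under /var/lib/git). Changing the two unconditional rules to use `git_system_content` and adding `list_dirs_pattern(git_system_t, git_session_content_t, git_session_content_t)` plus `read_files_pattern(git_system_t, git_session_content_t, git_session_content_t)` inside the `git_system_enable_homedirs` block makes the boolean mean what its description says. It would also help to note in the `git_session_bind_all_unreserved_ports` description that the default already lets a user's daemon bind 9418, since `corenet_tcp_bind_git_port(git_domains)` is on the shared attribute.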
@@ -88,6 +88,8 @@ corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)
 corenet_tcp_bind_ftp_port(inetd_t)
 corenet_udp_bind_ftp_port(inetd_t)
+corenet_tcp_bind_git_port(inetd_t)
+corenet_udp_bind_git_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_inetd_child_port(inetd_t)
 corenet_tcp_bind_ircd_port(inetd_t)
@@ -104,8 +106,6 @@ corenet_udp_bind_swat_port(inetd_t)
 corenet_tcp_bind_telnetd_port(inetd_t)
 corenet_udp_bind_tftp_port(inetd_t)
 corenet_tcp_bind_ssh_port(inetd_t)
-corenet_tcp_bind_git_port(inetd_t)
-corenet_udp_bind_git_port(inetd_t)
 # service port packets:
 corenet_sendrecv_amanda_server_packets(inetd_t)
@@ -113,6 +113,7 @@ corenet_sendrecv_auth_server_packets(inetd_t)
 corenet_sendrecv_comsat_server_packets(inetd_t)
 corenet_sendrecv_dbskkd_server_packets(inetd_t)
 corenet_sendrecv_ftp_server_packets(inetd_t)
+corenet_sendrecv_git_server_packets(inetd_t)
 corenet_sendrecv_inetd_child_server_packets(inetd_t)
 corenet_sendrecv_ircd_server_packets(inetd_t)
 corenet_sendrecv_ktalkd_server_packets(inetd_t)
-- 1.7.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100322/d844e94c/attachment-0001.bin