From: domg472@gmail.com (Dominick Grift)
Date: Tue, 23 Aug 2011 00:45:06 +0200
Subject: [refpolicy] [ v2 Git patch 1/1] Initial Git daemon domain.
Modify git_selinux.8
In-Reply-To: <20110822212356.GA23190@localhost.localdomain>
References: <20110822212356.GA23190@localhost.localdomain>
Message-ID: <20110822224505.GA16200@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
So let's walk through/review this patch. This patch is not as big as it seems.
Comments inline:
> diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
Man page was already merged into refpolicy. I just modified it to reflect the changes I made. The man page should speak for itself.
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..addc3ad 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -27,6 +27,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(staff_r, staff_t)
> +')
> +
> +optional_policy(`
When staff_u:staff_r:staff_t runs /usr/libexec/git-core/git-daemon (gitd_exec_t), it domain transitions to git_session_t (Git session daemon).
One can run git-daemon as an unprivileged user to host personal repositories (e.g. ~/public_git).
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 0f96353..58eb890 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -148,6 +148,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
Same as above but for sysadm_t
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 7e9da77..46d24e3 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -17,6 +17,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_session_role_template(user_r, user_t)
> +')
> +
> +optional_policy(`
Same as above but for user_t
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 54f0737..1b38b13 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,13 @@
> -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
This is the location for personal git repositories (git_session_content)
> +/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
Alternate location for shared git repository (git_system_content)
> +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
The Git daemon executable file (gitd_exec_t)
> +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
Cgit cgi script cache location.
> +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
Default location for Git shared repositories as configured by /etc/xinetd.d/git
> /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
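Review bot: the new /var/www/git/gitweb.cgi entry carries no file-type field, while the /var/www/cgi-bin/cgit entry two lines above and the git-daemon entry earlier in this hunk use "--"; add "--" here as well so the CGI script entry only matches a regular file and the three executable entries are consistent.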
gitweb and cgit CGI executable files and content.
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..b9e4a98 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,565 @@
> -## GIT revision control system
> +## Fast Version Control System.
> +
> +########################################
> +##
> +## Role access for Git session daemon.
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +##
> +## User domain for the role.
> +##
> +##
> +#
> +template(`git_session_role_template',`
> + gen_require(`
> + type git_session_t, gitd_exec_t, git_session_content_t;
> + ')
> +
> + ########################################
> + #
> + # Git session daemon shared declarations.
> + #
> +
> + role $1 types git_session_t;
> +
> + ########################################
> + #
> + # Git session daemon shared policy.
> + #
> +
> + domtrans_pattern($2, gitd_exec_t, git_session_t)
> +
> + allow $2 git_session_t:process { ptrace signal_perms };
> + ps_process_pattern($2, git_session_t)
> +
> + allow $2 git_session_content_t:dir { manage_dir_perms relabel_dir_perms };
> + allow $2 git_session_content_t:file { manage_file_perms relabel_file_perms };
> +')
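Review bot: "allow $2 git_session_t:process { ptrace signal_perms };" hands every user domain that calls this template ptrace over its git-daemon process. The stated purpose (ps, top, kill, Ctrl-C) is already covered by signal_perms together with ps_process_pattern($2, git_session_t); drop ptrace unless a debugging use case actually needs it.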
This is the Git session daemon role template. It allows the caller's role the git_session_t domain, allows the caller to domain transition to git_session_t, and allows the caller to manage and ps the git_session_t process (ps, top, kill, Ctrl-C, etc.).
Currently called by user_t, staff_t, sysadm_t. Other policy is shared with git_system_t using the git_daemon attribute in git.te.
> +########################################
> +##
> +## Make the specified type a usable
> +## Git shared repository content
> +## file type.
> +##
> +##
> +##
> +## Type to be made usable.
> +##
> +##
> +##
> +#
> +interface(`git_shared_repository_files_type',`
> + gen_require(`
> + attribute git_system_content, git_content;
> + ')
> +
> + typeattribute $1 git_system_content;
> + typeattribute $1 git_content;
> + files_type($1)
> +')
This interface allows one to create new Git shared repository types. It expects a type and makes that type usable Git system content and Git content (all Git repository content is git_content, both shared and personal, but only shared repository content is git_system_content). This distinction is made because there is only one personal repository content type (git_session_content_t) but there can be infinitely many Git shared repository content types.
> +#######################################
> +##
> +## Template for creating Git users.
> +##
> +##
> +##
> +## Prefix of the user domain.
> +##
> +##
> +##
> +#
> +template(`git_user_template',`
> + gen_require(`
> + attribute unpriv_userdomain, userdomain;
> + class context contains;
> + role system_r;
> + ')
> +
> + ########################################
> + #
> + # Git daemon role shared declarations.
> + #
> +
> + type $1_t, unpriv_userdomain, userdomain;
> + domain_type($1_t)
> + ubac_constrained($1_t)
> + role $1_r;
> + role $1_r types $1_t;
> + allow system_r $1_r;
> +
> + ########################################
> + #
> + # Git daemon role shared policy.
> + #
> +
> + allow $1_t self:context contains;
> + allow $1_t self:fifo_file rw_fifo_file_perms;
> +
> + kernel_read_system_state($1_t)
> +
> + corecmd_exec_bin($1_t)
> + corecmd_bin_entry_type($1_t)
> + corecmd_shell_entry_type($1_t)
> +
> + domain_interactive_fd($1_t)
> + domain_user_exemption_target($1_t)
> +
> + files_dontaudit_search_home($1_t)
> +
> + auth_use_nsswitch($1_t)
> +
> + miscfiles_read_localization($1_t)
> +
> + git_exec_generic_sys_content($1_t)
> + git_manage_generic_sys_content($1_t)
> +
> + ssh_rw_stream_sockets($1_t)
> +
> + # If you forget to set the git user login shell to git-shell,
> + # then bash will be looking for .bashrc, but this access is not required
> + # and it is not desired.
> + userdom_dontaudit_search_user_home_dirs($1_t)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1_t)
> + fs_manage_cifs_dirs($1_t)
> + fs_manage_cifs_files($1_t)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1_t)
> + fs_manage_nfs_dirs($1_t)
> + fs_manage_nfs_files($1_t)
> + ')
> +')
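Review bot: ssh_rw_stream_sockets($1_t) is called unconditionally inside the template, so a module that uses it cannot be linked on a system without the ssh module loaded; wrap that call in optional_policy(`...') like the other cross-module calls in this patch (the automount call in git.te already does this).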
The git user template. This is a user domain/role for git users. It should be used together with git-shell (usually /usr/bin/git-shell, shell_exec_t). This user doesn't have access to the home dir and doesn't need a pty. All it needs is access to generic shared repository content (git_sys_content_t). Its access to other possible shared repository types can be extended by calling git_manage_spec_sys_content() together with git_exec_spec_sys_content(). Git users need to be able to manage (read/write) and execute Git shared repositories that they are allowed to access.
The exec_spec_sys_content is for the git hooks. They need to be executed by git users. But currently there is no way for me to differentiate between hooks and other shared repository content. So when push comes to shove, git users can execute shared repository content.
> +#######################################
> +##
> +## Execute specified Git daemon
> +## shared repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Git shared repository file type to be allowed.
> +##
> +##
> +#
> +interface(`git_exec_spec_sys_content',`
> + gen_require(`
> + type $1, $2;
> + ')
> +
> + exec_files_pattern($1, $2, $2)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
Allows the calling git user domain to execute the specified Git shared repository content type.
> +#######################################
> +##
> +## Create, read, write, and delete
> +## specified Git daemon shared
> +## repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Git shared repository file type to be allowed.
> +##
> +##
> +#
> +interface(`git_manage_spec_sys_content',`
> + gen_require(`
> + type $1, $2;
> + ')
> +
> + manage_dirs_pattern($1, $2, $2)
> + manage_files_pattern($1, $2, $2)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
Allows the calling git user to manage the specified Git shared repository content type (note: shared repositories are in either /srv/git or /var/lib/git, hence the files_search_var_lib). Also NFS/CIFS support.
> +########################################
> +##
> +## Execute all Git daemon
> +## repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_exec_all_content',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + exec_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_exec_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
This is currently unused but good to have, if you create many shared repository types plus the single personal repository type. Maybe useful for some future git administration functionality.
> +########################################
> +##
> +## Create, read, write, and delete
> +## all Git daemon repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_manage_all_content',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + manage_dirs_pattern($1, git_content, git_content)
> + manage_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
Same as above except manage instead of exec. Manage and exec go hand in hand. In theory I could have combined the two, but I decided to keep them separate, as git_rwx_all_sys_content looks weird.
> +########################################
> +##
> +## Execute all Git daemon
> +## shared repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_exec_all_sys_content',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + exec_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
This is also currently unused but even more useful than the ones above. Since this can also be used by git user domains that may need access to any shared repository available or to be created.
> +
> +########################################
> +##
> +## Create, read, write, and delete
> +## all Git daemon shared
> +## repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_manage_all_sys_content',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + manage_dirs_pattern($1, git_system_content, git_system_content)
> + manage_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
Same as above but manage instead of exec (manage and exec go hand in hand).
> +########################################
> +##
> +## Execute Git daemon generic shared
> +## repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_exec_generic_sys_content',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_exec_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_exec_nfs_files($1)
> + ')
> +')
Basically useless except that we call it in the git user template above. All git users have access to generic shared repositories.
> +########################################
> +##
> +## Create, read, write, and delete
> +## Git daemon generic shared
> +## repository content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_manage_generic_sys_content',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> + manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + ')
> +')
This is basically useless except that we call it in the git user template. All git users have access to generic shared repositories.
> +########################################
> +##
> +## Read all Git daemon repository
> +## content files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_read_all_content_files',`
> + gen_require(`
> + attribute git_content;
> + ')
> +
> + list_dirs_pattern($1, git_content, git_content)
> + read_files_pattern($1, git_content, git_content)
> + userdom_search_user_home_dirs($1)
> + files_search_var_lib($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
This is used by the cgit and gitweb CGI scripts.
Httpd would in theory also be able to use this for "dumb" repository hosting (git clone http://domain.tld/repo.git), but this interface allows the caller to search user home dirs; thus it would break the httpd_enable_homedirs boolean if we called it for httpd_t.
> +########################################
> +##
> +## Read Git daemon personal repository
> +## content files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_read_session_content_files',`
> + gen_require(`
> + type git_session_content_t;
> + ')
> +
> + list_dirs_pattern($1, git_session_content_t, git_session_content_t)
> + read_files_pattern($1, git_session_content_t, git_session_content_t)
> + userdom_search_user_home_dirs($1)
> +
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +')
Basically same as above but only for personal repositories (~/public_git) Currently useless.
> +#######################################
> +##
> +## Do not audit attempts to read
> +## generic personal repository
> +## content files.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`git_dontaudit_read_session_content_files',`
> + gen_require(`
> + type git_session_content_t;
> + ')
> +
> + dontaudit $1 git_session_content_t:file read_file_perms;
> +')
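Review bot: nothing in this patch calls git_dontaudit_read_session_content_files, and with ~/.gitconfig no longer labelled git_session_content_t there is no obvious caller left; either drop the interface now or note in the commit message which domain it is kept for.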
Not sure what this is for. I inherited this from Fedora and I actually suspect this can be removed.
In Fedora we labelled ~/.gitconfig and ~/.gitadliases git_session_content_t, which is wrong. These files should be just generic user home content (this is corrected in this patch); git daemons do not need to interact with these two files.
> +########################################
> +##
> +## Read all Git daemon shared
> +## repository content files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_read_all_sys_content_files',`
> + gen_require(`
> + attribute git_system_content;
> + ')
> +
> + list_dirs_pattern($1, git_system_content, git_system_content)
> + read_files_pattern($1, git_system_content, git_system_content)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
This one is also potentially handy for httpd dumb shared repository hosting. This excludes access to personal repositories.
Currently unused.
> +########################################
> +##
> +## Read Git daemon generic shared
> +## repository content files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`git_read_generic_sys_content_files',`
> + gen_require(`
> + type git_sys_content_t;
> + ')
> +
> + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
> + read_files_pattern($1, git_sys_content_t, git_sys_content_t)
> + files_search_var_lib($1)
> +
> + tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs($1)
> + fs_read_cifs_files($1)
> + ')
> +
> + tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs($1)
> + fs_read_nfs_files($1)
> + ')
> +')
Same as above, but this excludes shared repository content (only read access to personal repositories).
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7382f85..86a207a 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -2,7 +2,186 @@ policy_module(git, 1.0)
>
> ########################################
> #
> -# Declarations
> +# Git daemon global private declarations.
> #
>
> -apache_content_template(git)
> +attribute git_daemon;
> +attribute git_content;
> +
> +type gitd_exec_t;
These declarations apply to both git_system_t and git_session_t.
The git_daemon domain attribute is assigned to both domains. We did this because git_system_t and git_session_t are to a large extent the same. The difference is that git_system_t is run by inetd and git_session_t is run by user domains.
By sharing whatever policy possible we can make the policy more compact.
The git_content attribute is assigned to any Git repository content, whether it's shared or personal.
gitd_exec_t is the type of /usr/libexec/git-core/git-daemon; it is the entry file to both git_system_t and git_session_t (depending on who runs it).
> +########################################
> +#
> +# Git system daemon private declarations.
> +#
> +
> +##
> +##
> +## Determine whether Git system daemon
> +## can search home directories.
> +##
> +##
> +gen_tunable(git_system_enable_homedirs, false)
Boolean specific to git_system_t. This allows git_system_t to traverse /home and /home/$USER, so that it can get to the personal repositories at ~/public_git. If it's set to off then git_system_t cannot host personal repositories.
It's kind of like httpd_enable_homedirs.
> +##
> +##
> +## Determine whether Git system daemon
> +## can access cifs file systems.
> +##
> +##
> +gen_tunable(git_system_use_cifs, false)
git_system_t CIFS support. One may have shared repositories located on CIFS shares.
> +##
> +##
> +## Determine whether Git system daemon
> +## can access nfs file systems.
> +##
> +##
> +gen_tunable(git_system_use_nfs, false)
Same as above but for NFS.
> +attribute git_system_content;
This attribute is assigned to any shared repository content type. It allows us to differentiate between shared and personal repository content, and it allows easy access to all shared repositories.
> +type git_system_t, git_daemon;
> +inetd_service_domain(git_system_t, gitd_exec_t)
The git_system_t domain (a Git daemon).
It's run by inetd; no need to allow the system_r role the git_system_t domain, as inetd_service_domain already provides this.
> +type git_sys_content_t;
> +git_shared_repository_files_type(git_sys_content_t)
The default shared repository type (kind of like a fallback for shared repositories); compare it to httpd_sys_content_t.
/var/lib/git and /srv/git are labelled with this type. By default any shared repositories there inherit this type.
We're making it usable by calling git_shared_repository_files_type, defined in git.if. Basically it makes the calling type a files_type() and assigns the git_system_content and git_content attributes to the type, to classify this type as Git content and Git shared repository content.
> +########################################
> +#
> +# Git session daemon private declarations.
> +#
> +
> +##
> +##
> +## Determine whether Git session daemons
> +## can bind tcp sockets to all unreserved ports.
> +##
> +##
> +gen_tunable(git_session_bind_all_unreserved_ports, false)
This is specific to git_session_t (git-daemon run by users). git-daemon itself just allows clients to clone repositories. It's pretty harmless. In mass hosting environments, one may want to allow shell users to host personal repositories. Considering that there may be many shell users and only one git port (tcp 9418), the owner may want to allow the Git session daemon to listen on any unreserved port.
> +type git_session_t, git_daemon;
> +application_domain(git_session_t, gitd_exec_t)
> +ubac_constrained(git_session_t)
git_session_t: git-daemon run by users, a Git daemon.
Application domain because it's run by user domains; runs as the user, so ubac constrained.
> +type git_session_content_t, git_content;
> +userdom_user_home_content(git_session_content_t)
git_session_content_t is the sole type for personal repositories (~/public_git).
It is userdom_user_home_content (ubac constrained).
It is also git_content, because any and all Git repository content is git_content; this includes personal repository content.
> +########################################
> +#
> +# Git daemon global private policy.
> +#
> +
> +allow git_daemon self:fifo_file rw_fifo_file_perms;
> +allow git_daemon self:unix_dgram_socket create_socket_perms;
> +
> +kernel_read_system_state(git_daemon)
> +
> +corecmd_exec_bin(git_daemon)
> +
> +files_read_usr_files(git_daemon)
> +
> +fs_search_auto_mountpoints(git_daemon)
> +
> +auth_use_nsswitch(git_daemon)
> +
> +logging_send_syslog_msg(git_daemon)
> +
> +miscfiles_read_localization(git_daemon)
> +
> +optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(git_daemon)
> ")
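Review bot: the optional_policy block around automount_dontaudit_getattr_tmp_dirs(git_daemon) is closed with ") instead of '), which leaves the m4 quote unbalanced and breaks the build of git.te; change the closing line to ') as every other block in this file does.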
The above is policy that both git_system_t and git_session_t have in common.
It's pretty straightforward, nothing special here. Both system and session can use syslog, use nsswitch, etc.
We used the git_daemon attribute to keep the policy compact; no need to call it for system and session separately.
> +########################################
> +#
> +# Git system daemon private policy.
> +#
> +
> +list_dirs_pattern(git_system_t, git_content, git_content)
> +read_files_pattern(git_system_t, git_content, git_content)
> +files_search_var_lib(git_system_t)
This policy is specific to git_system_t. Only git_system_t should be allowed to read any repository content, whether shared or personal...
> +tunable_policy(`git_system_enable_homedirs',`
> + userdom_search_user_home_dirs(git_system_t)
> +')
... of course, whether it can read personal repository content depends on how the boolean above is toggled. If it can't get to personal repositories, it can't read them either.
> +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> + fs_list_nfs(git_system_t)
> + fs_read_nfs_files(git_system_t)
> +')
NFS home dir support, boring.
> +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> + fs_list_cifs(git_system_t)
> + fs_read_cifs_files(git_system_t)
> +')
Same as above but CIFS.
> +tunable_policy(`git_system_use_cifs',`
> + fs_list_cifs(git_system_t)
> + fs_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_nfs',`
> + fs_list_nfs(git_system_t)
> + fs_read_nfs_files(git_system_t)
> +')
NFS, CIFS support for shared repositories.
> +########################################
> +#
> +# Git session daemon private policy.
> +#
> +
> +allow git_session_t self:tcp_socket { accept listen };
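Review bot: "allow git_session_t self:tcp_socket { accept listen };" leaves out create, bind, read, write, getattr and setopt, and none of the corenet_tcp_* calls that follow grant self:tcp_socket permissions (they cover node_t, netif_t and the port types). A daemon that opens its own listening socket needs the full set; use create_stream_socket_perms, which already includes accept and listen.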
This is specific to git_session_t. The above is interesting. Since git_system_t is an inetd domain, it does actually listen on the git port itself (inetd handles the network connections and spawns git_system_t whenever a client needs service).
git_session_t however is run by users, and so it needs to listen on tcp_sockets.
> +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
> +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
> +userdom_search_user_home_dirs(git_session_t)
git_session_t can only read personal repository content.
> +corenet_all_recvfrom_netlabel(git_session_t)
> +corenet_all_recvfrom_unlabeled(git_session_t)
> +corenet_tcp_bind_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_if(git_session_t)
> +corenet_tcp_sendrecv_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_port(git_session_t)
> +corenet_tcp_bind_git_port(git_session_t)
> +corenet_tcp_sendrecv_git_port(git_session_t)
> +corenet_sendrecv_git_server_packets(git_session_t)
git_session_t needs to be able to network and bind a tcp socket to the git port by default.
inetd handles networking for git_system_t.
> +userdom_use_user_terminals(git_session_t)
git_session_t can log to the user terminal (it outputs there by default when a user runs /usr/libexec/git-core/git-daemon).
> +
> +tunable_policy(`git_session_bind_all_unreserved_ports',`
> + corenet_tcp_bind_all_unreserved_ports(git_session_t)
> + corenet_tcp_sendrecv_all_ports(git_session_t)
> + corenet_sendrecv_generic_server_packets(git_session_t)
> +')
This is for mass hosting of personal Git repositories. It allows the Git session daemon to bind tcp sockets to any unreserved port, as opposed to only the default git port.
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_list_nfs(git_session_t)
> + fs_read_nfs_files(git_session_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_list_cifs(git_session_t)
> + fs_read_cifs_files(git_session_t)
> +')
NFS / CIFS home dir support.
> +########################################
> +#
> +# Git CGI domain private policy.
> +#
> +
> +optional_policy(`
> + apache_content_template(git)
> + git_read_all_content_files(httpd_git_script_t)
> + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> + auth_use_nsswitch(httpd_git_script_t)
> +')
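Review bot: git_read_all_content_files(httpd_git_script_t) gives the CGI domain an unconditional userdom_search_user_home_dirs() (see the interface body in git.if), so cgit and gitweb can reach ~/public_git whether or not the administrator wants home directory repositories exposed; consider tying the personal repository part of the CGI access to a boolean, the way git_system_enable_homedirs gates it for git_system_t above.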
cgit and gitweb are apache CGI domains. They need to be able to read any repository content (git_content).
> +########################################
> +#
> +# Git system user private policy.
> +#
> +
> +git_user_template(git_shell)
> +gen_user(git_shell_u, user, git_shell_r, s0, s0)
The default git user (git_shell_u) has access to generic shared repositories.
A very basic domain but enough for most use cases. If one has some advanced git hook that requires extensive user access, then one is advised to create one's own git user using git_user_template and extend that to one's needs (see man git_selinux for directions).
Add a SELinux user mapping by default. We want to keep the entrance barrier low; it's there, so just "useradd -Z git_shell_u joe".
> --
> 1.7.1
>
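An added example, not part of this mail or of the refpolicy patch, of the site-specific module the last comment points at: a second shared repository type created with git_shared_repository_files_type, a dedicated git user domain built with git_user_template, and the two spec interfaces used to widen that user's access beyond the generic git_sys_content_t. The module name mygit, the git_project_* names and the path /srv/project_git are assumptions chosen for the example; only the interface and macro names come from the patch.

```selinux
# mygit.te -- added example, not part of the refpolicy patch under review.
# Declares a second shared repository type and a dedicated git user domain
# that may manage and run hooks in it, on top of the generic git_sys_content_t
# access every git user already gets from git_user_template.
# All names below (mygit, git_project_*, /srv/project_git) are hypothetical.

policy_module(mygit, 1.0)

########################################
#
# Declarations
#

# Shared repository content type for the "project" repositories.
# git_shared_repository_files_type() marks it git_system_content and
# git_content, so git_system_t and the cgit/gitweb CGI domain can read it
# through the *_all_* and *_all_sys_* interfaces without further rules.
type git_project_content_t;
git_shared_repository_files_type(git_project_content_t)

# User domain/role git_project_t / git_project_r for git-shell logins,
# plus a SELinux user to map Linux accounts to (useradd -Z git_project_u).
git_user_template(git_project)
gen_user(git_project_u, user, git_project_r, s0, s0)

########################################
#
# Git project user local policy
#

# Extend the git user beyond git_sys_content_t: manage the project
# repositories and execute their hooks. Both interfaces also carry the
# git_system_use_cifs / git_system_use_nfs tunables, so repositories on
# network file systems keep working when those booleans are on.
git_manage_spec_sys_content(git_project_t, git_project_content_t)
git_exec_spec_sys_content(git_project_t, git_project_content_t)

# mygit.fc -- label the project repository tree. The spec interfaces call
# files_search_var_lib(), which per the patch author covers the /srv/git
# and /var/lib/git parents, so no extra search rule is needed here.
/srv/project_git(/.*)?	gen_context(system_u:object_r:git_project_content_t,s0)
```

With the git module from the patch loaded, the usual cycle applies: build the module, load it with semodule -i mygit.pp, run restorecon -R /srv/project_git so the tree picks up git_project_content_t, and create accounts with useradd -Z git_project_u as the mail shows for git_shell_u. A login in git_project_t then has read/write and hook execution on /srv/project_git and on the generic repositories under /var/lib/git and /srv/git, and nothing on other sites' git_system_content types unless another pair of spec calls grants it.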