From: domg472@gmail.com (Dominick Grift)
Date: Tue, 23 Aug 2011 18:35:12 +0200
Subject: [refpolicy] [ PATCH 7/8] Git session daemons binding TCP sockets to unreserved ports
In-Reply-To: <1314117313-24421-1-git-send-email-domg472@gmail.com>
References: <1314117313-24421-1-git-send-email-domg472@gmail.com>
Message-ID: <1314117313-24421-8-git-send-email-domg472@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Assume you own this big shell hosting company and you want to allow your customers to be able to serve their Git personal repositories to their discretion. You might end up with hundreds of instances of Git session daemons. They cannot all bind TCP sockets to a single Git port. This functionality allows the administrator to tune the policy to allow Git session daemons to bind TCP sockets to any unreserved port.

Signed-off-by: Dominick Grift
---
:100644 100644 47900be... c086a69... M policy/modules/services/git.te
 policy/modules/services/git.te | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 47900be..c086a69 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -15,6 +15,14 @@ type gitd_exec_t;
 # Git session daemon declarations
 #
+##
+##

+## Determine whether Git session daemons
+## can bind tcp sockets to all unreserved ports.
+##

+##
+gen_tunable(git_session_tcp_bind_all_unreserved_ports, false)
+
 type git_session_t, git_daemon;
 application_domain(git_session_t, gitd_exec_t)
 ubac_constrained(git_session_t)
@@ -101,6 +109,12 @@ corenet_sendrecv_git_server_packets(git_session_t)
 userdom_use_user_terminals(git_session_t)
+tunable_policy(`git_session_tcp_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files(git_session_t)
 ',`
-- 
1.7.1
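Review bot: The tunable description at `## Determine whether Git session daemons` / `## can bind tcp sockets to all unreserved ports.` states what is permitted but not the trade-off an administrator needs before flipping it: the boolean is policy-wide, so once enabled every user's git_session_t instance may name_bind any port labelled as unreserved, and nothing in this policy distinguishes one customer's daemon from another's when they compete for the same port. I would add a sentence to the description such as `## This applies to the git session daemons of all users, so port-based separation between them is lost.` so the consequence is documented next to the switch. The rendering here has stripped the tags that normally wrap these `##` lines, leaving bare `+##` lines; I assume the actual patch carries them, but that is worth confirming before merge.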
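Review bot: The sendrecv grant inside the new tunable_policy block is wider than the bind grant it accompanies: `corenet_tcp_bind_all_unreserved_ports(git_session_t)` is scoped to unreserved ports, but `corenet_tcp_sendrecv_all_ports(git_session_t)` covers every labelled port type, reserved ones included. The daemon only needs to exchange traffic on the port it bound, so if corenetwork offers a sendrecv interface limited to unreserved ports (I cannot confirm the interface name from this hunk) it should replace the all-ports call; if none exists, a comment such as `# no unreserved-only sendrecv interface; all-ports grant is deliberate` would record why the broader permission was chosen. The surrounding section continues past the hunk into the existing `use_nfs_home_dirs` block.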