From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Aug 2011 14:35:39 +0200
Subject: [refpolicy] [v3 PATCH 1/8] Git inetd service domain and a primary Git shared repository type
In-Reply-To: <1314189346-10866-1-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com>
Message-ID: <1314189346-10866-2-git-send-email-domg472@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Create a Git inetd service domain and create a primary shared repository file type.

Quote from the Git daemon manual page: "git-daemon - A really simple server for git repositories". This really is no joke.

This policy allows the Git inetd service domain to read and serve Git shared repositories located in /var/lib/git.

This implementation allows administrators to tune the policy to allow the Git inetd service domain to read and serve Git shared repositories on NFS and/or CIFS shares.

Signed-off-by: Dominick Grift
---
:100644 100644 54f0737... 164d2bf... M policy/modules/services/git.fc
:100644 100644 7382f85... 7766253... M policy/modules/services/git.te
 policy/modules/services/git.fc | 6 +++-
 policy/modules/services/git.te | 64 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc index 54f0737..164d2bf 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc @@ -1,3 +1,7 @@ +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) + /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te index 7382f85..7766253 100644 
--- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te @@ -5,4 +5,68 @@ policy_module(git, 1.0) # Declarations # +## +##

+## Determine whether Git daemon +## can access cifs file systems. +##

+##
+gen_tunable(gitd_use_cifs, false) + +## +##

+## Determine whether Git daemon +## can access nfs file systems. +##

+##
+gen_tunable(gitd_use_nfs, false) + +type gitd_t; +type gitd_exec_t; +inetd_service_domain(gitd_t, gitd_exec_t) + +type git_sys_content_t; +files_type(git_sys_content_t) + +######################################## +# +# Local policy +# + +allow gitd_t self:fifo_file rw_fifo_file_perms; +allow gitd_t self:unix_dgram_socket create_socket_perms; + +list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t) +read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t) +files_search_var_lib(gitd_t) + +kernel_read_system_state(gitd_t) + +corecmd_exec_bin(gitd_t) + +files_read_usr_files(gitd_t) + +auth_use_nsswitch(gitd_t) + +logging_send_syslog_msg(gitd_t) + +miscfiles_read_localization(gitd_t) + +tunable_policy(`gitd_use_cifs',` + fs_read_cifs_files(gitd_t) +',` + fs_dontaudit_read_cifs_files(gitd_t) +') + +tunable_policy(`gitd_use_nfs',` + fs_read_nfs_files(gitd_t) +',` + fs_dontaudit_read_nfs_files(gitd_t) +') + +######################################## +# +# Git apache CGI domain +# + apache_content_template(git) -- 1.7.1
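Review bot: the git.fc hunk relabels /var/lib/git from httpd_git_content_t to git_sys_content_t, but nothing in this patch grants the Apache git CGI domain created by apache_content_template(git) any access to git_sys_content_t, and the diffstat lists no git.if change adding an interface for the new type, so a cgit deployment serving repositories out of /var/lib/git loses read access as soon as the filesystem is relabelled. Either add that access here or say in the commit message that a later patch in the series restores it. A smaller point on the same hunk: the only daemon path labelled gitd_exec_t is /usr/libexec/git-core/git-daemon, so a git-daemon binary installed under a different layout keeps its generic label and never enters gitd_t; worth a comment or an extra entry.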
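Review bot: the hunk context shows policy_module(git, 1.0) left unchanged although the module gains a new domain (gitd_t), a new file type (git_sys_content_t) and two tunables; refpolicy expects the module version to be bumped in the same patch (1.1 here). Related to the new type: git_sys_content_t is declared with files_type() but no read interface is added in git.if, so other modules that need the shared repositories (the Apache git CGI domain in this same file being the obvious one) have no supported way to get to them short of referencing the type directly. The tunable_policy blocks themselves look right, with fs_read_cifs_files/fs_read_nfs_files paired against the matching dontaudit interfaces in the else branches.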