From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Aug 2011 14:35:39 +0200
Subject: [refpolicy] [ v3 PATCH 1/8] Git inetd service domain and a primage
	Git shared repository type
In-Reply-To: <1314189346-10866-1-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com>
Message-ID: <1314189346-10866-2-git-send-email-domg472@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Create a Git inetd service domain and create a primary shared repository file type.

Quote from the Git daemon manual page: "git-daemon - A really simple server for git repositories".

This really is no joke. This policy allows Git inetd service domain to read and serve Git shared
repositories located in /var/lib/git. This implementation allows administrators to tune the policy to
allow Git inetd service domain to read and serve Git shared repositories on NFS and/or CIFS shares.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 54f0737... 164d2bf... M	policy/modules/services/git.fc
:100644 100644 7382f85... 7766253... M	policy/modules/services/git.te
 policy/modules/services/git.fc |    6 +++-
 policy/modules/services/git.te |   64 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..164d2bf 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,7 @@
+/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
+
 /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+
+/var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
+
 /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..7766253 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -5,4 +5,68 @@ policy_module(git, 1.0)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether Git daemon
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(gitd_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git daemon
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(gitd_use_nfs, false)
+
+type gitd_t;
+type gitd_exec_t;
+inetd_service_domain(gitd_t, gitd_exec_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gitd_t self:fifo_file rw_fifo_file_perms;
+allow gitd_t self:unix_dgram_socket create_socket_perms;
+
+list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(gitd_t)
+
+kernel_read_system_state(gitd_t)
+
+corecmd_exec_bin(gitd_t)
+
+files_read_usr_files(gitd_t)
+
+auth_use_nsswitch(gitd_t)
+
+logging_send_syslog_msg(gitd_t)
+
+miscfiles_read_localization(gitd_t)
+
+tunable_policy(`gitd_use_cifs',`
+	fs_read_cifs_files(gitd_t)
+',`
+	fs_dontaudit_read_cifs_files(gitd_t)
+')
+
+tunable_policy(`gitd_use_nfs',`
+	fs_read_nfs_files(gitd_t)
+',`
+	fs_dontaudit_read_nfs_files(gitd_t)
+')
+
+########################################
+#
+# Git apache CGI domain
+#
+
 apache_content_template(git)
-- 
1.7.1