From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Aug 2011 14:35:45 +0200
Subject: [refpolicy] [ v3 PATCH 7/8] Git session daemons binding TCP sockets to unreserved ports
In-Reply-To: <1314189346-10866-1-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com>
Message-ID: <1314189346-10866-8-git-send-email-domg472@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Assume you own this big shell hosting company and you want to allow your customers to be able to serve their Git personal repositories to their discretion. You might end up with hundreds of instances of Git session daemons. They cannot all bind TCP sockets to a single Git port. This functionality allows the administrator to tune the policy to allow Git session daemons to bind TCP sockets to any unreserved port.

Signed-off-by: Dominick Grift
---
:100644 100644 ba56287... 6723c99... M	policy/modules/services/git.te
 policy/modules/services/git.te |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index ba56287..6723c99 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -15,6 +15,14 @@ type gitd_exec_t;
 # Git session daemon declarations
 #
+##
+##

+## Determine whether Git session daemons
+## can bind tcp sockets to all unreserved ports.
+##

+##
+gen_tunable(git_session_tcp_bind_all_unreserved_ports, false)
+
 type git_session_t, git_daemon;
 application_domain(git_session_t, gitd_exec_t)
 ubac_constrained(git_session_t)
@@ -102,6 +110,12 @@ corenet_sendrecv_git_server_packets(git_session_t)
 userdom_use_user_terminals(git_session_t)
+tunable_policy(`git_session_tcp_bind_all_unreserved_ports',`
+	corenet_tcp_bind_all_unreserved_ports(git_session_t)
+	corenet_tcp_sendrecv_all_ports(git_session_t)
+	corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(git_session_t)
 ',`
-- 
1.7.1
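Review bot: The tunable description in the first hunk only says what the boolean allows, not what git_session_t is confined to while it stays at its `false` default, so an administrator weighing it cannot see what enabling it widens; a line such as `## When disabled, Git session daemons can only bind the Git port.` would make that explicit (the context line `corenet_sendrecv_git_server_packets(git_session_t)` suggests this is the default, but the rule granting the Git-port bind lies outside the hunk). The description is also shown here without the `<desc>` and `<p>` wrapper tags refpolicy's documentation extraction expects around a tunable's text; if that is not merely the list archive stripping markup, the boolean will be missing from the generated policy docs. In the second hunk the same boolean additionally turns on `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_generic_server_packets`, which appears to go beyond the "bind" wording of the description, so a sentence noting that the domain then exchanges traffic on every port, and that the setting applies to every git_session_t instance on the host at once, would tell the reader what they are accepting.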