From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Aug 2011 14:35:43 +0200
Subject: [refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute
In-Reply-To: <1314189346-10866-1-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com>
Message-ID: <1314189346-10866-6-git-send-email-domg472@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain. The policy in this commit was taken from Fedora. It is well tested i believe. These web applications display Git repositories. And they Should be able to read any Git repository whether shared or personal. We implemented another attribute for it called git_content. This attribute will be assigned to any and all Git repository content types, either existing or to be created. Hopefully the next commit should explain why this attribute makes sense.

Signed-off-by: Dominick Grift
---
:100644 100644 7314ecb... c005782... M policy/modules/services/git.fc
:100644 100644 f1466e1... 83356f2... M policy/modules/services/git.if
:100644 100644 7040bf6... 8602887... M policy/modules/services/git.te
 policy/modules/services/git.fc | 4 ++-
 policy/modules/services/git.if | 46 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/services/git.te | 11 +++++++-
 3 files changed, 58 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 7314ecb..c005782 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
 /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
 /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index f1466e1..83356f2 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -40,6 +40,52 @@ template(`git_session_role_template',`
 ########################################
 ##
+## Read all Git daemon repository
+## content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_read_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1)
+ ',`
+ fs_dontaudit_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files($1)
+ ',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_read_cifs_files($1)
+ ',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_read_nfs_files($1)
+ ',`
+ fs_dontaudit_read_nfs_files($1)
+ ')
+')
+
+########################################
+##
 ## Execute Git daemon generic shared
 ## repository content files.
 ##
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7040bf6..8602887 100644
--- a/policy/modules/services/git.te
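Review bot: The new `/var/www/git/gitweb.cgi` entry is written differently from the neighbouring `/var/www/cgi-bin/cgit -- gen_context(...)` line in the same hunk: the dot is not escaped, so as a file-context regex it matches any single character, and there is no `--` object-class field, so a directory of that name would also receive the script exec label. Unless the backslash was lost in mail or page rendering, I would write it as `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The `-`/`+` pair for `/var/cache/cgit` is identical as displayed, so that part is presumably a whitespace-only alignment change.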
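Review bot: `git_read_all_content` grants the caller read access to every type carrying `git_content`, which in this series includes `git_user_content_t` under users' home directories (it also calls `userdom_search_user_home_dirs`), but its summary only says "Read all Git daemon repository content."; the summary should say so explicitly, e.g. `##	Read all Git repository content, including personal repositories in user home directories.`, so that a caller granting it to a network-facing domain does so knowingly. The four `tunable_policy` blocks also duplicate each other pairwise: with `use_nfs_home_dirs` on and `git_system_use_nfs` off the domain receives both `fs_read_nfs_files($1)` and `fs_dontaudit_read_nfs_files($1)`, which is harmless but redundant. Each pair can be merged into one block keyed on `use_nfs_home_dirs || git_system_use_nfs` (and `use_samba_home_dirs || git_system_use_cifs` for the cifs pair), halving the rules while keeping the same effective access.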
+++ b/policy/modules/services/git.te
@@ -5,6 +5,7 @@ policy_module(git, 1.0)
 # Git daemon global declarations
 #
+attribute git_content;
 attribute git_daemon;
 type gitd_exec_t;
@@ -18,7 +19,7 @@ type git_session_t, git_daemon;
 application_domain(git_session_t, gitd_exec_t)
 ubac_constrained(git_session_t)
-type git_user_content_t;
+type git_user_content_t, git_content;
 userdom_user_home_content(git_user_content_t)
 ########################################
@@ -54,7 +55,7 @@ type git_system_t, git_daemon;
 typealias git_system_t alias gitd_t;
 inetd_service_domain(git_system_t, gitd_exec_t)
-type git_sys_content_t;
+type git_sys_content_t, git_content;
 files_type(git_sys_content_t)
 ########################################
@@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
 #
 apache_content_template(git)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+git_read_all_content(httpd_git_script_t)
-- 1.7.1
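Review bot: `git_read_all_content(httpd_git_script_t)` in the last hunk is unconditional, so the web-facing CGI domain can read every personal repository labeled `git_user_content_t` under `HOME_DIR/public_git` (tagged `git_content` in the `-18,7` hunk) as soon as the module is loaded, with no boolean for sites that only publish `/var/lib/git`. I would gate the home-directory part behind a `gen_tunable` (name to be chosen; the `git_system_use_*` booleans in this file show the pattern) or at least record the decision in a comment above the call, e.g. `# gitweb/cgit serve both shared (/var/lib/git) and personal (~/public_git) repositories`. `auth_use_nsswitch(httpd_git_script_t)` is likewise a broad grant; a one-line comment on why the CGIs need it, presumably to resolve repository owner names, would help the next reader. The `policy_module(git, 1.0)` version visible in the first hunk header is not bumped in this patch; if another patch in the series does that, ignore this.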