From: domg472@gmail.com (Dominick Grift) Date: Wed, 24 Aug 2011 14:35:44 +0200 Subject: [refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types In-Reply-To: <1314189346-10866-1-git-send-email-domg472@gmail.com> References: <1314189346-10866-1-git-send-email-domg472@gmail.com> Message-ID: <1314189346-10866-7-git-send-email-domg472@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In my previous commit i promised i would try to explain the use of the git_content attribute. It is a attribute to asign to existing and to be create shared and private repository types. In this commit we are using this attribute to allow Git system daemon to read and serve any repository content. We do this because the userdom_git_user_template allows use to provides administrators with advanced type enforcement possibility to restrict access to various types of shared repository. In this commit we created the git_shared_content_template. This template allows for easy creation of new shared repository types. We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces. This allows us to make a connection between Git user domain and Git shared repository content types. These interfaces and templates allow administrators to create new Git user domains and allow the various Git user domains access to specified Git shared repositories. This allows administrators to employ Type enforcement for shared repository and Git user separation. We also created a attribute called git_system_content that is assigned to all types derived from the prefix that the git_shared_content_template expects. This might be handy if some one later wants a given Git user domain to have access to any shared repository type and not just the primary git_sys_content_t repository type. Signed-off-by: Dominick Grift --- :100644 100644 83356f2... fb27b32... M policy/modules/services/git.if :100644 100644 8602887... ba56287... M policy/modules/services/git.te policy/modules/services/git.if | 96 ++++++++++++++++++++++++++++++++++++++++ policy/modules/services/git.te | 9 ++-- 2 files changed, 101 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if index 83356f2..fb27b32 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if @@ -40,6 +40,102 @@ template(`git_session_role_template',` ######################################## ## +## Create a set of derived types for +## Git daemon shared repository content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`git_shared_content_template',` + gen_require(` + attribute git_system_content, git_content; + ') + + type git_$1_content_t, git_system_content, git_content; + files_type(git_$1_content_t) +') + +####################################### +## +## Execute specified Git daemon +## shared repository content files. +## +## +## +## Domain allowed access. +## +## +## +## +## Type to allow access to. +## +## +# +interface(`git_exec_spec_shared_content_files',` + gen_require(` + type $1, $2; + ') + + exec_files_pattern($1, $2, $2) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + ') +') + +####################################### +## +## Create, read, write, and delete +## specified Git daemon shared +## repository content. +## +## +## +## Domain allowed access. +## +## +## +## +## Type to allow access to. +## +## +# +interface(`git_manage_spec_shared_content',` + gen_require(` + type $1, $2; + ') + + manage_dirs_pattern($1, $2, $2) + manage_files_pattern($1, $2, $2) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ',` + fs_dontaudit_manage_cifs_dirs($1) + fs_dontaudit_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ',` + fs_dontaudit_manage_nfs_dirs($1) + fs_dontaudit_manage_nfs_files($1) + ') +') + +######################################## +## ## Read all Git daemon repository ## content. ## diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te index 8602887..ba56287 100644 --- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te @@ -51,12 +51,13 @@ gen_tunable(git_system_use_cifs, false) ## gen_tunable(git_system_use_nfs, false) +attribute git_system_content; + type git_system_t, git_daemon; typealias git_system_t alias gitd_t; inetd_service_domain(git_system_t, gitd_exec_t) -type git_sys_content_t, git_content; -files_type(git_sys_content_t) +git_shared_content_template(sys) ######################################## # @@ -118,8 +119,8 @@ tunable_policy(`use_samba_home_dirs',` # Git system daemon policy # -list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) -read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) +list_dirs_pattern(git_system_t, git_content, git_content) +read_files_pattern(git_system_t, git_content, git_content) files_search_var_lib(git_system_t) tunable_policy(`git_system_enable_homedirs',` -- 1.7.1