From: domg472@gmail.com (Dominick Grift)
Date: Thu, 25 Aug 2011 11:07:58 +0200
Subject: [refpolicy] [ v3 PATCH 3/8] Git shell users
In-Reply-To: <1314189346-10866-4-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-4-git-send-email-domg472@gmail.com>
Message-ID: <20110825090755.GA11966@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 24, 2011 at 02:35:41PM +0200, Dominick Grift wrote:

Today I was reading an article about the scponly shell. This seems to have properties similar to Git shell. Maybe we could make userdom_git_user_template -> userdom_base_user_template, and rename the current userdom_base_user_template, or something along those lines.

I have been thinking about possible arguments against a userdom_git_user_template.

Q: Why not just use userdom_base_user_template for Git shell (and possibly scponly) users?

A: That would make it harder to configure for administrators. The nice thing about this current implementation is that a default Git shell seuser exists. Administrators can just map their users' logins to it and start. It provides Git shell users with access to generic shared repositories. Besides, compare the userdom_git_user_template to userdom_base_user_template: the latter gives the caller way more privileges that aren't needed.

But userdom_git_user_template is useless for scponly users currently because it provides access to generic shared repositories. We do not want scponly users to have this privilege.

That brings me to another issue, where the interface calls git_manage_generic_sys_content and git_exec_generic_sys_content_files are not optional policy in the userdom_git_user_template, which means any calling module will have a dependency on the git module.

> Did you know that there is a Git shell in /usr/bin/git-shell, and did you know that you can use that
> together with OpenSSH to commit to shared repositories? Heck you can even commit to shared repositories
> using OpenSSH with a plain bash shell, but the Git shell is much cooler. A user domain solely for the
> purpose of committing to shared repositories needs far fewer privileges than the least privilege
> userdom_base_user_template provides.
>
> Git shell users do not need pty's, execmem or many other privileges provided by the base_user_template.
> Therefore we implement a template just for Git shell users, and we create a Git shell role, so that
> administrators can easily map their Unix logins to the Git shell SELinux user.
>
> This Git shell user domain is allowed to manage and execute (primary) shared repositories.
>
> FIXED: the default context in config/appconfig-mls for git_shell_u was wrong.
> git_shell.te: userdom_git_user_template was called by git_user but should be called by git_shell
>
> Fix2: booleans git_system_use_cifs and git_system_use_nfs are currently named gitd_use_cifs and gitd_use_nfs respectively
> > Signed-off-by: Dominick Grift > --- > :000000 100644 0000000... 2d9c6bc... A config/appconfig-mcs/git_shell_u_default_contexts > :000000 100644 0000000... 2d9c6bc... A config/appconfig-mls/git_shell_u_default_contexts > :000000 100644 0000000... bfbd788... A config/appconfig-standard/git_shell_u_default_contexts > :000000 100644 0000000... 601a7b0... A policy/modules/roles/git_shell.fc > :000000 100644 0000000... c6d9896... A policy/modules/roles/git_shell.if > :000000 100644 0000000... f5aa6cb... A policy/modules/roles/git_shell.te > :100644 100644 4da6875... 6238d54... M policy/modules/services/git.if > :100644 100644 2dc8697... 5c30b4b... M policy/modules/system/userdomain.if > config/appconfig-mcs/git_shell_u_default_contexts | 2 + > config/appconfig-mls/git_shell_u_default_contexts | 2 + > .../git_shell_u_default_contexts | 2 + > policy/modules/roles/git_shell.fc | 1 + > policy/modules/roles/git_shell.if | 50 +++++++++++++++ > policy/modules/roles/git_shell.te | 15 +++++ > policy/modules/services/git.if | 67 ++++++++++++++++++++ > policy/modules/system/userdomain.if | 63 ++++++++++++++++++ > 8 files changed, 202 insertions(+), 0 deletions(-) > > diff --git a/config/appconfig-mcs/git_shell_u_default_contexts b/config/appconfig-mcs/git_shell_u_default_contexts > new file mode 100644 > index 0000000..2d9c6bc > --- /dev/null > +++ b/config/appconfig-mcs/git_shell_u_default_contexts > @@ -0,0 +1,2 @@ > +git_shell_r:git_shell_t:s0 git_shell_r:git_shell_t:s0 > +system_r:sshd_t:s0 git_shell_r:git_shell_t:s0 > diff --git a/config/appconfig-mls/git_shell_u_default_contexts b/config/appconfig-mls/git_shell_u_default_contexts > new file mode 100644 > index 0000000..2d9c6bc > --- /dev/null > +++ b/config/appconfig-mls/git_shell_u_default_contexts > @@ -0,0 +1,2 @@ > +git_shell_r:git_shell_t:s0 git_shell_r:git_shell_t:s0 > +system_r:sshd_t:s0 git_shell_r:git_shell_t:s0 
> diff --git a/config/appconfig-standard/git_shell_u_default_contexts b/config/appconfig-standard/git_shell_u_default_contexts > new file mode 100644 > index 0000000..bfbd788 > --- /dev/null > +++ b/config/appconfig-standard/git_shell_u_default_contexts > @@ -0,0 +1,2 @@ > +git_shell_r:git_shell_t git_shell_r:git_shell_t > +system_r:sshd_t git_shell_r:git_shell_t > diff --git a/policy/modules/roles/git_shell.fc b/policy/modules/roles/git_shell.fc > new file mode 100644 > index 0000000..601a7b0 > --- /dev/null > +++ b/policy/modules/roles/git_shell.fc > @@ -0,0 +1 @@ > +# file contexts handled by userdomain and genhomedircon > diff --git a/policy/modules/roles/git_shell.if b/policy/modules/roles/git_shell.if > new file mode 100644 > index 0000000..c6d9896 > --- /dev/null > +++ b/policy/modules/roles/git_shell.if > @@ -0,0 +1,50 @@ > +## Git shell user role. > + > +######################################## > +## > +## Change to the git shell role. > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`git_shell_role_change',` > + gen_require(` > + role git_shell_r; > + ') > + > + allow $1 git_shell_r; > +') > + > +######################################## > +## > +## Change from the git shell role. > +## > +## > +##

> +## Change from the git shell role to > +## the specified role. > +##

> +##

> +## This is an interface to support third party modules > +## and its use is not allowed in upstream reference > +## policy. > +##

> +##
> +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`git_shell_role_change_to',` > + gen_require(` > + role git_shell_r; > + ') > + > + allow git_shell_r $1; > +') > diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te > new file mode 100644 > index 0000000..f5aa6cb > --- /dev/null > +++ b/policy/modules/roles/git_shell.te > @@ -0,0 +1,15 @@ > +policy_module(git_shell, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +userdom_git_user_template(git_shell) > + > +######################################## > +# > +# Local policy > +# > + > +#gen_user(git_shell_u,, git_shell_r, s0, s0) > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > index 4da6875..6238d54 100644 > --- a/policy/modules/services/git.if > +++ b/policy/modules/services/git.if 
> @@ -2,6 +2,73 @@ > > ######################################## > ## > +## Execute Git daemon generic shared > +## repository content files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`git_exec_generic_sys_content_files',` > + gen_require(` > + type git_sys_content_t; > + ') > + > + exec_files_pattern($1, git_sys_content_t, git_sys_content_t) > + files_search_var_lib($1) > + > + tunable_policy(`gitd_use_cifs',` > + fs_exec_cifs_files($1) > + ') > + > + tunable_policy(`gitd_use_nfs',` > + fs_exec_nfs_files($1) > + ') > +') > + > +######################################## > +## > +## Create, read, write, and delete > +## Git daemon generic shared > +## repository content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`git_manage_generic_sys_content',` > + gen_require(` > + type git_sys_content_t; > + ') > + > + manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t) > + manage_files_pattern($1, git_sys_content_t, git_sys_content_t) > + files_search_var_lib($1) > + > + tunable_policy(`gitd_use_cifs',` > + fs_manage_cifs_dirs($1) > + fs_manage_cifs_files($1) > + ',` > + fs_dontaudit_manage_cifs_dirs($1) > + fs_dontaudit_manage_cifs_files($1) > + ') > + > + tunable_policy(`gitd_use_nfs',` > + fs_manage_nfs_dirs($1) > + fs_manage_nfs_files($1) > + ',` > + fs_dontaudit_manage_nfs_dirs($1) > + fs_dontaudit_manage_nfs_files($1) > + ') > +') > + > + > +######################################## > +## > ## Execute Git daemon personal > ## repository content files. > ## > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 2dc8697..5c30b4b 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if 
> @@ -2,6 +2,69 @@ > > ####################################### > ## > +## Template for creating Git users. > +## > +## > +## > +## Prefix of the user domain. > +## > +## > +## > +# > +template(`userdom_git_user_template',` > + gen_require(` > + attribute unpriv_userdomain, userdomain; > + class context contains; > + role system_r; > + ') > + > + ######################################## > + # > + # Declarations > + # > + > + type $1_t, unpriv_userdomain, userdomain; > + domain_type($1_t) > + ubac_constrained($1_t) > + role $1_r; > + role $1_r types $1_t; > + allow system_r $1_r; > + > + ######################################## > + # > + # Local policy > + # > + > + allow $1_t self:context contains; > + allow $1_t self:fifo_file rw_fifo_file_perms; > + > + kernel_read_system_state($1_t) > + > + corecmd_exec_bin($1_t) > + corecmd_bin_entry_type($1_t) > + corecmd_shell_entry_type($1_t) > + > + domain_interactive_fd($1_t) > + domain_user_exemption_target($1_t) > + > + files_dontaudit_list_non_security($1_t) > + files_dontaudit_getattr_non_security_files($1_t) > + files_dontaudit_getattr_non_security_symlinks($1_t) > + files_dontaudit_getattr_non_security_pipes($1_t) > + files_dontaudit_getattr_non_security_sockets($1_t) > + > + auth_use_nsswitch($1_t) > + > + miscfiles_read_localization($1_t) > + > + git_exec_generic_sys_content_files($1_t) > + git_manage_generic_sys_content($1_t) > + > + ssh_rw_stream_sockets($1_t) > +') > + > +####################################### > +## > ## The template containing the most basic rules common to all users. > ## > ## > -- > 1.7.1 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -------------- next part -------------- A non-text attachment was scrubbed... 
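Review bot: in all three git_shell_u_default_contexts files the only entry-point mapping is the `system_r:sshd_t ... git_shell_r:git_shell_t` line (the first line is the identity mapping for git_shell_r:git_shell_t itself), so a git_shell_u login that does not arrive through sshd gets no default context from these files. That fits the OpenSSH use case in the commit message, but say so there explicitly (SSH-only role) so nobody expects a local or other login mapped to git_shell_u to land in git_shell_t. The MCS and MLS files now share blob 2d9c6bc, which is consistent with the FIXED note about the MLS file.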
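Review bot: the only user declaration in git_shell.te is commented out (`#gen_user(git_shell_u,, git_shell_r, s0, s0)`), so nothing in this patch declares the git_shell_u SELinux user that the three git_shell_u_default_contexts files and the "a default Git shell seuser exists" argument in the reply rely on. Either uncomment it (or declare the user where the policy's other users are declared), or state in the commit message that administrators must create git_shell_u themselves and that the appconfig files are shipped for that case.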
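Review bot: git_exec_generic_sys_content_files handles the gitd_use_cifs and gitd_use_nfs tunables with no else branch, while git_manage_generic_sys_content directly below it dontaudits the manage access when the tunable is off; the two new interfaces should treat the off case the same way, or the exec interface should say why logging those denials is wanted. Style: there are two consecutive blank `+` lines between the closing `')` of git_manage_generic_sys_content and the next `########` banner, where refpolicy uses one.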
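Review bot: the git_exec_generic_sys_content_files($1_t), git_manage_generic_sys_content($1_t) and ssh_rw_stream_sockets($1_t) calls in userdom_git_user_template are not inside optional_policy(), so userdomain.if now makes every caller of this template depend on the git and ssh modules (the reply above already raises this for the git calls). Wrap them in optional_policy() blocks or, better, keep the template to the generic shell-user rules and put the git_* calls in git_shell.te, which also keeps the template usable for the scponly case discussed above. Note too that the same domain gets manage_files_pattern and exec_files_pattern on git_sys_content_t, so a Git shell user can create a file in a shared repository and then execute it as $1_t; the commit message's "manage and execute" wording shows this is intended, but a comment in the template saying why (and that it is the reason not to hand this access to a transfer-only user) would help the next reader. Minor: the summary reads "Template for creating Git users." while the role, the module and the commit message are about Git shell users.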
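The three git_shell_u_default_contexts files in the patch are what libselinux consults when a process such as sshd asks for the default context of a login mapped to git_shell_u. The following is an added example, not code from the patch, from refpolicy or from libselinux: it embeds the appconfig files exactly as they appear in the hunks and reproduces the lookup that get_default_context() performs on them, resolving a login's context from the parent process context and the roles the SELinux user is allowed. It deliberately simplifies libselinux (assumptions: no contexts/users/<seuser> override file, no security_check_context() validity check and no role-reachability check), so it is a reading aid for the file format, not a replacement for the real lookup.

```python
"""Model of how a <seuser>_default_contexts file is resolved.

Added example for the refpolicy "Git shell users" patch above; it is not
code from the patch or from libselinux.  It embeds the two appconfig files
from the hunks verbatim and reproduces the lookup libselinux's
get_default_context() performs on them, with these simplifications
(assumptions): no contexts/users/<seuser> override file, no
security_check_context() validity check and no role-reachability check.
"""

# config/appconfig-mcs/git_shell_u_default_contexts (identical for -mls)
MCS_FILE = """\
git_shell_r:git_shell_t:s0 git_shell_r:git_shell_t:s0
system_r:sshd_t:s0 git_shell_r:git_shell_t:s0
"""

# config/appconfig-standard/git_shell_u_default_contexts (no MLS level)
STANDARD_FILE = """\
git_shell_r:git_shell_t git_shell_r:git_shell_t
system_r:sshd_t git_shell_r:git_shell_t
"""


def parse_default_contexts(text):
    """Parse "<from> <to> [<to> ...]" lines into (from, [to, ...]) pairs.

    Every field is role:type[:level]; the SELinux user is not in the file,
    it comes from the file name (git_shell_u_default_contexts).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed default_contexts line: %r" % raw)
        entries.append((fields[0], fields[1:]))
    return entries


def strip_user(context):
    """'system_u:system_r:sshd_t:s0' -> 'system_r:sshd_t:s0'."""
    return context.split(":", 1)[1]


def default_context(entries, seuser, parent_context, allowed_roles):
    """Resolve the context a login mapped to `seuser` lands in.

    parent_context is the full context of the process creating the
    session (sshd_t for OpenSSH); allowed_roles are the roles `seuser`
    was declared with.  The first candidate on the matching line whose
    role the user may hold wins; None means the file has no answer and
    libselinux would fall back to its other sources.
    """
    wanted = strip_user(parent_context)
    for from_ctx, to_ctxs in entries:
        if from_ctx != wanted:
            continue
        for to_ctx in to_ctxs:
            if to_ctx.split(":")[0] in allowed_roles:
                return "%s:%s" % (seuser, to_ctx)
    return None


if __name__ == "__main__":
    mcs = parse_default_contexts(MCS_FILE)
    # roles a gen_user(git_shell_u,, git_shell_r, ...) declaration would allow
    roles = {"git_shell_r"}
    for parent in ("system_u:system_r:sshd_t:s0",          # OpenSSH session
                   "system_u:system_r:local_login_t:s0"):  # console login: no line
        print(parent, "->", default_context(mcs, "git_shell_u", parent, roles))
```

On a real system the seuser comes from the login mapping (for a hypothetical account alice: `semanage login -a -s git_shell_u alice`) and the account's shell would be /usr/bin/git-shell; the sshd_t line is then what sends the SSH session into git_shell_r:git_shell_t, while a parent such as local_login_t has no line in these files and the resolver returns None.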