From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 26 Aug 2011 09:18:33 -0400
Subject: [refpolicy] [ v3 PATCH 2/8] Git personal repositories
In-Reply-To: <1314189346-10866-3-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com>
	<1314189346-10866-3-git-send-email-domg472@gmail.com>
Message-ID: <4E579D29.3060607@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/24/11 08:35, Dominick Grift wrote:
> Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
> user home content, and therefore a new type for Git personal repositories is declared.
> 
> By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> It is kind of like apaches userdirs functionality. Git inetd service domain, does not have to be configured to
> read and serve personal repositories, and so we make the policy for this functionality tunable.
> 
> We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> directories in any user home directory should be labeled with the personal repository file type.
> That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> repository type. Did you know that users might also need to execute some of the Git personal
> repository content. It is not obvious but in some cases users need to be able to execute the Git
> hooks scripts in their personal repositories. For example the might have a script that runs after the user
> commits/pushes for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git. So we
> also allow all login users to execute Git shared repository files.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 164d2bf... 7314ecb... M	policy/modules/services/git.fc
> :100644 100644 458aac6... 4da6875... M	policy/modules/services/git.if
> :100644 100644 7766253... 6c8e672... M	policy/modules/services/git.te
> :100644 100644 c6d3cc8... 2dc8697... M	policy/modules/system/userdomain.if
>  policy/modules/services/git.fc      |    2 +
>  policy/modules/services/git.if      |  119 +++++++++++++++++++++++++++++++++++
>  policy/modules/services/git.te      |   31 +++++++++-
>  policy/modules/system/userdomain.if |   13 ++++
>  4 files changed, 163 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 164d2bf..7314ecb 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,5 @@
> +HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> +
>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
>  
>  /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..4da6875 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,120 @@
>  ## <summary>GIT revision control system</summary>
> +
> +########################################
> +## <summary>
> +##	Execute Git daemon personal
> +##	repository content files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_exec_user_content_files',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	exec_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_exec_cifs_files($1)
> +	')
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_exec_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	Git daemon personal repository content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_manage_user_content',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	manage_dirs_pattern($1, git_user_content_t, git_user_content_t)
> +	manage_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_manage_cifs_dirs($1)
> +		fs_manage_cifs_files($1)
> +	',`
> +		fs_dontaudit_manage_cifs_dirs($1)
> +		fs_dontaudit_manage_cifs_files($1)
> +	')
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_manage_nfs_dirs($1)
> +		fs_manage_nfs_files($1)
> +	',`
> +		fs_dontaudit_manage_nfs_dirs($1)
> +		fs_dontaudit_manage_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Read Git daemon personal repository
> +##	content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_read_user_content',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	list_dirs_pattern($1, git_user_content_t, git_user_content_t)
> +	read_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_read_nfs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_read_cifs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Relabel Git daemon personal
> +##	repository content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_relabel_user_content',`
> +	gen_require(`
> +		type git_user_content_t;
> +	')
> +
> +	relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
> +	relabel_files_pattern($1, git_user_content_t, git_user_content_t)
> +	userdom_search_user_home_dirs($1)
> +')
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7766253..6c8e672 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -8,6 +8,14 @@ policy_module(git, 1.0)
>  ## <desc>
>  ##	<p>
>  ##	Determine whether Git daemon
> +##	can search home directories.
> +##	</p>
> +## </desc>
> +gen_tunable(gitd_enable_homedirs, false)
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git daemon
>  ##	can access cifs file systems.
>  ##	</p>
>  ## </desc>
> @@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t)
>  type git_sys_content_t;
>  files_type(git_sys_content_t)
>  
> +type git_user_content_t;
> +userdom_user_home_content(git_user_content_t)
> +
>  ########################################
>  #
>  # Local policy
> @@ -36,8 +47,8 @@ files_type(git_sys_content_t)
>  allow gitd_t self:fifo_file rw_fifo_file_perms;
>  allow gitd_t self:unix_dgram_socket create_socket_perms;
>  
> -list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
> -read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t)
> +list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> +read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
>  files_search_var_lib(gitd_t)
>  
>  kernel_read_system_state(gitd_t)
> @@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t)
>  
>  miscfiles_read_localization(gitd_t)
>  
> +tunable_policy(`gitd_enable_homedirs',`
> +	userdom_search_user_home_dirs(gitd_t)
> +')
> +
> +tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> +	fs_read_nfs_files(gitd_t)
> +',`
> +	fs_dontaudit_read_nfs_files(gitd_t)
> +')
> +
> +tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> +	fs_read_cifs_files(gitd_t)
> +',`
> +	fs_dontaudit_read_cifs_files(gitd_t)
> +')
> +
>  tunable_policy(`gitd_use_cifs',`
>  	fs_read_cifs_files(gitd_t)
>  ',`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index c6d3cc8..2dc8697 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',`
>  		fs_dontaudit_list_cifs($2)
>  		fs_dontaudit_read_cifs_files($2)
>  	')
> +
> +	optional_policy(`
> +		git_read_user_content($2)
> +	')
>  ')
>  
>  #######################################
> @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',`
>  		fs_dontaudit_manage_cifs_dirs($2)
>  		fs_dontaudit_manage_cifs_files($2)
>  	')
> +
> +	optional_policy(`
> +		git_manage_user_content($2)
> +		git_relabel_user_content($2)
> +	')
>  ')
>  
>  #######################################
> @@ -789,6 +798,10 @@ template(`userdom_login_user_template', `
>  	')
>  
>  	optional_policy(`
> +		git_exec_user_content_files($1_t)
> +	')
> +
> +	optional_policy(`
>  		kerberos_use($1_t)
>  	')

All of these content rules seem like it should be in a git_role()
interface, which would be invoked from the various role.te files.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com