From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 26 Aug 2011 09:18:33 -0400
Subject: [refpolicy] [ v3 PATCH 2/8] Git personal repositories
In-Reply-To: <1314189346-10866-3-git-send-email-domg472@gmail.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-3-git-send-email-domg472@gmail.com>
Message-ID: <4E579D29.3060607@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/24/11 08:35, Dominick Grift wrote:
> Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> We would not want Git inetd service domain to be able to read and serve generic or, heaven forbid, all
> user home content, and therefore a new type for Git personal repositories is declared.
>
> By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> It is kind of like Apache's userdirs functionality. Git inetd service domain does not have to be configured to
> read and serve personal repositories, and so we make the policy for this functionality tunable.
>
> We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> directories in any user home directory should be labeled with the personal repository file type.
> That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> repository type. Did you know that users might also need to execute some of the Git personal
> repository content? It is not obvious, but in some cases users need to be able to execute the Git
> hook scripts in their personal repositories. For example, they might have a script that runs after the user
> commits/pushes, for example via ssh (git push ssh://joe at localhost/public_git/joes_personal_repository.git).
So we > also allow all login users to execute Git shared repository files. > > Signed-off-by: Dominick Grift > --- > :100644 100644 164d2bf... 7314ecb... M policy/modules/services/git.fc > :100644 100644 458aac6... 4da6875... M policy/modules/services/git.if > :100644 100644 7766253... 6c8e672... M policy/modules/services/git.te > :100644 100644 c6d3cc8... 2dc8697... M policy/modules/system/userdomain.if > policy/modules/services/git.fc | 2 + > policy/modules/services/git.if | 119 +++++++++++++++++++++++++++++++++++ > policy/modules/services/git.te | 31 +++++++++- > policy/modules/system/userdomain.if | 13 ++++ > 4 files changed, 163 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc > index 164d2bf..7314ecb 100644 > --- a/policy/modules/services/git.fc > +++ b/policy/modules/services/git.fc > @@ -1,3 +1,5 @@ > +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) > + > /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) > > /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > index 458aac6..4da6875 100644 > --- a/policy/modules/services/git.if > +++ b/policy/modules/services/git.if 
> @@ -1 +1,120 @@ > ## GIT revision control system > + > +######################################## > +## > +## Execute Git daemon personal > +## repository content files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`git_exec_user_content_files',` > + gen_require(` > + type git_user_content_t; > + ') > + > + exec_files_pattern($1, git_user_content_t, git_user_content_t) > + userdom_search_user_home_dirs($1) > + > + tunable_policy(`use_samba_home_dirs',` > + fs_exec_cifs_files($1) > + ') > + > + tunable_policy(`use_nfs_home_dirs',` > + fs_exec_nfs_files($1) > + ') > +') > + > +######################################## > +## > +## Create, read, write, and delete > +## Git daemon personal repository content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`git_manage_user_content',` > + gen_require(` > + type git_user_content_t; > + ') > + > + manage_dirs_pattern($1, git_user_content_t, git_user_content_t) > + manage_files_pattern($1, git_user_content_t, git_user_content_t) > + userdom_search_user_home_dirs($1) > + > + tunable_policy(`use_samba_home_dirs',` > + fs_manage_cifs_dirs($1) > + fs_manage_cifs_files($1) > + ',` > + fs_dontaudit_manage_cifs_dirs($1) > + fs_dontaudit_manage_cifs_files($1) > + ') > + > + tunable_policy(`use_nfs_home_dirs',` > + fs_manage_nfs_dirs($1) > + fs_manage_nfs_files($1) > + ',` > + fs_dontaudit_manage_nfs_dirs($1) > + fs_dontaudit_manage_nfs_files($1) > + ') > +') > + > +######################################## > +## > +## Read Git daemon personal repository > +## content. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`git_read_user_content',` > + gen_require(` > + type git_user_content_t; > + ') > + > + list_dirs_pattern($1, git_user_content_t, git_user_content_t) > + read_files_pattern($1, git_user_content_t, git_user_content_t) > + userdom_search_user_home_dirs($1) > + > + tunable_policy(`use_nfs_home_dirs',` > + fs_read_nfs_files($1) > + ',` > + fs_dontaudit_read_cifs_files($1) > + ') > + > + tunable_policy(`use_samba_home_dirs',` > + fs_read_cifs_files($1) > + ',` > + fs_dontaudit_read_cifs_files($1) > + ') > +') > + > +######################################## > +## > +## Relabel Git daemon personal > +## repository content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`git_relabel_user_content',` > + gen_require(` > + type git_user_content_t; > + ') > + > + relabel_dirs_pattern($1, git_user_content_t, git_user_content_t) > + relabel_files_pattern($1, git_user_content_t, git_user_content_t) > + userdom_search_user_home_dirs($1) > +') > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > index 7766253..6c8e672 100644 > --- a/policy/modules/services/git.te > +++ b/policy/modules/services/git.te > @@ -8,6 +8,14 @@ policy_module(git, 1.0) > ## > ##

> ## Determine whether Git daemon > +## can search home directories. > +##

> +##
> +gen_tunable(gitd_enable_homedirs, false) > + > +## > +##

> +## Determine whether Git daemon > ## can access cifs file systems. > ##

> ##
> @@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t) > type git_sys_content_t; > files_type(git_sys_content_t) > > +type git_user_content_t; > +userdom_user_home_content(git_user_content_t) > + > ######################################## > # > # Local policy > @@ -36,8 +47,8 @@ files_type(git_sys_content_t) > allow gitd_t self:fifo_file rw_fifo_file_perms; > allow gitd_t self:unix_dgram_socket create_socket_perms; > > -list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t) > -read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t) > +list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > +read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > files_search_var_lib(gitd_t) > > kernel_read_system_state(gitd_t) > @@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t) > > miscfiles_read_localization(gitd_t) > > +tunable_policy(`gitd_enable_homedirs',` > + userdom_search_user_home_dirs(gitd_t) > +') > + > +tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',` > + fs_read_nfs_files(gitd_t) > +',` > + fs_dontaudit_read_nfs_files(gitd_t) > +') > + > +tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',` > + fs_read_cifs_files(gitd_t) > +',` > + fs_dontaudit_read_cifs_files(gitd_t) > +') > + > tunable_policy(`gitd_use_cifs',` > fs_read_cifs_files(gitd_t) > ',` > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index c6d3cc8..2dc8697 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',` > fs_dontaudit_list_cifs($2) > fs_dontaudit_read_cifs_files($2) > ') > + > + optional_policy(` > + git_read_user_content($2) > + ') > ') > > ####################################### 
> @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',` > fs_dontaudit_manage_cifs_dirs($2) > fs_dontaudit_manage_cifs_files($2) > ') > + > + optional_policy(` > + git_manage_user_content($2) > + git_relabel_user_content($2) > + ') > ') > > ####################################### > @@ -789,6 +798,10 @@ template(`userdom_login_user_template', ` > ') > > optional_policy(` > + git_exec_user_content_files($1_t) > + ') > + > + optional_policy(` > kerberos_use($1_t) > ') All of these content rules seem like it should be in a git_role() interface, which would be invoked from the various role.te files. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
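Review bot: in the git.if hunk (@@ -1 +1,120 @@), the git_read_user_content interface has a copy-paste error: the else branch of the `use_nfs_home_dirs` block calls `fs_dontaudit_read_cifs_files($1)` where it should call `fs_dontaudit_read_nfs_files($1)`, matching the `fs_read_nfs_files($1)` in the true branch (the `use_samba_home_dirs` block directly below it is the correct shape). Separately, git_exec_user_content_files is the only one of the four new interfaces whose two tunable_policy blocks carry no else branch, so exec denials on NFS/CIFS home content will be audited when those tunables are off; either make it consistent with git_read_user_content and git_manage_user_content or say in the interface description why that is intended.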
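Review bot: in the git.te hunk (@@ -36,8 +47,8 @@), read access to personal repositories is not actually tunable: `list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, ...)` and `read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, ...)` are unconditional, and only `userdom_search_user_home_dirs(gitd_t)` is gated by `gitd_enable_homedirs`. Today the missing search permission happens to block the path, but the commit message promises that serving personal repositories is a tunable, so leave the git_sys_content_t patterns as they were and move the git_user_content_t list/read rules into the `tunable_policy(`gitd_enable_homedirs',` block.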
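Review bot: in the git.te hunk (@@ -52,6 +63,22 @@), the new `gitd_enable_homedirs && use_samba_home_dirs` block grants `fs_read_cifs_files(gitd_t)` and dontaudits it otherwise, while the existing `gitd_use_cifs` block immediately below grants the same permission; the two overlap, so with `gitd_use_cifs` on the new else branch is dead, and with it off the new tunable is a second switch for the same access. Either drop the redundant pair or document in the tunable descriptions how `gitd_enable_homedirs` (repositories under HOME_DIR) is meant to differ from `gitd_use_cifs` (system repositories on CIFS). The same applies to the NFS pair if a `gitd_use_nfs` tunable exists in this module.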
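Review bot: in the git.te hunk (@@ -8,6 +14,14 @@), the description for `gen_tunable(gitd_enable_homedirs, false)` reads "Determine whether Git daemon can search home directories", which describes the mechanism rather than the effect; the rest of the patch and the commit message are about serving personal repositories, so wording such as "Determine whether Git daemon can read and serve Git repositories in user home directories" tells an administrator what the boolean actually turns on.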
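Review bot: the three userdomain.if hunks (@@ -188, @@ -267 and @@ -789) add `git_read_user_content($2)`, `git_manage_user_content($2)`/`git_relabel_user_content($2)` and `git_exec_user_content_files($1_t)` to a system-layer module, which makes userdomain depend on the git service module; the optional_policy wrappers let it build, but the dependency points the wrong way and splits one user's git access across three different templates. This supports the git_role() suggestion above: a single interface in git.if taking the role and user domain, called from the role .te files, keeps the dependency in the services layer and gives read, manage, relabel and exec to the same user domain in one place.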