From: domg472@gmail.com (Dominick Grift)
Date: Fri, 26 Aug 2011 15:30:01 +0200
Subject: [refpolicy] [ v3 PATCH 2/8] Git personal repositories
In-Reply-To: <4E579D29.3060607@tresys.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-3-git-send-email-domg472@gmail.com> <4E579D29.3060607@tresys.com>
Message-ID: <20110826133000.GA2140@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Aug 26, 2011 at 09:18:33AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Git inetd service domain can also be configured to read and serve Git personal repositories in the user home directories.
> > We would not want Git inetd service domain to be able to read and serve generic or heavens forbid all
> > user home content, and therefore a new type for Git personal repositories is declared.
> >
> > By default Git inetd service domain expects these personal repositories to be in dgrift/public_git.
> > It is kind of like apache's userdirs functionality. Git inetd service domain does not have to be configured to
> > read and serve personal repositories, and so we make the policy for this functionality tunable.
> >
> > We also allow administrators to tune the policy to allow Git inetd service domain to read and serve personal
> > repositories on NFS and/or CIFS shares. We added a file context that specifies that public_git
> > directories in any user home directory should be labeled with the personal repository file type.
> > That means that all login users should be allowed to relabel and manage the git_user_content_t personal
> > repository type. Did you know that users might also need to execute some of the Git personal
> > repository content? It is not obvious but in some cases users need to be able to execute the Git
> > hooks scripts in their personal repositories.
> > For example they might have a script that runs after the user
> > commits/pushes for example via ssh (git push ssh://joe@localhost/public_git/joes_personal_repository.git). So we
> > also allow all login users to execute Git shared repository files.
> >
> > Signed-off-by: Dominick Grift
> > ---
> > :100644 100644 164d2bf... 7314ecb... M policy/modules/services/git.fc > > :100644 100644 458aac6... 4da6875... M policy/modules/services/git.if > > :100644 100644 7766253... 6c8e672... M policy/modules/services/git.te > > :100644 100644 c6d3cc8... 2dc8697... M policy/modules/system/userdomain.if > > policy/modules/services/git.fc | 2 + > > policy/modules/services/git.if | 119 +++++++++++++++++++++++++++++++++++ > > policy/modules/services/git.te | 31 +++++++++- > > policy/modules/system/userdomain.if | 13 ++++ > > 4 files changed, 163 insertions(+), 2 deletions(-) > > > > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc > > index 164d2bf..7314ecb 100644 > > --- a/policy/modules/services/git.fc > > +++ b/policy/modules/services/git.fc > > @@ -1,3 +1,5 @@ > > +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) > > + > > /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) > > > > /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > > index 458aac6..4da6875 100644 > > --- a/policy/modules/services/git.if > > +++ b/policy/modules/services/git.if
> > @@ -1 +1,120 @@ > > ## GIT revision control system > > + > > +######################################## > > +## > > +## Execute Git daemon personal > > +## repository content files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`git_exec_user_content_files',` > > + gen_require(` > > + type git_user_content_t; > > + ') > > + > > + exec_files_pattern($1, git_user_content_t, git_user_content_t) > > + userdom_search_user_home_dirs($1) > > + > > + tunable_policy(`use_samba_home_dirs',` > > + fs_exec_cifs_files($1) > > + ') > > + > > + tunable_policy(`use_nfs_home_dirs',` > > + fs_exec_nfs_files($1) > > + ') > > +') > > + > > +######################################## > > +## > > +## Create, read, write, and delete > > +## Git daemon personal repository content. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`git_manage_user_content',` > > + gen_require(` > > + type git_user_content_t; > > + ') > > + > > + manage_dirs_pattern($1, git_user_content_t, git_user_content_t) > > + manage_files_pattern($1, git_user_content_t, git_user_content_t) > > + userdom_search_user_home_dirs($1) > > + > > + tunable_policy(`use_samba_home_dirs',` > > + fs_manage_cifs_dirs($1) > > + fs_manage_cifs_files($1) > > + ',` > > + fs_dontaudit_manage_cifs_dirs($1) > > + fs_dontaudit_manage_cifs_files($1) > > + ') > > + > > + tunable_policy(`use_nfs_home_dirs',` > > + fs_manage_nfs_dirs($1) > > + fs_manage_nfs_files($1) > > + ',` > > + fs_dontaudit_manage_nfs_dirs($1) > > + fs_dontaudit_manage_nfs_files($1) > > + ') > > +') > > + > > +######################################## > > +## > > +## Read Git daemon personal repository > > +## content. > > +## > > +## > > +## > > +## Domain allowed access. 
> > +## > > +## > > +# > > +interface(`git_read_user_content',` > > + gen_require(` > > + type git_user_content_t; > > + ') > > + > > + list_dirs_pattern($1, git_user_content_t, git_user_content_t) > > + read_files_pattern($1, git_user_content_t, git_user_content_t) > > + userdom_search_user_home_dirs($1) > > + > > + tunable_policy(`use_nfs_home_dirs',` > > + fs_read_nfs_files($1) > > + ',` > > + fs_dontaudit_read_cifs_files($1) > > + ') > > + > > + tunable_policy(`use_samba_home_dirs',` > > + fs_read_cifs_files($1) > > + ',` > > + fs_dontaudit_read_cifs_files($1) > > + ') > > +') > > + > > +######################################## > > +## > > +## Relabel Git daemon personal > > +## repository content. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`git_relabel_user_content',` > > + gen_require(` > > + type git_user_content_t; > > + ') > > + > > + relabel_dirs_pattern($1, git_user_content_t, git_user_content_t) > > + relabel_files_pattern($1, git_user_content_t, git_user_content_t) > > + userdom_search_user_home_dirs($1) > > +') > > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > > index 7766253..6c8e672 100644 > > --- a/policy/modules/services/git.te > > +++ b/policy/modules/services/git.te > > @@ -8,6 +8,14 @@ policy_module(git, 1.0) > > ## > > ##

> > ## Determine whether Git daemon > > +## can search home directories. > > +##

> > +##
> > +gen_tunable(gitd_enable_homedirs, false) > > + > > +## > > +##

> > +## Determine whether Git daemon > > ## can access cifs file systems. > > ##

> > ##
> > @@ -28,6 +36,9 @@ inetd_service_domain(gitd_t, gitd_exec_t) > > type git_sys_content_t; > > files_type(git_sys_content_t) > > > > +type git_user_content_t; > > +userdom_user_home_content(git_user_content_t) > > + > > ######################################## > > # > > # Local policy > > @@ -36,8 +47,8 @@ files_type(git_sys_content_t) > > allow gitd_t self:fifo_file rw_fifo_file_perms; > > allow gitd_t self:unix_dgram_socket create_socket_perms; > > > > -list_dirs_pattern(gitd_t, git_sys_content_t, git_sys_content_t) > > -read_files_pattern(gitd_t, git_sys_content_t, git_sys_content_t) > > +list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > +read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > files_search_var_lib(gitd_t) > > > > kernel_read_system_state(gitd_t) > > @@ -52,6 +63,22 @@ logging_send_syslog_msg(gitd_t) > > > > miscfiles_read_localization(gitd_t) > > > > +tunable_policy(`gitd_enable_homedirs',` > > + userdom_search_user_home_dirs(gitd_t) > > +') > > + > > +tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',` > > + fs_read_nfs_files(gitd_t) > > +',` > > + fs_dontaudit_read_nfs_files(gitd_t) > > +') > > + > > +tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',` > > + fs_read_cifs_files(gitd_t) > > +',` > > + fs_dontaudit_read_cifs_files(gitd_t) > > +') > > + > > tunable_policy(`gitd_use_cifs',` > > fs_read_cifs_files(gitd_t) > > ',` > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > > index c6d3cc8..2dc8697 100644 > > --- a/policy/modules/system/userdomain.if > > +++ b/policy/modules/system/userdomain.if > > @@ -188,6 +188,10 @@ interface(`userdom_ro_home_role',` > > fs_dontaudit_list_cifs($2) > > fs_dontaudit_read_cifs_files($2) > > ') > > + > > + optional_policy(` > > + git_read_user_content($2) > > + ') > > ') > > > > ####################################### 
> > @@ -267,6 +271,11 @@ interface(`userdom_manage_home_role',` > > fs_dontaudit_manage_cifs_dirs($2) > > fs_dontaudit_manage_cifs_files($2) > > ') > > + > > + optional_policy(` > > + git_manage_user_content($2) > > + git_relabel_user_content($2) > > + ') > > ') > > > > ####################################### > > @@ -789,6 +798,10 @@ template(`userdom_login_user_template', ` > > ') > > > > optional_policy(` > > + git_exec_user_content_files($1_t) > > + ') > > + > > + optional_policy(` > > kerberos_use($1_t) > > ')
>
> All of these content rules seem like it should be in a git_role()
> interface, which would be invoked from the various role.te files.

Why do you think that? I will explain why I think not:

1. The file context spec labels all ~/public_git type git_user_content_t, whether the user calls git_role_template or not.

2. sysadm can decide to allow git system daemon to host personal repositories of users that aren't allowed to run the git session daemon in the git session domain.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
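Review bot: in the git.if hunk, the else branch of the `use_nfs_home_dirs` block inside `git_read_user_content` calls `fs_dontaudit_read_cifs_files($1)` where `fs_dontaudit_read_nfs_files($1)` is clearly intended; as written, a caller with NFS home directories and the tunable off gets no dontaudit for NFS reads at all and instead a duplicate of the CIFS dontaudit that the `use_samba_home_dirs` block right below already issues. While there, the same interface orders the NFS block before the CIFS block whereas `git_exec_user_content_files` and `git_manage_user_content` put CIFS first; pick one order for all three.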
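Review bot: in the git.te `@@ -8,6 +8,14 @@` hunk the description of `gitd_enable_homedirs` reads "Determine whether Git daemon can search home directories", but what the boolean actually switches on, per the commit message and the `gitd_enable_homedirs && use_nfs_home_dirs` / `use_samba_home_dirs` blocks keyed off it, is reading and serving the personal repositories under `~/public_git`; the text an administrator sees for the boolean should say so. Suggest "## Determine whether Git daemon can read and serve personal repositories in user home directories."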
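Review bot: in the git.te `@@ -36,8 +47,8 @@` hunk the `list_dirs_pattern`/`read_files_pattern` rules on `git_user_content_t` for `gitd_t` are unconditional, while in the `@@ -52,6 +63,22 @@` hunk only `userdom_search_user_home_dirs(gitd_t)` sits under `gitd_enable_homedirs`; with the boolean off the daemon is kept away from personal repositories solely because it cannot traverse the home directory to reach them, not because the policy denies the read. Suggest leaving the two `git_sys_content_t` lines as they were and moving the `git_user_content_t` list/read rules into the `gitd_enable_homedirs` tunable block next to the search rule, so the boolean governs the access itself. Separately, the `gitd_enable_homedirs && use_samba_home_dirs` block grants `fs_read_cifs_files(gitd_t)`, which the existing `gitd_use_cifs` tunable visible just below it already grants; two tunables with `dontaudit` else branches for the same permission are harmless (an allow from either wins), but the overlap should at least be mentioned in the two tunable descriptions.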
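Review bot: in the userdomain.if `@@ -789,6 +798,10 @@` hunk, `git_exec_user_content_files($1_t)` gives every login user domain execute on `git_user_content_t` files and, under `use_samba_home_dirs` / `use_nfs_home_dirs`, `fs_exec_cifs_files` / `fs_exec_nfs_files` on everything on those shares rather than only on repository hooks; that is a consequence of NFS/CIFS carrying a single label and is probably acceptable, but the commit message should state that the exec right is that broad on those filesystems. Also, `git_exec_user_content_files` breaks the `git_<verb>_user_content` naming used by the other three new interfaces (`git_read_user_content`, `git_manage_user_content`, `git_relabel_user_content`); `git_exec_user_content` would match.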