From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 26 Aug 2011 09:35:45 -0400 Subject: [refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute In-Reply-To: <1314189346-10866-6-git-send-email-domg472@gmail.com> References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-6-git-send-email-domg472@gmail.com> Message-ID: <4E57A131.3070703@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/24/11 08:35, Dominick Grift wrote: > Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain. > The policy in this commit was taken from Fedora. It is well tested i believe. > These web applications display Git repositories. And they Should be able to read any Git > repository whether shared or personal. We implemented another attribute for it called git_content. Really all repos? It seems like access to user repos should be tunable. > This attribute will be assigned to any and all Git repository content types, either existing or > to be created. Hopefully the next commit should explain why this attribute makes sense. > > Signed-off-by: Dominick Grift > --- > :100644 100644 7314ecb... c005782... M policy/modules/services/git.fc > :100644 100644 f1466e1... 83356f2... M policy/modules/services/git.if > :100644 100644 7040bf6... 8602887... M policy/modules/services/git.te > policy/modules/services/git.fc | 4 ++- > policy/modules/services/git.if | 46 ++++++++++++++++++++++++++++++++++++++++ > policy/modules/services/git.te | 11 +++++++- > 3 files changed, 58 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc > index 7314ecb..c005782 100644 > --- a/policy/modules/services/git.fc > +++ b/policy/modules/services/git.fc 
> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) > > /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) > > -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > > /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) > > /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) > +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > index f1466e1..83356f2 100644 > --- a/policy/modules/services/git.if > +++ b/policy/modules/services/git.if > @@ -40,6 +40,52 @@ template(`git_session_role_template',` > > ######################################## > ## > +## Read all Git daemon repository > +## content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`git_read_all_content',` > + gen_require(` > + attribute git_content; > + ') > + > + list_dirs_pattern($1, git_content, git_content) > + read_files_pattern($1, git_content, git_content) > + userdom_search_user_home_dirs($1) > + files_search_var_lib($1) > + > + tunable_policy(`use_nfs_home_dirs',` > + fs_read_nfs_files($1) > + ',` > + fs_dontaudit_read_nfs_files($1) > + ') > + > + tunable_policy(`use_samba_home_dirs',` > + fs_read_cifs_files($1) > + ',` > + fs_dontaudit_read_cifs_files($1) > + ') > + > + tunable_policy(`git_system_use_cifs',` > + fs_read_cifs_files($1) > + ',` > + fs_dontaudit_read_cifs_files($1) > + ') > + > + tunable_policy(`git_system_use_nfs',` > + fs_read_nfs_files($1) > + ',` > + fs_dontaudit_read_nfs_files($1) > + ') > +') > + > +######################################## > +## > ## Execute Git daemon generic shared > ## repository content files. > ## 
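Review bot: The new `/var/www/git/gitweb.cgi` entry in git.fc is the only regular-file entry in the hunk without the `--` file-type specifier, and its dot is a regex metacharacter rather than a literal, so the pattern also matches a directory of that name or any single character in place of the dot; the neighbouring `/var/www/cgi-bin/cgit -- gen_context(...)` line shows the form used elsewhere in the file. Suggest `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The removal and re-addition of the `/var/cache/cgit` line appears to be a whitespace-only change, which is worth a word in the commit message so readers do not look for a label change there.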
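Review bot: In git_read_all_content the `git_system_use_nfs` block duplicates the `use_nfs_home_dirs` block, and `git_system_use_cifs` duplicates `use_samba_home_dirs`: each pair emits the same fs_read_* / fs_dontaudit_read_* calls, so when exactly one tunable of a pair is enabled the caller gets both the allow and a dontaudit for the same permissions. Consider folding each pair into a single tunable_policy whose condition is `use_nfs_home_dirs || git_system_use_nfs` (and `use_samba_home_dirs || git_system_use_cifs`), which keeps the resulting policy the same and halves the interface body. The summary `Read all Git daemon repository content.` could also state that this covers both git_sys_content_t and git_user_content_t, since the attribute includes repositories under user home directories and callers should see that scope from the interface documentation.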
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > index 7040bf6..8602887 100644 > --- a/policy/modules/services/git.te > +++ b/policy/modules/services/git.te > @@ -5,6 +5,7 @@ policy_module(git, 1.0) > # Git daemon global declarations > # > > +attribute git_content; > attribute git_daemon; > > type gitd_exec_t; > @@ -18,7 +19,7 @@ type git_session_t, git_daemon; > application_domain(git_session_t, gitd_exec_t) > ubac_constrained(git_session_t) > > -type git_user_content_t; > +type git_user_content_t, git_content; > userdom_user_home_content(git_user_content_t) > > ######################################## > @@ -54,7 +55,7 @@ type git_system_t, git_daemon; > typealias git_system_t alias gitd_t; > inetd_service_domain(git_system_t, gitd_exec_t) > > -type git_sys_content_t; > +type git_sys_content_t, git_content; > files_type(git_sys_content_t) > > ######################################## > @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',` > # > > apache_content_template(git) > + > +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) > + > +auth_use_nsswitch(httpd_git_script_t) > + > +git_read_all_content(httpd_git_script_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
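Review bot: The last hunk has git.te call its own interface, `git_read_all_content(httpd_git_script_t)`, whereas, as far as I recall, refpolicy writes rules directly in the .te when the types and attribute are local to the module and keeps interfaces for other modules. If that convention applies, `list_dirs_pattern(httpd_git_script_t, git_content, git_content)` and `read_files_pattern(httpd_git_script_t, git_content, git_content)` together with the home-dir and var_lib search calls would go into this section, and the NFS/CIFS handling could sit next to the `git_system_use_nfs` tunable_policy that the hunk header for line 156 shows already exists above. The `files_dontaudit_getattr_tmp_dirs` and `auth_use_nsswitch` additions carry no rationale; a one-line comment stating which cgit/gitweb behaviour needs each would help later maintainers decide whether they still apply. The enclosing Git CGI section starts before the hunk (`apache_content_template(git)` appears only as context).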