From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 26 Aug 2011 09:46:01 -0400 Subject: [refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types In-Reply-To: <1314189346-10866-7-git-send-email-domg472@gmail.com> References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-7-git-send-email-domg472@gmail.com> Message-ID: <4E57A399.8030509@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/24/11 08:35, Dominick Grift wrote: > In my previous commit i promised i would try to explain the use of the git_content attribute. > It is a attribute to asign to existing and to be create shared and private repository types. > > In this commit we are using this attribute to allow Git system daemon to read and serve any > repository content. We do this because the userdom_git_user_template allows use to provides > administrators with advanced type enforcement possibility to restrict access to > various types of shared repository. In this commit we created the > git_shared_content_template. > > This template allows for easy creation of new shared repository types. > We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces. > This allows us to make a connection between Git user domain and Git shared repository content > types. These interfaces and templates allow administrators to create new Git user domains > and allow the various Git user domains access to specified Git shared repositories. > > This allows administrators to employ Type enforcement for shared repository and Git user separation. > We also created a attribute called git_system_content that is assigned to all types derived from the > prefix that the git_shared_content_template expects. This might be handy if some one later wants a > given Git user domain to have access to any shared repository type and not just the primary > git_sys_content_t repository type. > > Signed-off-by: Dominick Grift > --- > :100644 100644 83356f2... fb27b32... M policy/modules/services/git.if > :100644 100644 8602887... ba56287... M policy/modules/services/git.te > policy/modules/services/git.if | 96 ++++++++++++++++++++++++++++++++++++++++ > policy/modules/services/git.te | 9 ++-- > 2 files changed, 101 insertions(+), 4 deletions(-) > > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > index 83356f2..fb27b32 100644 > --- a/policy/modules/services/git.if > +++ b/policy/modules/services/git.if > @@ -40,6 +40,102 @@ template(`git_session_role_template',` > > ######################################## > ## > +## Create a set of derived types for > +## Git daemon shared repository content. > +## > +## > +## > +## The prefix to be used for deriving type names. > +## > +## > +# > +template(`git_shared_content_template',` > + gen_require(` > + attribute git_system_content, git_content; > + ') > + > + type git_$1_content_t, git_system_content, git_content; > + files_type(git_$1_content_t) > +') I see no need to declare derived types like this. The caller should create a type and call this interface on it, which adds the appropriate attribute(s). > +####################################### > +## > +## Execute specified Git daemon > +## shared repository content files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Type to allow access to. > +## > +## > +# > +interface(`git_exec_spec_shared_content_files',` > + gen_require(` > + type $1, $2; > + ') > + > + exec_files_pattern($1, $2, $2) > + files_search_var_lib($1) > + > + tunable_policy(`git_system_use_cifs',` > + fs_exec_cifs_files($1) > + ') > + > + tunable_policy(`git_system_use_nfs',` > + fs_exec_nfs_files($1) > + ') > +') NAK. Explicit interface(s) needs to be declared in the module that owns the target type. > +####################################### > +## > +## Create, read, write, and delete > +## specified Git daemon shared > +## repository content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Type to allow access to. > +## > +## > +# > +interface(`git_manage_spec_shared_content',` > + gen_require(` > + type $1, $2; > + ') > + > + manage_dirs_pattern($1, $2, $2) > + manage_files_pattern($1, $2, $2) > + files_search_var_lib($1) > + > + tunable_policy(`git_system_use_cifs',` > + fs_manage_cifs_dirs($1) > + fs_manage_cifs_files($1) > + ',` > + fs_dontaudit_manage_cifs_dirs($1) > + fs_dontaudit_manage_cifs_files($1) > + ') > + > + tunable_policy(`git_system_use_nfs',` > + fs_manage_nfs_dirs($1) > + fs_manage_nfs_files($1) > + ',` > + fs_dontaudit_manage_nfs_dirs($1) > + fs_dontaudit_manage_nfs_files($1) > + ') > +') Same thing as previous interface. > +######################################## > +## > ## Read all Git daemon repository > ## content. > ## > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > index 8602887..ba56287 100644 > --- a/policy/modules/services/git.te > +++ b/policy/modules/services/git.te > @@ -51,12 +51,13 @@ gen_tunable(git_system_use_cifs, false) > ## > gen_tunable(git_system_use_nfs, false) > > +attribute git_system_content; > + > type git_system_t, git_daemon; > typealias git_system_t alias gitd_t; > inetd_service_domain(git_system_t, gitd_exec_t) > > -type git_sys_content_t, git_content; > -files_type(git_sys_content_t) > +git_shared_content_template(sys) > > ######################################## > # > @@ -118,8 +119,8 @@ tunable_policy(`use_samba_home_dirs',` > # Git system daemon policy > # > > -list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > -read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > +list_dirs_pattern(git_system_t, git_content, git_content) > +read_files_pattern(git_system_t, git_content, git_content) > files_search_var_lib(git_system_t) > > tunable_policy(`git_system_enable_homedirs',` -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com