From: domg472@gmail.com (Dominick Grift)
Date: Fri, 26 Aug 2011 17:30:11 +0200
Subject: [refpolicy] [ v3 PATCH 4/8] Git session daemon
In-Reply-To: <4E57A0C2.7010407@tresys.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-5-git-send-email-domg472@gmail.com> <4E57A0C2.7010407@tresys.com>
Message-ID: <20110826153009.GA8869@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Wait! There's more. Besides running Git daemon as an inetd service domain, unprivileged users can also
> > run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> > read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> > as Git daemon run by inetd but there are some differences. Most notably is the network access
> > that the Git session daemon requires to listen on the Git port for service.
> >
> > The Git system daemon does not need this because inetd takes care of the network for it.
> > Another difference is that Git session daemon can only read and serve users' Git personal
> > repositories, where Git system daemon can, if configured, read and serve both shared as well
> > as personal repositories. Since much of the policy is common to both session and
> > system, we declared a git_daemon attribute and assigned that to both the Git system and
> > session daemons. This allows us to write policy that both daemons have in common once.
> > Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> > session domain started by unprivileged users and one system domain started by inetd.
> >
> > Fix: since we renamed gitd_t to git_system_t, add alias.
> > Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
>
> Perhaps I missed something, but how did it make sense to separate out
> the content types from this patch?

The git_user_content_t has no relation to git session per se. In the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ... this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not. So they need to be able to manage that.

What if a user creates ~/public_git, and an administrator runs fixfiles relabel or restorecon -R -v /home? Then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.

By splitting the git_user_content_t type from the git session t policy we make it more flexible. An administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.

In short, git_user_content_t and git_session_t aren't strictly related. I was hoping the descriptions accompanying the patches would make that clear.

>
> I'm confused why it's renaming things from previous patches. Why not
> create it right in the first place?

I initially started with gitd_t rather than git_system_t because that made sense at that stage. There was no git_session_t yet at that point. Besides, what does it matter, I created an alias to git_system_t in the patch that introduces git session t.

> git_session_role_template() isn't creating any types, so it should be
> renamed to git_session_role(). Or in light of the previous patches,
> git_role().

OK, that's pretty minor and I can just submit a patch to apply that after the other applicable patches are submitted. If I have to rebase the whole thing for every nit then I'll probably be rebasing until next year.
> > Signed-off-by: Dominick Grift > > --- > > :100644 100644 2be17d2... 17fc624... M policy/modules/roles/staff.te > > :100644 100644 0f96353... 7461e65... M policy/modules/roles/sysadm.te > > :100644 100644 7e9da77... 52156cd... M policy/modules/roles/unprivuser.te > > :100644 100644 6238d54... f1466e1... M policy/modules/services/git.if > > :100644 100644 6c8e672... 7040bf6... M policy/modules/services/git.te > > policy/modules/roles/staff.te | 4 + > > policy/modules/roles/sysadm.te | 4 + > > policy/modules/roles/unprivuser.te | 4 + > > policy/modules/services/git.if | 46 +++++++++++- > > policy/modules/services/git.te | 134 ++++++++++++++++++++++++++---------- > > 5 files changed, 150 insertions(+), 42 deletions(-) > > > > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > > index 2be17d2..17fc624 100644 > > --- a/policy/modules/roles/staff.te > > +++ b/policy/modules/roles/staff.te > > @@ -89,6 +89,10 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > + git_session_role_template(staff_r, staff_t) > > + ') > > + > > + optional_policy(` > > gnome_role(staff_r, staff_t) > > ') > > > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > > index 0f96353..7461e65 100644 > > --- a/policy/modules/roles/sysadm.te > > +++ b/policy/modules/roles/sysadm.te > > @@ -438,6 +438,10 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > + git_session_role_template(sysadm_r, sysadm_t) > > + ') > > + > > + optional_policy(` > > gnome_role(sysadm_r, sysadm_t) > > ') > > > > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > > index 7e9da77..52156cd 100644 > > --- a/policy/modules/roles/unprivuser.te > > +++ b/policy/modules/roles/unprivuser.te > > @@ -62,6 +62,10 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > + git_session_role_template(user_r, user_t) > > + ') > > + > > + optional_policy(` > > gnome_role(user_r, user_t) > > ') 
> > > > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > > index 6238d54..f1466e1 100644 > > --- a/policy/modules/services/git.if > > +++ b/policy/modules/services/git.if > > @@ -2,6 +2,44 @@ > > > > ######################################## > > ## > > +## Role access for Git session daemon. > > +## > > +## > > +## > > +## Role allowed access. > > +## > > +## > > +## > > +## > > +## User domain for the role. > > +## > > +## > > +# > > +template(`git_session_role_template',` > > + gen_require(` > > + type git_session_t, gitd_exec_t; > > + ') > > + > > + ######################################## > > + # > > + # Git session daemon shared declarations > > + # > > + > > + role $1 types git_session_t; > > + > > + ######################################## > > + # > > + # Git session daemon shared policy > > + # > > + > > + domtrans_pattern($2, gitd_exec_t, git_session_t) > > + > > + allow $2 git_session_t:process { ptrace signal_perms }; > > + ps_process_pattern($2, git_session_t) > > +') > > + > > +######################################## > > +## > > ## Execute Git daemon generic shared > > ## repository content files. > > ## > > @@ -19,11 +57,11 @@ interface(`git_exec_generic_sys_content_files',` > > exec_files_pattern($1, git_sys_content_t, git_sys_content_t) > > files_search_var_lib($1) > > > > - tunable_policy(`gitd_use_cifs',` > > + tunable_policy(`git_system_use_cifs',` > > fs_exec_cifs_files($1) > > ') > > > > - tunable_policy(`gitd_use_nfs',` > > + tunable_policy(`git_system_use_nfs',` > > fs_exec_nfs_files($1) > > ') > > ') > > @@ -49,7 +87,7 @@ interface(`git_manage_generic_sys_content',` > > manage_files_pattern($1, git_sys_content_t, git_sys_content_t) > > files_search_var_lib($1) > > > > - tunable_policy(`gitd_use_cifs',` > > + tunable_policy(`git_system_use_cifs',` > > fs_manage_cifs_dirs($1) > > fs_manage_cifs_files($1) > > ',` 
> > @@ -57,7 +95,7 @@ interface(`git_manage_generic_sys_content',` > > fs_dontaudit_manage_cifs_files($1) > > ') > > > > - tunable_policy(`gitd_use_nfs',` > > + tunable_policy(`git_system_use_nfs',` > > fs_manage_nfs_dirs($1) > > fs_manage_nfs_files($1) > > ',` > > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > > index 6c8e672..7040bf6 100644 > > --- a/policy/modules/services/git.te > > +++ b/policy/modules/services/git.te > > @@ -2,93 +2,151 @@ policy_module(git, 1.0) > > > > ######################################## > > # > > -# Declarations > > +# Git daemon global declarations > > +# > > + > > +attribute git_daemon; > > + > > +type gitd_exec_t; > > + > > +######################################## > > +# > > +# Git session daemon declarations > > +# > > + > > +type git_session_t, git_daemon; > > +application_domain(git_session_t, gitd_exec_t) > > +ubac_constrained(git_session_t) > > + > > +type git_user_content_t; > > +userdom_user_home_content(git_user_content_t) > > + > > +######################################## > > +# > > +# Git system daemon declarations > > # > > > > ## > > ##

> > -## Determine whether Git daemon > > +## Determine whether Git system daemon > > ## can search home directories. > > ##

> > ##
> > -gen_tunable(gitd_enable_homedirs, false) > > +gen_tunable(git_system_enable_homedirs, false) > > > > ## > > ##

> > -## Determine whether Git daemon > > +## Determine whether Git system daemon > > ## can access cifs file systems. > > ##

> > ##
> > -gen_tunable(gitd_use_cifs, false) > > +gen_tunable(git_system_use_cifs, false) > > > > ## > > ##

> > -## Determine whether Git daemon > > +## Determine whether Git system daemon > > ## can access nfs file systems. > > ##

> > ##
> > -gen_tunable(gitd_use_nfs, false) > > +gen_tunable(git_system_use_nfs, false) > > > > -type gitd_t; > > -type gitd_exec_t; > > -inetd_service_domain(gitd_t, gitd_exec_t) > > +type git_system_t, git_daemon; > > +typealias git_system_t alias gitd_t; > > +inetd_service_domain(git_system_t, gitd_exec_t) > > > > type git_sys_content_t; > > files_type(git_sys_content_t) > > > > -type git_user_content_t; > > -userdom_user_home_content(git_user_content_t) > > +######################################## > > +# > > +# Git daemon global policy > > +# > > + > > +allow git_daemon self:fifo_file rw_fifo_file_perms; > > +allow git_daemon self:unix_dgram_socket create_socket_perms; > > + > > +kernel_read_system_state(git_daemon) > > + > > +corecmd_exec_bin(git_daemon) > > + > > +files_read_usr_files(git_daemon) > > + > > +auth_use_nsswitch(git_daemon) > > + > > +logging_send_syslog_msg(git_daemon) > > + > > +miscfiles_read_localization(git_daemon) > > > > ######################################## > > # > > -# Local policy > > +# Git session daemon policy > > # > > > > -allow gitd_t self:fifo_file rw_fifo_file_perms; > > -allow gitd_t self:unix_dgram_socket create_socket_perms; > > +allow git_session_t self:tcp_socket { accept listen }; > > > > -list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > -read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > -files_search_var_lib(gitd_t) > > +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) > > +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) > > +userdom_search_user_home_dirs(git_session_t) > > > > -kernel_read_system_state(gitd_t) > > +corenet_all_recvfrom_netlabel(git_session_t) > > +corenet_all_recvfrom_unlabeled(git_session_t) > > +corenet_tcp_bind_generic_node(git_session_t) > > +corenet_tcp_sendrecv_generic_if(git_session_t) > > 
+corenet_tcp_sendrecv_generic_node(git_session_t) > > +corenet_tcp_sendrecv_generic_port(git_session_t) > > +corenet_tcp_bind_git_port(git_session_t) > > +corenet_tcp_sendrecv_git_port(git_session_t) > > +corenet_sendrecv_git_server_packets(git_session_t) > > > > -corecmd_exec_bin(gitd_t) > > +userdom_use_user_terminals(git_session_t) > > > > -files_read_usr_files(gitd_t) > > +tunable_policy(`use_nfs_home_dirs',` > > + fs_read_nfs_files(git_session_t) > > +',` > > + fs_dontaudit_read_nfs_files(git_session_t) > > +') > > > > -auth_use_nsswitch(gitd_t) > > +tunable_policy(`use_samba_home_dirs',` > > + fs_read_cifs_files(git_session_t) > > +',` > > + fs_dontaudit_read_cifs_files(git_session_t) > > +') > > > > -logging_send_syslog_msg(gitd_t) > > +######################################## > > +# > > +# Git system daemon policy > > +# > > > > -miscfiles_read_localization(gitd_t) > > +list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > +read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > +files_search_var_lib(git_system_t) > > > > -tunable_policy(`gitd_enable_homedirs',` > > - userdom_search_user_home_dirs(gitd_t) > > +tunable_policy(`git_system_enable_homedirs',` > > + userdom_search_user_home_dirs(git_system_t) > > ') > > > > -tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',` > > - fs_read_nfs_files(gitd_t) > > +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` > > + fs_read_nfs_files(git_system_t) > > ',` > > - fs_dontaudit_read_nfs_files(gitd_t) > > + fs_dontaudit_read_nfs_files(git_system_t) > > ') > > > > -tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',` > > - fs_read_cifs_files(gitd_t) > > +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` > > + fs_read_cifs_files(git_system_t) > > ',` > > - fs_dontaudit_read_cifs_files(gitd_t) > > + 
fs_dontaudit_read_cifs_files(git_system_t) > > ') > > > > -tunable_policy(`gitd_use_cifs',` > > - fs_read_cifs_files(gitd_t) > > +tunable_policy(`git_system_use_cifs',` > > + fs_read_cifs_files(git_system_t) > > ',` > > - fs_dontaudit_read_cifs_files(gitd_t) > > + fs_dontaudit_read_cifs_files(git_system_t) > > ') > > > > -tunable_policy(`gitd_use_nfs',` > > - fs_read_nfs_files(gitd_t) > > +tunable_policy(`git_system_use_nfs',` > > + fs_read_nfs_files(git_system_t) > > ',` > > - fs_dontaudit_read_nfs_files(gitd_t) > > + fs_dontaudit_read_nfs_files(git_system_t) > > ') > > > > ######################################## > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/ea89b1f9/attachment.bin
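
Review bot: in the policy/modules/services/git.if hunk at @@ -2,6 +2,44 @@, the line `allow $2 git_session_t:process { ptrace signal_perms };` gives every calling user domain ptrace over git_session_t, which is more than a role needs to start, signal and list its own daemon. Consider dropping ptrace and keeping signal_perms together with ps_process_pattern($2, git_session_t), or documenting in the interface header why ptrace is required. The header comment should also say that the second parameter's domain gains a transition into git_session_t through gitd_exec_t, since that is the main effect of calling it from staff.te, sysadm.te and unprivuser.te.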
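
Review bot: in the "Git session daemon policy" section of the policy/modules/services/git.te hunk (@@ -2,93 +2,151 @@), `allow git_session_t self:tcp_socket { accept listen };` grants only accept and listen, although the domain goes on to call corenet_tcp_bind_git_port(git_session_t). If create and bind on the socket are meant to come from one of the interfaces called on git_daemon, a comment naming that interface would make the dependency explicit; otherwise grant create_stream_socket_perms here. In the same section, corenet_tcp_sendrecv_generic_port(git_session_t) looks wider than needed for a daemon that binds only the Git port and already has corenet_tcp_sendrecv_git_port(git_session_t); it could be dropped unless there is a denial that justifies it.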