From: domg472@gmail.com (Dominick Grift) Date: Fri, 26 Aug 2011 17:46:48 +0200 Subject: [refpolicy] [ v3 PATCH 6/8] Git shared repository separation and custom shared repository types In-Reply-To: <4E57A399.8030509@tresys.com> References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-7-git-send-email-domg472@gmail.com> <4E57A399.8030509@tresys.com> Message-ID: <20110826154647.GD8869@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, Aug 26, 2011 at 09:46:01AM -0400, Christopher J. PeBenito wrote: > On 08/24/11 08:35, Dominick Grift wrote: > > In my previous commit i promised i would try to explain the use of the git_content attribute. > > It is a attribute to asign to existing and to be create shared and private repository types. > > > > In this commit we are using this attribute to allow Git system daemon to read and serve any > > repository content. We do this because the userdom_git_user_template allows use to provides > > administrators with advanced type enforcement possibility to restrict access to > > various types of shared repository. In this commit we created the > > git_shared_content_template. > > > > This template allows for easy creation of new shared repository types. > > We also created git_manage_spec_shared_content and git_exec_spec_shared_content_files interfaces. > > This allows us to make a connection between Git user domain and Git shared repository content > > types. These interfaces and templates allow administrators to create new Git user domains > > and allow the various Git user domains access to specified Git shared repositories. > > > > This allows administrators to employ Type enforcement for shared repository and Git user separation. > > We also created a attribute called git_system_content that is assigned to all types derived from the > > prefix that the git_shared_content_template expects. This might be handy if some one later wants a > > given Git user domain to have access to any shared repository type and not just the primary > > git_sys_content_t repository type. > > > > Signed-off-by: Dominick Grift > > --- > > :100644 100644 83356f2... fb27b32... M policy/modules/services/git.if > > :100644 100644 8602887... ba56287... M policy/modules/services/git.te > > policy/modules/services/git.if | 96 ++++++++++++++++++++++++++++++++++++++++ > > policy/modules/services/git.te | 9 ++-- > > 2 files changed, 101 insertions(+), 4 deletions(-) > > > > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > > index 83356f2..fb27b32 100644 > > --- a/policy/modules/services/git.if > > +++ b/policy/modules/services/git.if > > @@ -40,6 +40,102 @@ template(`git_session_role_template',` > > > > ######################################## > > ## > > +## Create a set of derived types for > > +## Git daemon shared repository content. > > +## > > +## > > +## > > +## The prefix to be used for deriving type names. > > +## > > +## > > +# > > +template(`git_shared_content_template',` > > + gen_require(` > > + attribute git_system_content, git_content; > > + ') > > + > > + type git_$1_content_t, git_system_content, git_content; > > + files_type(git_$1_content_t) > > +') > > I see no need to declare derived types like this. The caller should > create a type and call this interface on it, which adds the appropriate > attribute(s). Ok i did that before but i thought this would be more appropriate. (like the apache_content_template) Is there any compelling reason as to why the caller should create a type rather than this template? I personally like this better because it makes it easier to create new git shared content and it forces the git shared content to be uniformely named (git_*_content_t) > > > +####################################### > > +## > > +## Execute specified Git daemon > > +## shared repository content files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Type to allow access to. > > +## > > +## > > +# > > +interface(`git_exec_spec_shared_content_files',` > > + gen_require(` > > + type $1, $2; > > + ') > > + > > + exec_files_pattern($1, $2, $2) > > + files_search_var_lib($1) > > + > > + tunable_policy(`git_system_use_cifs',` > > + fs_exec_cifs_files($1) > > + ') > > + > > + tunable_policy(`git_system_use_nfs',` > > + fs_exec_nfs_files($1) > > + ') > > +') > > NAK. Explicit interface(s) needs to be declared in the module that owns > the target type. But the target type does not exist at that point... I guess if we cannot implement this we lift the entrance barrier. So ok, then we not add this fine but it will make it a hell of a lot harder for joe admin to employ selinux type enforcement to implement repository seperation... > > > +####################################### > > +## > > +## Create, read, write, and delete > > +## specified Git daemon shared > > +## repository content. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Type to allow access to. > > +## > > +## > > +# > > +interface(`git_manage_spec_shared_content',` > > + gen_require(` > > + type $1, $2; > > + ') > > + > > + manage_dirs_pattern($1, $2, $2) > > + manage_files_pattern($1, $2, $2) > > + files_search_var_lib($1) > > + > > + tunable_policy(`git_system_use_cifs',` > > + fs_manage_cifs_dirs($1) > > + fs_manage_cifs_files($1) > > + ',` > > + fs_dontaudit_manage_cifs_dirs($1) > > + fs_dontaudit_manage_cifs_files($1) > > + ') > > + > > + tunable_policy(`git_system_use_nfs',` > > + fs_manage_nfs_dirs($1) > > + fs_manage_nfs_files($1) > > + ',` > > + fs_dontaudit_manage_nfs_dirs($1) > > + fs_dontaudit_manage_nfs_files($1) > > + ') > > +') > > Same thing as previous interface. > > > +######################################## > > +## > > ## Read all Git daemon repository > > ## content. > > ## > > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > > index 8602887..ba56287 100644 > > --- a/policy/modules/services/git.te > > +++ b/policy/modules/services/git.te > > @@ -51,12 +51,13 @@ gen_tunable(git_system_use_cifs, false) > > ## > > gen_tunable(git_system_use_nfs, false) > > > > +attribute git_system_content; > > + > > type git_system_t, git_daemon; > > typealias git_system_t alias gitd_t; > > inetd_service_domain(git_system_t, gitd_exec_t) > > > > -type git_sys_content_t, git_content; > > -files_type(git_sys_content_t) > > +git_shared_content_template(sys) > > > > ######################################## > > # > > @@ -118,8 +119,8 @@ tunable_policy(`use_samba_home_dirs',` > > # Git system daemon policy > > # > > > > -list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > -read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t }) > > +list_dirs_pattern(git_system_t, git_content, git_content) > > +read_files_pattern(git_system_t, git_content, git_content) > > files_search_var_lib(git_system_t) > > > > tunable_policy(`git_system_enable_homedirs',` > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/a92fa661/attachment-0001.bin