From: domg472@gmail.com (Dominick Grift) Date: Fri, 26 Aug 2011 18:14:03 +0200 Subject: [refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute In-Reply-To: <4E57A131.3070703@tresys.com> References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-6-git-send-email-domg472@gmail.com> <4E57A131.3070703@tresys.com> Message-ID: <20110826161402.GE8869@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote: > On 08/24/11 08:35, Dominick Grift wrote: > > Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain. > > The policy in this commit was taken from Fedora. It is well tested i believe. > > These web applications display Git repositories. And they Should be able to read any Git > > repository whether shared or personal. We implemented another attribute for it called git_content. > > Really all repos? It seems like access to user repos should be tunable. I guess it could be tunable but is it really worth that? i mean these git webapps are made to read git content. thats their sole purpose. We could +implement a tunable for access to git_user_content_t but it seems a bit overdone. But if you want it tunable it will be my please to submit a follow up patch to fix this or a replacement. By the way i already mentioned this but this httpd cgi domains should be in httpd.te. because it makes for example the git module dependent on the +apache module whilst, git can work fine without httpd. > > > This attribute will be assigned to any and all Git repository content types, either existing or > > to be created. Hopefully the next commit should explain why this attribute makes sense. > > > > Signed-off-by: Dominick Grift > > --- > > :100644 100644 7314ecb... c005782... M policy/modules/services/git.fc > > :100644 100644 f1466e1... 83356f2... M policy/modules/services/git.if > > :100644 100644 7040bf6... 8602887... M policy/modules/services/git.te > > policy/modules/services/git.fc | 4 ++- > > policy/modules/services/git.if | 46 ++++++++++++++++++++++++++++++++++++++++ > > policy/modules/services/git.te | 11 +++++++- > > 3 files changed, 58 insertions(+), 3 deletions(-) > > > > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc > > index 7314ecb..c005782 100644 > > --- a/policy/modules/services/git.fc > > +++ b/policy/modules/services/git.fc > > @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) > > > > /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) > > > > -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > > +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > > > > /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) > > > > /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > > +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) > > +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > > index f1466e1..83356f2 100644 > > --- a/policy/modules/services/git.if > > +++ b/policy/modules/services/git.if > > @@ -40,6 +40,52 @@ template(`git_session_role_template',` > > > > ######################################## > > ## > > +## Read all Git daemon repository > > +## content. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`git_read_all_content',` > > + gen_require(` > > + attribute git_content; > > + ') > > + > > + list_dirs_pattern($1, git_content, git_content) > > + read_files_pattern($1, git_content, git_content) > > + userdom_search_user_home_dirs($1) > > + files_search_var_lib($1) > > + > > + tunable_policy(`use_nfs_home_dirs',` > > + fs_read_nfs_files($1) > > + ',` > > + fs_dontaudit_read_nfs_files($1) > > + ') > > + > > + tunable_policy(`use_samba_home_dirs',` > > + fs_read_cifs_files($1) > > + ',` > > + fs_dontaudit_read_cifs_files($1) > > + ') > > + > > + tunable_policy(`git_system_use_cifs',` > > + fs_read_cifs_files($1) > > + ',` > > + fs_dontaudit_read_cifs_files($1) > > + ') > > + > > + tunable_policy(`git_system_use_nfs',` > > + fs_read_nfs_files($1) > > + ',` > > + fs_dontaudit_read_nfs_files($1) > > + ') > > +') > > + > > +######################################## > > +## > > ## Execute Git daemon generic shared > > ## repository content files. > > ## > > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > > index 7040bf6..8602887 100644 > > --- a/policy/modules/services/git.te > > +++ b/policy/modules/services/git.te > > @@ -5,6 +5,7 @@ policy_module(git, 1.0) > > # Git daemon global declarations > > # > > > > +attribute git_content; > > attribute git_daemon; > > > > type gitd_exec_t; > > @@ -18,7 +19,7 @@ type git_session_t, git_daemon; > > application_domain(git_session_t, gitd_exec_t) > > ubac_constrained(git_session_t) > > > > -type git_user_content_t; > > +type git_user_content_t, git_content; > > userdom_user_home_content(git_user_content_t) > > > > ######################################## > > @@ -54,7 +55,7 @@ type git_system_t, git_daemon; > > typealias git_system_t alias gitd_t; > > inetd_service_domain(git_system_t, gitd_exec_t) > > > > -type git_sys_content_t; > > +type git_sys_content_t, git_content; > > files_type(git_sys_content_t) > > > > ######################################## > > @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',` > > # > > > > apache_content_template(git) > > + > > +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) > > + > > +auth_use_nsswitch(httpd_git_script_t) > > + > > +git_read_all_content(httpd_git_script_t) > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/c8d7aec0/attachment.bin