From: domg472@gmail.com (Dominick Grift) Date: Sat, 27 Aug 2011 15:15:14 +0200 Subject: [refpolicy] [ RFC] 1/1] This is my proposal to deal with the following concerned raised in previous patch set: Message-ID: <20110827131511.GA24005@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 1. having a git specific template in the userdom module (userdom_git_user_template) renamed userdom_git_user_template to userdom_minimal_user_template. Edited userdom_base_user_template to use the userdom_minimal_user_template. removed all policy that does not belong in userdom_minimal_user_template. 2. remove git_manage/exec_spec_share_content because the target type is not declared in git module. Now the target type is declared in the git module. 3. now it makes sense to declare git_$1_content_t. one template to create a new git user domain and a corresponding git shared content type, and to give that git user access to that new git shared content type. Cons: We dont have a git_manage/exec_spec_shared_content(_files) interface anymore so giving any git user domains access to other shared content types cannot be facilitated with interfaces (admins need to create rules from avc denials) Signed-off-by: Dominick Grift --- :100644 100644 f5aa6cb... 82138a1... M policy/modules/roles/git_shell.te :100644 100644 e4d689b... afed175... M policy/modules/services/git.if :100644 100644 5c30b4b... c12a4b1... M policy/modules/system/userdomain.if policy/modules/roles/git_shell.te | 2 +- policy/modules/services/git.if | 85 +++++++++-------------------------- policy/modules/system/userdomain.if | 56 ++++++++++------------- 3 files changed, 47 insertions(+), 96 deletions(-) diff --git a/policy/modules/roles/git_shell.te b/policy/modules/roles/git_shell.te index f5aa6cb..82138a1 100644 --- a/policy/modules/roles/git_shell.te +++ b/policy/modules/roles/git_shell.te 
@@ -5,7 +5,7 @@ policy_module(git_shell, 1.0.0) # Declarations # -userdom_git_user_template(git_shell) +git_shared_content_template(git_shell) ######################################## # diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if index e4d689b..afed175 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if 
@@ -67,83 +67,42 @@ template(`git_shared_content_template',` attribute git_system_content, git_content; ') + userdom_minimal_user_template($1) + userdom_unpriv_userdomain($1_t) + type git_$1_content_t, git_system_content, git_content; files_type(git_$1_content_t) -') - -####################################### -## -## Execute specified Git daemon -## shared repository content files. -## -## -## -## Domain allowed access. -## -## -## -## -## Type to allow access to. -## -## -# -interface(`git_exec_spec_shared_content_files',` - gen_require(` - type $1, $2; - ') - exec_files_pattern($1, $2, $2) - files_search_var_lib($1) + exec_files_pattern($1_t, git_$1_content_t, git_$1_content_t) + manage_dirs_pattern($1_t, git_$1_content_t, git_$1_content_t) + manage_files_pattern($1_t, git_$1_content_t, git_$1_content_t) + files_search_var_lib($1_t) - tunable_policy(`git_system_use_cifs',` - fs_exec_cifs_files($1) - ') + kernel_read_system_state($1_t) - tunable_policy(`git_system_use_nfs',` - fs_exec_nfs_files($1) - ') -') + auth_use_nsswitch($1_t) -####################################### -## -## Create, read, write, and delete -## specified Git daemon shared -## repository content. -## -## -## -## Domain allowed access. -## -## -## -## -## Type to allow access to. 
-## -## -# -interface(`git_manage_spec_shared_content',` - gen_require(` - type $1, $2; - ') + git_exec_generic_sys_content_files($1_t) + git_manage_generic_sys_content($1_t) - manage_dirs_pattern($1, $2, $2) - manage_files_pattern($1, $2, $2) - files_search_var_lib($1) + ssh_rw_stream_sockets($1_t) tunable_policy(`git_system_use_cifs',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) + fs_exec_cifs_files($1_t) + fs_manage_cifs_dirs($1_t) + fs_manage_cifs_files($1_t) ',` - fs_dontaudit_manage_cifs_dirs($1) - fs_dontaudit_manage_cifs_files($1) + fs_dontaudit_manage_cifs_dirs($1_t) + fs_dontaudit_manage_cifs_files($1_t) ') tunable_policy(`git_system_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) + fs_exec_nfs_files($1_t) + fs_manage_nfs_dirs($1_t) + fs_manage_nfs_files($1_t) ',` - fs_dontaudit_manage_nfs_dirs($1) - fs_dontaudit_manage_nfs_files($1) + fs_dontaudit_manage_nfs_dirs($1_t) + fs_dontaudit_manage_nfs_files($1_t) ') ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 5c30b4b..c12a4b1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -2,7 +2,7 @@ ####################################### ## -## Template for creating Git users. +## Template for creating minimal users. ## ## ## @@ -11,9 +11,9 @@ ## ## # -template(`userdom_git_user_template',` +template(`userdom_minimal_user_template',` gen_require(` - attribute unpriv_userdomain, userdomain; + attribute userdomain; class context contains; role system_r; ') @@ -23,7 +23,7 @@ template(`userdom_git_user_template',` # Declarations # - type $1_t, unpriv_userdomain, userdomain; + type $1_t, userdomain; domain_type($1_t) ubac_constrained($1_t) role $1_r; @@ -38,8 +38,6 @@ template(`userdom_git_user_template',` allow $1_t self:context contains; allow $1_t self:fifo_file rw_fifo_file_perms; - kernel_read_system_state($1_t) - corecmd_exec_bin($1_t) corecmd_bin_entry_type($1_t) corecmd_shell_entry_type($1_t) 
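Review bot: The new body of `git_shared_content_template` gives `$1_t` both `manage_files_pattern` and `exec_files_pattern` on `git_$1_content_t`, so the confined git user can execute, in its own domain, any file it can write into its repository type. If that is intended (repository hooks would be one reason, but that is my assumption), record it above the three pattern lines with a comment such as `# write and exec on the same type is deliberate: <reason>`; otherwise drop `exec_files_pattern`. The `fs_exec_cifs_files($1_t)` and `fs_exec_nfs_files($1_t)` lines extend the same pairing to network filesystems when the tunables are enabled. The template also now creates a user domain and role through `userdom_minimal_user_template($1)`, so its `##` header, which starts above the hunk, should say that it declares `$1_t` and `$1_r` as well as `git_$1_content_t`.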
@@ -53,14 +51,7 @@ template(`userdom_git_user_template',` files_dontaudit_getattr_non_security_pipes($1_t) files_dontaudit_getattr_non_security_sockets($1_t) - auth_use_nsswitch($1_t) - miscfiles_read_localization($1_t) - - git_exec_generic_sys_content_files($1_t) - git_manage_generic_sys_content($1_t) - - ssh_rw_stream_sockets($1_t) ') ####################################### @@ -87,22 +78,12 @@ template(`userdom_git_user_template',` template(`userdom_base_user_template',` gen_require(` - attribute userdomain; type user_devpts_t, user_tty_device_t; - class context contains; ') attribute $1_file_type; - type $1_t, userdomain; - domain_type($1_t) - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) - domain_user_exemption_target($1_t) - ubac_constrained($1_t) - role $1_r; - role $1_r types $1_t; - allow system_r $1_r; + userdom_minimal_user_template($1) term_user_pty($1_t, user_devpts_t) @@ -110,14 +91,12 @@ template(`userdom_base_user_template',` allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow $1_t self:shm create_shm_perms; allow $1_t self:sem create_sem_perms; allow $1_t self:msgq create_msgq_perms; allow $1_t self:msg { send receive }; - allow $1_t self:context contains; dontaudit $1_t self:socket create; allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; 
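Review bot: In the `userdom_base_user_template` hunk (`@@ -87,22 +78,12 @@`) the removed declarations include `domain_user_exemption_target($1_t)`, and none of the visible lines of `userdom_minimal_user_template` show that call, so every domain built from the base template may lose it without notice. Either confirm that the minimal template already makes the call in lines outside these hunks, or keep `domain_user_exemption_target($1_t)` in the base template directly after `userdom_minimal_user_template($1)`. The base template now inherits whatever the minimal template grants, so a header comment such as `## Rules added here apply to every user domain built from userdom_base_user_template.` on the minimal template would help later editors. Both templates start and end outside the hunks shown.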
@@ -157,12 +136,6 @@ template(`userdom_base_user_template',` files_read_world_readable_symlinks($1_t) files_read_world_readable_pipes($1_t) files_read_world_readable_sockets($1_t) - # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) libs_exec_ld_so($1_t) @@ -3271,3 +3244,22 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') + +######################################## +## +## Make the specified domain +## unprivileged user domain. +## +## +## +## Domain to be made usable. +## +## +# +interface(`userdom_unpriv_userdomain',` + gen_require(` + attribute unpriv_userdomain; + ') + + typeattribute $1 unpriv_userdomain; +') -- 1.7.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110827/39edb5f8/attachment.bin
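Review bot: The parameter description of the new `userdom_unpriv_userdomain` interface, "Domain to be made usable.", does not say what the interface does; it should read something like `Domain to be assigned the unpriv_userdomain attribute.`. The summary also needs an article: `Make the specified domain an unprivileged user domain.` Because `typeattribute $1 unpriv_userdomain;` gives the caller's type every rule written against that attribute, the header should state which callers it is meant for, for example domains created with `userdom_minimal_user_template`, if that is the intent.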