From: domg472@gmail.com (Dominick Grift)
Date: Tue, 30 Aug 2011 19:15:31 +0200
Subject: [refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute
In-Reply-To: <4E5CE467.10902@tresys.com>
References: <1314189346-10866-1-git-send-email-domg472@gmail.com> <1314189346-10866-6-git-send-email-domg472@gmail.com> <4E57A131.3070703@tresys.com> <20110826161402.GE8869@localhost.localdomain> <4E5CE467.10902@tresys.com>
Message-ID: <20110830171530.GB6861@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 30, 2011 at 09:23:51AM -0400, Christopher J. PeBenito wrote:
> On 08/26/11 12:14, Dominick Grift wrote:
> > On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 08:35, Dominick Grift wrote:
> >>> Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
> >>> The policy in this commit was taken from Fedora. It is well tested I believe.
> >>> These web applications display Git repositories. And they should be able to read any Git
> >>> repository whether shared or personal. We implemented another attribute for it called git_content.
> >>
> >> Really all repos? It seems like access to user repos should be tunable.
> >
> > I guess it could be tunable but is it really worth that? I mean these git webapps are made to read git content. That's their sole purpose. We could
> > implement a tunable for access to git_user_content_t but it seems a bit overdone.
>
> I understand what you're saying, I'm just thinking that there could be a server
> that has several "system" repos, but have personal user dev repos that shouldn't
> be exported.

Ok, if you want it that way I can do that too. I can't say I agree. I would call this over-engineering. You can configure git to specify which repositories to export and we also have good old DAC.

> > But if you want it tunable it will be my pleasure to submit a follow up patch to fix this or a replacement.
> >
> > By the way I already mentioned this but these httpd cgi domains should be in httpd.te, because it makes for example the git module dependent on the
> > apache module whilst git can work fine without httpd.
>
> You could put that all in an optional.

You cannot make a file context specification optional. If you make an apache content template call optional, for example:

optional_policy(`
	apache_content_template(git)
')

/var/www/cgi-bin/git\.pl -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)

Then it is effectively not optional, because if you decide to disable or de-install the apache module, then the git module will blow up due to the type used in the file context file specification (httpd_git_script_exec_t). It should be in the apache module instead.

>
> >>> This attribute will be assigned to any and all Git repository content types, either existing or
> >>> to be created. Hopefully the next commit should explain why this attribute makes sense.
> >>>
> >>> Signed-off-by: Dominick Grift
> >>> ---
> >>> :100644 100644 7314ecb... c005782... M policy/modules/services/git.fc
> >>> :100644 100644 f1466e1... 83356f2... M policy/modules/services/git.if
> >>> :100644 100644 7040bf6... 8602887... M policy/modules/services/git.te
> >>> policy/modules/services/git.fc | 4 ++-
> >>> policy/modules/services/git.if | 46 ++++++++++++++++++++++++++++++++++++++++
> >>> policy/modules/services/git.te | 11 +++++++-
> >>> 3 files changed, 58 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> >>> index 7314ecb..c005782 100644
> >>> --- a/policy/modules/services/git.fc
> >>> +++ b/policy/modules/services/git.fc
> >>> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) > >>> > >>> /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) > >>> > >>> -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > >>> +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > >>> > >>> /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) > >>> > >>> /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > >>> +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) > >>> +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > >>> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > >>> index f1466e1..83356f2 100644 > >>> --- a/policy/modules/services/git.if > >>> +++ b/policy/modules/services/git.if 
> >>> @@ -40,6 +40,52 @@ template(`git_session_role_template',` > >>> > >>> ######################################## > >>> ## > >>> +## Read all Git daemon repository > >>> +## content. > >>> +## > >>> +## > >>> +## > >>> +## Domain allowed access. > >>> +## > >>> +## > >>> +# > >>> +interface(`git_read_all_content',` > >>> + gen_require(` > >>> + attribute git_content; > >>> + ') > >>> + > >>> + list_dirs_pattern($1, git_content, git_content) > >>> + read_files_pattern($1, git_content, git_content) > >>> + userdom_search_user_home_dirs($1) > >>> + files_search_var_lib($1) > >>> + > >>> + tunable_policy(`use_nfs_home_dirs',` > >>> + fs_read_nfs_files($1) > >>> + ',` > >>> + fs_dontaudit_read_nfs_files($1) > >>> + ') > >>> + > >>> + tunable_policy(`use_samba_home_dirs',` > >>> + fs_read_cifs_files($1) > >>> + ',` > >>> + fs_dontaudit_read_cifs_files($1) > >>> + ') > >>> + > >>> + tunable_policy(`git_system_use_cifs',` > >>> + fs_read_cifs_files($1) > >>> + ',` > >>> + fs_dontaudit_read_cifs_files($1) > >>> + ') > >>> + > >>> + tunable_policy(`git_system_use_nfs',` > >>> + fs_read_nfs_files($1) > >>> + ',` > >>> + fs_dontaudit_read_nfs_files($1) > >>> + ') > >>> +') > >>> + > >>> +######################################## > >>> +## > >>> ## Execute Git daemon generic shared > >>> ## repository content files. > >>> ## > >>> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > >>> index 7040bf6..8602887 100644 > >>> --- a/policy/modules/services/git.te > >>> +++ b/policy/modules/services/git.te > >>> @@ -5,6 +5,7 @@ policy_module(git, 1.0) > >>> # Git daemon global declarations > >>> # > >>> > >>> +attribute git_content; > >>> attribute git_daemon; > >>> > >>> type gitd_exec_t; 
> >>> @@ -18,7 +19,7 @@ type git_session_t, git_daemon; > >>> application_domain(git_session_t, gitd_exec_t) > >>> ubac_constrained(git_session_t) > >>> > >>> -type git_user_content_t; > >>> +type git_user_content_t, git_content; > >>> userdom_user_home_content(git_user_content_t) > >>> > >>> ######################################## > >>> @@ -54,7 +55,7 @@ type git_system_t, git_daemon; > >>> typealias git_system_t alias gitd_t; > >>> inetd_service_domain(git_system_t, gitd_exec_t) > >>> > >>> -type git_sys_content_t; > >>> +type git_sys_content_t, git_content; > >>> files_type(git_sys_content_t) > >>> > >>> ######################################## > >>> @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',` > >>> # > >>> > >>> apache_content_template(git) > >>> + > >>> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) > >>> + > >>> +auth_use_nsswitch(httpd_git_script_t) > >>> + > >>> +git_read_all_content(httpd_git_script_t) > >> > >> > >> -- > >> Chris PeBenito > >> Tresys Technology, LLC > >> www.tresys.com | oss.tresys.com > >> > >> > >> _______________________________________________ > >> refpolicy mailing list > >> refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110830/fcd8fabd/attachment.bin
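Review bot: in the git.fc hunk, the new `/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` entry has no file class specifier, while the neighbouring executable entries (`/var/www/cgi-bin/cgit -- gen_context(...)`, `/usr/libexec/git-core/git-daemon -- gen_context(...)`) pin the spec to regular files with `--`. As written the entry matches a directory, symlink or any other object at that path; suggest `/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The `-`/`+` pair for `/var/cache/cgit(/.*)?` shows no visible difference and is presumably a whitespace-only change; the commit message should say so.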
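Review bot: in the git.if hunk, `git_read_all_content` carries two conditionals for one rule: the `use_nfs_home_dirs` and `git_system_use_nfs` blocks both expand to `fs_read_nfs_files($1)` / `fs_dontaudit_read_nfs_files($1)`, and the two cifs blocks do the same for `fs_read_cifs_files($1)`. Each pair can be collapsed with an OR, e.g. tunable_policy(`use_nfs_home_dirs || git_system_use_nfs',`, which halves the generated conditional branches and states the intent (either the home-dir export or the system-repo export may sit on NFS) in one place. Also note that the interface reads everything carrying `git_content`, which includes `git_user_content_t`, and unconditionally calls `userdom_search_user_home_dirs($1)`; if the tunable for personal repos discussed earlier in the thread is added, this is where the home-dir search and the user-content read rules would have to move under it.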
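Review bot: in the final git.te hunk, the three new calls on `httpd_git_script_t` sit directly after `apache_content_template(git)`, which is not inside `optional_policy`, so the git module now hard-requires the apache module; this is the dependency the reply above objects to, and the thread's own conclusion is that these rules belong in the apache module. Within the hunk, `auth_use_nsswitch(httpd_git_script_t)` has no comment explaining why a CGI script domain needs name-service lookups; one line above it would help, and the same goes for which access `files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)` is meant to silence. Finally, `git_read_all_content(httpd_git_script_t)` calls the module's own interface from inside git.te; refpolicy style is to write rules for the module's own types directly, so if the call is kept it should be justified (it does keep the nfs/cifs tunables in one place).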
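Added example, not code from this thread or from refpolicy: a small Python checker for the point made in the reply above, that a file context specification cannot be made optional. It parses a constructed git.fc and git.te (samples modelled on the quoted patch, with the apache template wrapped in optional_policy), tracks which types are declared only inside an optional_policy block, and reports the .fc entries that turn that block into a hard dependency. The set of types attributed to apache_content_template is an assumption limited to the three the patch uses. It also lists literal paths that omit a file class specifier, the one fixed-form defect visible in the quoted git.fc hunk.

```python
import re

# Constructed sample of a git.fc, modelled on the entries quoted in the patch
# (tabs replaced by spaces; the checker accepts either).
SAMPLE_FC = """\
HOME_DIR/public_git(/.*)?          gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon   --  gen_context(system_u:object_r:gitd_exec_t,s0)
/var/cache/cgit(/.*)?              gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)?                 gen_context(system_u:object_r:git_sys_content_t,s0)
/var/www/cgi-bin/cgit              --  gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/git(/.*)?                 gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/git/gitweb.cgi            gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
"""

# Constructed sample of a git.te that wraps the apache template in
# optional_policy, the layout the reply argues is not actually optional.
SAMPLE_TE = """\
policy_module(git, 1.0)

attribute git_content;
type gitd_exec_t;
type git_user_content_t, git_content;
type git_sys_content_t, git_content;

optional_policy(`
    apache_content_template(git)
')
"""

# Assumption: the types a template call declares. Only the three
# apache_content_template() types the quoted git.fc uses are listed.
TEMPLATE_TYPES = {
    "apache_content_template": (
        "httpd_{0}_script_exec_t", "httpd_{0}_content_t", "httpd_{0}_rw_content_t",
    ),
}

# path, optional class specifier (--, -d, -l, -s, -c, -b, -p), then the type
# inside gen_context(user:role:type,level).
FC_RE = re.compile(r"^(\S+)(?:\s+(--|-[dlscbp]))?\s+gen_context\(\w+:\w+:(\w+),")
TYPE_RE = re.compile(r"^type\s+(\w+)")
TEMPLATE_RE = re.compile(r"^(\w+_template)\((\w+)\)")


def parse_fc(text):
    """Return [(path_spec, file_class_or_None, type)] for every gen_context entry."""
    entries = []
    for line in text.splitlines():
        m = FC_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def parse_te(text):
    """Return {type_name: True if declared only inside optional_policy} for a .te."""
    declared = {}
    stack = []  # one flag per open m4 block: True when it is optional_policy
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("',"):          # `',`` opens the else branch of the same block
            continue
        if line.endswith("`"):             # optional_policy(` / tunable_policy(`x',`
            stack.append(line.startswith("optional_policy("))
            continue
        if line.startswith("')"):
            if stack:
                stack.pop()
            continue
        in_optional = any(stack)
        m = TYPE_RE.match(line)
        if m:
            declared[m.group(1)] = in_optional
            continue
        m = TEMPLATE_RE.match(line)
        if m and m.group(1) in TEMPLATE_TYPES:
            for pattern in TEMPLATE_TYPES[m.group(1)]:
                declared[pattern.format(m.group(2))] = in_optional
    return declared


def check_fc(fc_text, te_text):
    """Classify each .fc entry's type: 'local', 'optional' (declared only by a call
    inside optional_policy, yet referenced unconditionally by the .fc, so the
    module fails to load when that block is dropped) or 'external' (not declared
    by this .te at all)."""
    declared = parse_te(te_text)
    findings = []
    for path, _fclass, typ in parse_fc(fc_text):
        status = "external" if typ not in declared else ("optional" if declared[typ] else "local")
        findings.append((path, typ, status))
    return findings


def hard_dependencies(fc_text, te_text):
    """Types optional_policy presents as optional but the .fc makes mandatory."""
    return sorted({t for _, t, s in check_fc(fc_text, te_text) if s == "optional"})


def entries_without_file_class(fc_text):
    """Literal paths (no regex metacharacters) that omit the class specifier."""
    return [p for p, fclass, _ in parse_fc(fc_text)
            if fclass is None and not re.search(r"[()?*\[]", p)]


if __name__ == "__main__":
    for path, typ, status in check_fc(SAMPLE_FC, SAMPLE_TE):
        print(f"{status:8} {typ:28} {path}")
    print("hard deps despite optional_policy:", hard_dependencies(SAMPLE_FC, SAMPLE_TE))
    print("literal paths missing a class specifier:", entries_without_file_class(SAMPLE_FC))
```

Run against the samples it reports the three httpd_git_* types as hard dependencies even though their declaring template call is inside optional_policy, which is exactly why the reply says the file context entries have to live in the apache module. The block tracker is deliberately simple (one flag per m4 block) and treats nested tunable_policy and ifdef blocks as non-optional, so a type declared in a tunable block inside an optional block is still reported as optional.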