From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 2 Sep 2011 09:22:14 -0400 Subject: [refpolicy] [ v6 PATCH 1/1] Git daemon policy In-Reply-To: <20110830190905.GA4952@localhost.localdomain> References: <20110830190905.GA4952@localhost.localdomain> Message-ID: <4E60D886.9020902@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/30/11 15:09, Dominick Grift wrote: > Renamed git_session_role_template to git_role as per requested. > Only allow callers of the git_role to manage, execute and relabel git user content as per request. > Make callers of the git_role transition to git session tunable as per request. > Make logging to syslog for git session tunable as per request. > Make git cgi script access to search user home directories tunable as per request. > > Dumbed down policy: > > No longer support git shell, if administrators want this functionality they better start learning how to write selinux policy because it is currently not supported. > Admins best bet is to create a userdomain based off of userdom_restricted_user_template, and allow this user domain to manage and execute git sys content. > > No longer support the use of Type enforcement to enforce git shared repository isolation, There is only one git shared repository type (git_sys_content). If admin wants to use selinux to restrict access to the various shared repositories, then admins best bet currently is to use MCS. Merged, with some adjustment and fixes and without a passive-aggressive commit message. > Signed-off-by: Dominick Grift > --- > :100644 100644 2be17d2... cdc6c98... M policy/modules/roles/staff.te > :100644 100644 0f96353... a27e9a4... M policy/modules/roles/sysadm.te > :100644 100644 7e9da77... 3043ea8... M policy/modules/roles/unprivuser.te > :100644 100644 54f0737... 65b7dbc... M policy/modules/services/git.fc > :100644 100644 458aac6... 6daf082... M policy/modules/services/git.if > :100644 100644 7382f85... 12d93d8... M policy/modules/services/git.te > policy/modules/roles/staff.te | 4 + > policy/modules/roles/sysadm.te | 4 + > policy/modules/roles/unprivuser.te | 4 + > policy/modules/services/git.fc | 12 ++- > policy/modules/services/git.if | 60 +++++++++- > policy/modules/services/git.te | 228 +++++++++++++++++++++++++++++++++++- > 6 files changed, 308 insertions(+), 4 deletions(-) > > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > index 2be17d2..cdc6c98 100644 > --- a/policy/modules/roles/staff.te > +++ b/policy/modules/roles/staff.te > @@ -27,6 +27,10 @@ optional_policy(` > ') > > optional_policy(` > + git_role(staff_r, staff_t) > +') > + > +optional_policy(` > postgresql_role(staff_r, staff_t) > ') > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 0f96353..a27e9a4 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -148,6 +148,10 @@ optional_policy(` > ') > > optional_policy(` > + git_role(sysadm_r, sysadm_t) > +') > + > +optional_policy(` > hostname_run(sysadm_t, sysadm_r) > ') > > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > index 7e9da77..3043ea8 100644 > --- a/policy/modules/roles/unprivuser.te > +++ b/policy/modules/roles/unprivuser.te > @@ -17,6 +17,10 @@ optional_policy(` > ') > > optional_policy(` > + git_role(user_r, user_t) > +') > + > +optional_policy(` > screen_role_template(user, user_r, user_t) > ') > > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc > index 54f0737..65b7dbc 100644 > --- a/policy/modules/services/git.fc > +++ b/policy/modules/services/git.fc > @@ -1,3 +1,11 @@ > -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) > +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) > + > +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) > + > +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) > + > +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) > + > /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) > +/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if > index 458aac6..6daf082 100644 > --- a/policy/modules/services/git.if > +++ b/policy/modules/services/git.if > @@ -1 +1,59 @@ > -## GIT revision control system > +## GIT revision control system. > + > +######################################## > +## > +## Role access for Git session. > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +## > +## User domain for the role. > +## > +## > +# > +template(`git_role',` > + gen_require(` > + type git_session_t, gitd_exec_t, git_user_content_t; > + ') > + > + ######################################## > + # > + # Declarations > + # > + > + ## > + ##

> + ## Determine whether calling user domains > + ## can execute Git daemon in the > + ## git_session_t domain. > + ##

> + ## > + gen_tunable(git_session_users, false) > + > + role $1 types git_session_t; > + > + ######################################## > + # > + # Policy > + # > + > + manage_dirs_pattern($2, git_user_content_t, git_user_content_t) > + relabel_dirs_pattern($2, git_user_content_t, git_user_content_t) > + > + exec_files_pattern($2, git_user_content_t, git_user_content_t) > + manage_files_pattern($2, git_user_content_t, git_user_content_t) > + relabel_files_pattern($2, git_user_content_t, git_user_content_t) > + > + allow $2 git_session_t:process { ptrace signal_perms }; > + ps_process_pattern($2, git_session_t) > + > + tunable_policy(`git_session_users',` > + domtrans_pattern($2, gitd_exec_t, git_session_t) > + ',` > + can_exec($2, gitd_exec_t) > + ') > +') > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te > index 7382f85..12d93d8 100644 > --- a/policy/modules/services/git.te > +++ b/policy/modules/services/git.te > @@ -2,7 +2,233 @@ policy_module(git, 1.0) > > ######################################## > # > -# Declarations > +# Git global declarations > # > > +attribute git_daemon; > + > +type gitd_exec_t; > + > +######################################## > +# > +# Git CGI declarations > +# > + > +## > +##

> +## Determine whether Git CGI > +## can search home directories. > +##

> +## > +gen_tunable(git_cgi_enable_homedirs, false) > + > +## > +##

> +## Determine whether Git CGI > +## can access cifs file systems. > +##

> +## > +gen_tunable(git_cgi_use_cifs, false) > + > +## > +##

> +## Determine whether Git CGI > +## can access nfs file systems. > +##

> +## > +gen_tunable(git_cgi_use_nfs, false) > + > apache_content_template(git) > + > +######################################## > +# > +# Git session declarations > +# > + > +## > +##

> +## Determine whether Git session daemons > +## can send syslog messages. > +##

> +## > +gen_tunable(git_session_send_syslog_msg, false) > + > +type git_session_t, git_daemon; > +application_domain(git_session_t, gitd_exec_t) > +ubac_constrained(git_session_t) > + > +type git_user_content_t; > +userdom_user_home_content(git_user_content_t) > + > +######################################## > +# > +# Git system declarations > +# > + > +## > +##

> +## Determine whether Git system daemon > +## can search home directories. > +##

> +## > +gen_tunable(git_system_enable_homedirs, false) > + > +## > +##

> +## Determine whether Git system daemon > +## can access cifs file systems. > +##

> +## > +gen_tunable(git_system_use_cifs, false) > + > +## > +##

> +## Determine whether Git system daemon > +## can access nfs file systems. > +##

> +## > +gen_tunable(git_system_use_nfs, false) > + > +type git_system_t, git_daemon; > +inetd_service_domain(git_system_t, gitd_exec_t) > + > +type git_sys_content_t; > +files_type(git_sys_content_t) > + > +######################################## > +# > +# Git global policy > +# > + > +allow git_daemon self:fifo_file rw_fifo_file_perms; > + > +kernel_read_system_state(git_daemon) > + > +corecmd_exec_bin(git_daemon) > + > +files_read_usr_files(git_daemon) > + > +fs_search_auto_mountpoints(git_daemon) > + > +auth_use_nsswitch(git_daemon) > + > +miscfiles_read_localization(git_daemon) > + > +######################################## > +# > +# Git session policy > +# > + > +allow git_session_t self:tcp_socket { accept listen }; > + > +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) > +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) > +userdom_search_user_home_dirs(git_session_t) > + > +corenet_all_recvfrom_netlabel(git_session_t) > +corenet_all_recvfrom_unlabeled(git_session_t) > +corenet_tcp_bind_generic_node(git_session_t) > +corenet_tcp_sendrecv_generic_if(git_session_t) > +corenet_tcp_sendrecv_generic_node(git_session_t) > +corenet_tcp_sendrecv_generic_port(git_session_t) > +corenet_tcp_bind_git_port(git_session_t) > +corenet_tcp_sendrecv_git_port(git_session_t) > +corenet_sendrecv_git_server_packets(git_session_t) > + > +userdom_use_user_terminals(git_session_t) > + > +tunable_policy(`git_session_send_syslog_msg',` > + logging_send_syslog_msg(git_session_t) > +') > + > +tunable_policy(`use_nfs_home_dirs',` > + fs_read_nfs_files(git_session_t) > +',` > + fs_dontaudit_read_nfs_files(git_session_t) > +') > + > +tunable_policy(`use_samba_home_dirs',` > + fs_read_cifs_files(git_session_t) > +',` > + fs_dontaudit_read_cifs_files(git_session_t) > +') > + > +######################################## > +# > +# Git system policy > +# > + > +list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) > +read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) > +files_search_var_lib(git_system_t) > + > +logging_send_syslog_msg(git_system_t) > + > +tunable_policy(`git_system_enable_homedirs',` > + userdom_search_user_home_dirs(git_system_t) > +') > + > +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` > + fs_read_nfs_files(git_system_t) > +',` > + fs_dontaudit_read_nfs_files(git_system_t) > +') > + > +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` > + fs_read_cifs_files(git_system_t) > +',` > + fs_dontaudit_read_cifs_files(git_system_t) > +') > + > +tunable_policy(`git_system_use_cifs',` > + fs_read_cifs_files(git_system_t) > +',` > + fs_dontaudit_read_cifs_files(git_system_t) > +') > + > +tunable_policy(`git_system_use_nfs',` > + fs_read_nfs_files(git_system_t) > +',` > + fs_dontaudit_read_nfs_files(git_system_t) > +') > + > +######################################## > +# > +# Git CGI policy > +# > + > +list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) > +read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) > +files_search_var_lib(httpd_git_script_t) > + > +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) > + > +auth_use_nsswitch(httpd_git_script_t) > + > +tunable_policy(`git_cgi_enable_homedirs',` > + userdom_search_user_home_dirs(httpd_git_script_t) > +') > + > +tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` > + fs_read_nfs_files(httpd_git_script_t) > +',` > + fs_dontaudit_read_nfs_files(httpd_git_script_t) > +') > + > +tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` > + fs_read_cifs_files(httpd_git_script_t) > +',` > + fs_dontaudit_read_cifs_files(httpd_git_script_t) > +') > + > +tunable_policy(`git_cgi_use_cifs',` > + fs_read_cifs_files(httpd_git_script_t) > +',` > + fs_dontaudit_read_cifs_files(httpd_git_script_t) > +') > + > +tunable_policy(`git_cgi_use_nfs',` > + fs_read_nfs_files(httpd_git_script_t) > +',` > + fs_dontaudit_read_nfs_files(httpd_git_script_t) > +') -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com