From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 25 Aug 2015 12:22:14 +0200
Subject: [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets
In-Reply-To: <1440429009-2576-2-git-send-email-jason@perfinion.com>
References: <1440429009-2576-1-git-send-email-jason@perfinion.com> <1440429009-2576-2-git-send-email-jason@perfinion.com>
Message-ID: <20150825102214.GB2269@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Aug 24, 2015 at 11:10:08PM +0800, Jason Zaman wrote:
> git_session_t already has these permissions but they are missing on
> git_system_t. Instead add the perms on the git_daemon attribute which
> covers both system and session daemons.

By default git-daemon as a system service is configured with xinetd. The way xinetd works is that it basically handles networking on git daemon's behalf.

I thought I did add support to run git-daemon as a sysv init system service, and I did but this part was missing indeed.

Thanks, merged.

> --- > git.te | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/git.te b/git.te > index 1ca8c24..517d513 100644 > --- a/git.te > +++ b/git.te > @@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t) > # Session policy > # > > -allow git_session_t self:tcp_socket { accept listen }; > - > userdom_search_user_home_dirs(git_session_t) > > corenet_all_recvfrom_netlabel(git_session_t)
> @@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',` > # > > allow git_daemon self:fifo_file rw_fifo_file_perms; > +allow git_daemon self:tcp_socket { accept listen }; > > list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t) > read_files_pattern(git_daemon, git_user_content_t, git_user_content_t) > -- > 2.4.6

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
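Review bot: Dropping `allow git_session_t self:tcp_socket { accept listen };` from the Session policy block (hunk at -103,8) is only safe if git_session_t carries the git_daemon attribute, and its type declaration is not in the visible context. Please confirm that in git.te, since otherwise session daemons lose accept and listen. A one-line comment under "# Session policy" saying the socket permissions now come from the git_daemon rules would save the next reader the same lookup.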
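Review bot: Putting accept and listen on the git_daemon attribute (the added line after the fifo_file rule, hunk at -266,6) also hands them to a git_system_t launched from xinetd, which per the reply in this thread has its networking handled for it. If that extra grant is acceptable for the sake of a single rule, say so in a comment next to `allow git_daemon self:tcp_socket { accept listen };` and note that it exists for standalone, init-started daemons. The hunk shows only accept and listen, so it is also worth checking that the create and bind permissions a standalone listener needs are already granted to git_system_t elsewhere in git.te.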