[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

Christopher J. PeBenito cpebenito at tresys.com
Fri Aug 26 08:35:45 CDT 2011


On 08/24/11 08:35, Dominick Grift wrote:
> Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
> The policy in this commit was taken from Fedora. It is well tested I believe.
> These web applications display Git repositories. And they should be able to read any Git
> repository whether shared or personal. We implemented another attribute for it called git_content.

Really all repos?  It seems like access to user repos should be tunable.

> This attribute will be assigned to any and all Git repository content types, either existing or
> to be created. Hopefully the next commit should explain why this attribute makes sense.
> 
> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> ---
> :100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
> :100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
> :100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
>  policy/modules/services/git.fc |    4 ++-
>  policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/services/git.te |   11 +++++++-
>  3 files changed, 58 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 7314ecb..c005782 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
>  
>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
>  
> -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
>  
>  /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
>  
>  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
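Review bot: the new `/var/www/git/gitweb.cgi` entry at the end of the hunk is missing two things the `/var/www/cgi-bin/cgit` entry two lines above it has: the `.` in `gitweb.cgi` is an unescaped regex metacharacter (refpolicy spells it `gitweb\.cgi`), and there is no `--` file-type field, so a directory or symlink of that name would also be labelled `httpd_git_script_exec_t`. Suggested line: `/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The `/var/cache/cgit` hunk is a whitespace-only change (tab count) and would be cleaner as a separate cleanup commit.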
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index f1466e1..83356f2 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -40,6 +40,52 @@ template(`git_session_role_template',`
>  
>  ########################################
>  ## <summary>
> +##	Read all Git daemon repository
> +##	content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`git_read_all_content',`
> +	gen_require(`
> +		attribute git_content;
> +	')
> +
> +	list_dirs_pattern($1, git_content, git_content)
> +	read_files_pattern($1, git_content, git_content)
> +	userdom_search_user_home_dirs($1)
> +	files_search_var_lib($1)
> +
> +	tunable_policy(`use_nfs_home_dirs',`
> +		fs_read_nfs_files($1)
> +	',`
> +		fs_dontaudit_read_nfs_files($1)
> +	')
> +
> +	tunable_policy(`use_samba_home_dirs',`
> +		fs_read_cifs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +
> +	tunable_policy(`git_system_use_cifs',`
> +		fs_read_cifs_files($1)
> +	',`
> +		fs_dontaudit_read_cifs_files($1)
> +	')
> +
> +	tunable_policy(`git_system_use_nfs',`
> +		fs_read_nfs_files($1)
> +	',`
> +		fs_dontaudit_read_nfs_files($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute Git daemon generic shared
>  ##	repository content files.
>  ## </summary>
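Review bot: the four `tunable_policy` blocks in `git_read_all_content` collapse to two outcomes, since `use_nfs_home_dirs` and `git_system_use_nfs` both grant `fs_read_nfs_files($1)` (likewise `use_samba_home_dirs` and `git_system_use_cifs` both grant `fs_read_cifs_files($1)`); each pair could be folded into one block with an `||` expression, e.g. `tunable_policy(`use_nfs_home_dirs || git_system_use_nfs`,`, to avoid duplicate allow and dontaudit rules. Also, because `git_content` covers both `git_sys_content_t` and `git_user_content_t`, this interface grants access to every user's home repositories unconditionally; the summary should say "all Git repository content (system and user home)" so callers see what they are granting, and a separate interface or tunable for the user-home part would let the caller in git.te make user repos optional.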
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7040bf6..8602887 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -5,6 +5,7 @@ policy_module(git, 1.0)
>  # Git daemon global declarations
>  #
>  
> +attribute git_content;
>  attribute git_daemon;
>  
>  type gitd_exec_t;
> @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
>  application_domain(git_session_t, gitd_exec_t)
>  ubac_constrained(git_session_t)
>  
> -type git_user_content_t;
> +type git_user_content_t, git_content;
>  userdom_user_home_content(git_user_content_t)
>  
>  ########################################
> @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
>  typealias git_system_t alias gitd_t;
>  inetd_service_domain(git_system_t, gitd_exec_t)
>  
> -type git_sys_content_t;
> +type git_sys_content_t, git_content;
>  files_type(git_sys_content_t)
>  
>  ########################################
> @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
>  #
>  
>  apache_content_template(git)
> +
> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> +auth_use_nsswitch(httpd_git_script_t)
> +
> +git_read_all_content(httpd_git_script_t)
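Review bot: `files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)` and `auth_use_nsswitch(httpd_git_script_t)` are not explained anywhere; the commit message only talks about reading repositories. A short comment above each, naming the cgit/gitweb operation that triggers the denial, would save the next reviewer a trip through audit logs. The unconditional `git_read_all_content(httpd_git_script_t)` is also where the "should user repos be tunable" question lands: if that access is meant to be optional, wrap the user-home part here in a `tunable_policy` block rather than granting it by default to a network-facing CGI domain.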


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com