[refpolicy] [ v3 PATCH 4/8] Git session daemon

Dominick Grift domg472 at gmail.com
Fri Aug 26 10:30:11 CDT 2011


On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Wait! There's more. Besides running Git daemon as an inetd service domain, unprivileged users can also
> > run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> > read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> > as Git daemon run by inetd but there are some differences. Most notable is the network access
> > that the Git session daemon requires to listen on the Git port for service.
> > 
> > The Git system daemon does not need this because inetd takes care of the network for it.
> > Another difference is that Git session daemon can only read and serve users' Git personal
> > repositories, where Git system daemon can, if configured, read and serve both shared as well
> > as personal repositories. Since much of the policy is common to both session and
> > system, we declared a git_daemon attribute and assigned that to both the Git system and
> > session daemons. This allows us to write policy that both daemons have in common once,
> > leaving the policy as compact as possible. So now we have two Git daemon domains, one
> > session domain started by unprivileged users and one system domain started by inetd.
> > 
> > Fix: since we renamed gitd_t to git_system_t, add alias.
> > Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
> 
> Perhaps I missed something, but how did it make sense to separate out
> the content types from this patch?

The git_user_content_t has no relation to git session per se. 

In the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
This means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
So they need to be able to manage that. What if a user creates ~/public_git, and an administrator runs fixfiles relabel or restorecon -R -v /home? Then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.

By splitting the git_user_content_t type from the git session t policy we make it more flexible.

An administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.

In short, git_user_content_t and git_session_t aren't strictly related. I was hoping the descriptions accompanying the patches would make that clear.

> 
> I'm confused why it's renaming things from previous patches.  Why not
> create it right in the first place?

I initially started with gitd_t rather than git_system_t because that made sense at that stage. There was no git_session_t yet at that point. Besides, what does it matter, I created an alias to git_system_t in the patch that introduces git session t.


> git_session_role_template() isn't creating any types, so it should be
> renamed to git_session_role().  Or in light of the previous patches,
> git_role().

OK, that's pretty minor and I can just submit a patch to apply that after the other applicable patches are submitted. If I have to rebase the whole thing for every nit then I'll probably be rebasing until next year.

> > Signed-off-by: Dominick Grift <domg472 at gmail.com>
> > ---
> > :100644 100644 2be17d2... 17fc624... M	policy/modules/roles/staff.te
> > :100644 100644 0f96353... 7461e65... M	policy/modules/roles/sysadm.te
> > :100644 100644 7e9da77... 52156cd... M	policy/modules/roles/unprivuser.te
> > :100644 100644 6238d54... f1466e1... M	policy/modules/services/git.if
> > :100644 100644 6c8e672... 7040bf6... M	policy/modules/services/git.te
> >  policy/modules/roles/staff.te      |    4 +
> >  policy/modules/roles/sysadm.te     |    4 +
> >  policy/modules/roles/unprivuser.te |    4 +
> >  policy/modules/services/git.if     |   46 +++++++++++-
> >  policy/modules/services/git.te     |  134 ++++++++++++++++++++++++++----------
> >  5 files changed, 150 insertions(+), 42 deletions(-)
> > 
> > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> > index 2be17d2..17fc624 100644
> > --- a/policy/modules/roles/staff.te
> > +++ b/policy/modules/roles/staff.te
> > @@ -89,6 +89,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(staff_r, staff_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(staff_r, staff_t)
> >  	')
> >  
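
Review bot: Per the hunk header, this optional_policy block appears to be added inside the ifndef(`distro_redhat', ...) section of staff.te, so a build with distro_redhat defined would not associate git_session_t with staff_r or give staff_t the transition. If that is not intended, move the call outside the conditional. The sysadm.te and unprivuser.te hunks show the same header context and need the same check.
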
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 0f96353..7461e65 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -438,6 +438,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(sysadm_r, sysadm_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(sysadm_r, sysadm_t)
> >  	')
> >  
> > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> > index 7e9da77..52156cd 100644
> > --- a/policy/modules/roles/unprivuser.te
> > +++ b/policy/modules/roles/unprivuser.te
> > @@ -62,6 +62,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(user_r, user_t)
> >  	')
> >  
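
Review bot: git_session_role_template(user_r, user_t) is gated only by optional_policy, so every user_t login can start a listener on the Git port as soon as the git module is present. Consider wrapping this call, or the corenet_tcp_bind_git_port(git_session_t) rule in git.te, in a tunable that defaults to false, so that serving ~/public_git over the network is an explicit administrator decision.
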
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index 6238d54..f1466e1 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -2,6 +2,44 @@
> >  
> >  ########################################
> >  ## <summary>
> > +##	Role access for Git session daemon.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +template(`git_session_role_template',`
> > +	gen_require(`
> > +		type git_session_t, gitd_exec_t;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Git session daemon shared declarations
> > +	#
> > +
> > +	role $1 types git_session_t;
> > +
> > +	########################################
> > +	#
> > +	# Git session daemon shared policy
> > +	#
> > +
> > +	domtrans_pattern($2, gitd_exec_t, git_session_t)
> > +
> > +	allow $2 git_session_t:process { ptrace signal_perms };
> > +	ps_process_pattern($2, git_session_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Execute Git daemon generic shared
> >  ##	repository content files.
> >  ## </summary>
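
Review bot: In git_session_role_template, "allow $2 git_session_t:process { ptrace signal_perms };" grants the calling user domain ptrace on the daemon, which is more than is needed to start, list and stop it; signal_perms together with ps_process_pattern($2, git_session_t) already covers that. Suggest dropping ptrace unless there is a concrete debugging use case. Separately, the block declares no types (it only gen_requires git_session_t and gitd_exec_t), so interface() and a name without the _template suffix would fit better than template().
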
> > @@ -19,11 +57,11 @@ interface(`git_exec_generic_sys_content_files',`
> >  	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> >  	files_search_var_lib($1)
> >  
> > -	tunable_policy(`gitd_use_cifs',`
> > +	tunable_policy(`git_system_use_cifs',`
> >  		fs_exec_cifs_files($1)
> >  	')
> >  
> > -	tunable_policy(`gitd_use_nfs',`
> > +	tunable_policy(`git_system_use_nfs',`
> >  		fs_exec_nfs_files($1)
> >  	')
> >  ')
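
Review bot: git_exec_generic_sys_content_files is an interface for an arbitrary caller $1, yet after this rename its CIFS and NFS access is gated on git_system_use_cifs and git_system_use_nfs, names that read as applying to the Git system daemon only. The tunable descriptions in git.te ("Determine whether Git system daemon can access cifs file systems") say the same. Either extend those descriptions to state that the booleans also govern callers of the generic sys content interfaces, or keep a boolean name that is not tied to git_system_t.
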
> > @@ -49,7 +87,7 @@ interface(`git_manage_generic_sys_content',`
> >  	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> >  	files_search_var_lib($1)
> >  
> > -	tunable_policy(`gitd_use_cifs',`
> > +	tunable_policy(`git_system_use_cifs',`
> >  		fs_manage_cifs_dirs($1)
> >  		fs_manage_cifs_files($1)
> >  	',`
> > @@ -57,7 +95,7 @@ interface(`git_manage_generic_sys_content',`
> >  		fs_dontaudit_manage_cifs_files($1)
> >  	')
> >  
> > -	tunable_policy(`gitd_use_nfs',`
> > +	tunable_policy(`git_system_use_nfs',`
> >  		fs_manage_nfs_dirs($1)
> >  		fs_manage_nfs_files($1)
> >  	',`
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 6c8e672..7040bf6 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -2,93 +2,151 @@ policy_module(git, 1.0)
> >  
> >  ########################################
> >  #
> > -# Declarations
> > +# Git daemon global declarations
> > +#
> > +
> > +attribute git_daemon;
> > +
> > +type gitd_exec_t;
> > +
> > +########################################
> > +#
> > +# Git session daemon declarations
> > +#
> > +
> > +type git_session_t, git_daemon;
> > +application_domain(git_session_t, gitd_exec_t)
> > +ubac_constrained(git_session_t)
> > +
> > +type git_user_content_t;
> > +userdom_user_home_content(git_user_content_t)
> > +
> > +########################################
> > +#
> > +# Git system daemon declarations
> >  #
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can search home directories.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_enable_homedirs, false)
> > +gen_tunable(git_system_enable_homedirs, false)
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can access cifs file systems.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_use_cifs, false)
> > +gen_tunable(git_system_use_cifs, false)
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can access nfs file systems.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_use_nfs, false)
> > +gen_tunable(git_system_use_nfs, false)
> >  
> > -type gitd_t;
> > -type gitd_exec_t;
> > -inetd_service_domain(gitd_t, gitd_exec_t)
> > +type git_system_t, git_daemon;
> > +typealias git_system_t alias gitd_t;
> > +inetd_service_domain(git_system_t, gitd_exec_t)
> >  
> >  type git_sys_content_t;
> >  files_type(git_sys_content_t)
> >  
> > -type git_user_content_t;
> > -userdom_user_home_content(git_user_content_t)
> > +########################################
> > +#
> > +# Git daemon global policy
> > +#
> > +
> > +allow git_daemon self:fifo_file rw_fifo_file_perms;
> > +allow git_daemon self:unix_dgram_socket create_socket_perms;
> > +
> > +kernel_read_system_state(git_daemon)
> > +
> > +corecmd_exec_bin(git_daemon)
> > +
> > +files_read_usr_files(git_daemon)
> > +
> > +auth_use_nsswitch(git_daemon)
> > +
> > +logging_send_syslog_msg(git_daemon)
> > +
> > +miscfiles_read_localization(git_daemon)
> >  
> >  ########################################
> >  #
> > -# Local policy
> > +# Git session daemon policy
> >  #
> >  
> > -allow gitd_t self:fifo_file rw_fifo_file_perms;
> > -allow gitd_t self:unix_dgram_socket create_socket_perms;
> > +allow git_session_t self:tcp_socket { accept listen };
> >  
> > -list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -files_search_var_lib(gitd_t)
> > +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
> > +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
> > +userdom_search_user_home_dirs(git_session_t)
> >  
> > -kernel_read_system_state(gitd_t)
> > +corenet_all_recvfrom_netlabel(git_session_t)
> > +corenet_all_recvfrom_unlabeled(git_session_t)
> > +corenet_tcp_bind_generic_node(git_session_t)
> > +corenet_tcp_sendrecv_generic_if(git_session_t)
> > +corenet_tcp_sendrecv_generic_node(git_session_t)
> > +corenet_tcp_sendrecv_generic_port(git_session_t)
> > +corenet_tcp_bind_git_port(git_session_t)
> > +corenet_tcp_sendrecv_git_port(git_session_t)
> > +corenet_sendrecv_git_server_packets(git_session_t)
> >  
> > -corecmd_exec_bin(gitd_t)
> > +userdom_use_user_terminals(git_session_t)
> >  
> > -files_read_usr_files(gitd_t)
> > +tunable_policy(`use_nfs_home_dirs',`
> > +	fs_read_nfs_files(git_session_t)
> > +',`
> > +	fs_dontaudit_read_nfs_files(git_session_t)
> > +')
> >  
> > -auth_use_nsswitch(gitd_t)
> > +tunable_policy(`use_samba_home_dirs',`
> > +	fs_read_cifs_files(git_session_t)
> > +',`
> > +	fs_dontaudit_read_cifs_files(git_session_t)
> > +')
> >  
> > -logging_send_syslog_msg(gitd_t)
> > +########################################
> > +#
> > +# Git system daemon policy
> > +#
> >  
> > -miscfiles_read_localization(gitd_t)
> > +list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +files_search_var_lib(git_system_t)
> >  
> > -tunable_policy(`gitd_enable_homedirs',`
> > -	userdom_search_user_home_dirs(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs',`
> > +	userdom_search_user_home_dirs(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> > -	fs_read_nfs_files(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> > +	fs_read_nfs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_nfs_files(gitd_t)
> > +	fs_dontaudit_read_nfs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> > -	fs_read_cifs_files(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> > +	fs_read_cifs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_cifs_files(gitd_t)
> > +	fs_dontaudit_read_cifs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_use_cifs',`
> > -	fs_read_cifs_files(gitd_t)
> > +tunable_policy(`git_system_use_cifs',`
> > +	fs_read_cifs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_cifs_files(gitd_t)
> > +	fs_dontaudit_read_cifs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_use_nfs',`
> > -	fs_read_nfs_files(gitd_t)
> > +tunable_policy(`git_system_use_nfs',`
> > +	fs_read_nfs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_nfs_files(gitd_t)
> > +	fs_dontaudit_read_nfs_files(git_system_t)
> >  ')
> >  
> >  ########################################
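
Review bot: "type git_user_content_t;" is moved under the "Git session daemon declarations" header, but the system daemon policy further down still lists and reads git_user_content_t, so it is shared content rather than session-specific. Declaring it in the global declarations block next to gitd_exec_t would match how it is used. In the session policy, corenet_tcp_sendrecv_generic_port(git_session_t) looks broader than needed next to corenet_tcp_sendrecv_git_port(git_session_t); please justify it or drop it.
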
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com