[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute
Dominick Grift
domg472 at gmail.com
Fri Aug 26 11:14:03 CDT 2011
On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Cgit and gitweb are both cgi web applications that run in the httpd_git_script_t apache CGI domain.
> > The policy in this commit was taken from Fedora. It is well tested I believe.
> > These web applications display Git repositories. And they should be able to read any Git
> > repository whether shared or personal. We implemented another attribute for it called git_content.
>
> Really all repos? It seems like access to user repos should be tunable.
I guess it could be tunable but is it really worth that? I mean these git webapps are made to read git content. That's their sole purpose. We could implement a tunable for access to git_user_content_t but it seems a bit overdone.
But if you want it tunable it will be my pleasure to submit a follow-up patch to fix this, or a replacement.
By the way, I already mentioned this, but these httpd cgi domains should be in httpd.te, because it makes, for example, the git module dependent on the apache module, whilst git can work fine without httpd.
>
> > This attribute will be assigned to any and all Git repository content types, either existing or
> > to be created. Hopefully the next commit should explain why this attribute makes sense.
> >
> > Signed-off-by: Dominick Grift <domg472 at gmail.com>
> > ---
> > :100644 100644 7314ecb... c005782... M policy/modules/services/git.fc
> > :100644 100644 f1466e1... 83356f2... M policy/modules/services/git.if
> > :100644 100644 7040bf6... 8602887... M policy/modules/services/git.te
> > policy/modules/services/git.fc | 4 ++-
> > policy/modules/services/git.if | 46 ++++++++++++++++++++++++++++++++++++++++
> > policy/modules/services/git.te | 11 +++++++-
> > 3 files changed, 58 insertions(+), 3 deletions(-)
> >
> > diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> > index 7314ecb..c005782 100644
> > --- a/policy/modules/services/git.fc
> > +++ b/policy/modules/services/git.fc
> > @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
> >
> > /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
> >
> > -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> > +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> >
> > /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
> >
> > /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> > +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> > +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
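Review bot: the `-`/`+` pair for `/var/cache/cgit(/.*)?` is identical as quoted, so this looks like a whitespace-only (tab alignment) change; if so, say so in the commit message or drop the churn. Also, `/var/www/git/gitweb.cgi` is a single regular file but lacks the `--` file-type specifier that the neighbouring `/var/www/cgi-bin/cgit --` entry uses; adding `--` keeps the script context from being applied to a directory or symlink of that name. The ordering is fine: `/var/www/git/gitweb.cgi` is both later in the file and more specific than `/var/www/git(/.*)?`, so it takes precedence for the script itself.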
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index f1466e1..83356f2 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -40,6 +40,52 @@ template(`git_session_role_template',`
> >
> > ########################################
> > ## <summary>
> > +## Read all Git daemon repository
> > +## content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`git_read_all_content',`
> > + gen_require(`
> > + attribute git_content;
> > + ')
> > +
> > + list_dirs_pattern($1, git_content, git_content)
> > + read_files_pattern($1, git_content, git_content)
> > + userdom_search_user_home_dirs($1)
> > + files_search_var_lib($1)
> > +
> > + tunable_policy(`use_nfs_home_dirs',`
> > + fs_read_nfs_files($1)
> > + ',`
> > + fs_dontaudit_read_nfs_files($1)
> > + ')
> > +
> > + tunable_policy(`use_samba_home_dirs',`
> > + fs_read_cifs_files($1)
> > + ',`
> > + fs_dontaudit_read_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_cifs',`
> > + fs_read_cifs_files($1)
> > + ',`
> > + fs_dontaudit_read_cifs_files($1)
> > + ')
> > +
> > + tunable_policy(`git_system_use_nfs',`
> > + fs_read_nfs_files($1)
> > + ',`
> > + fs_dontaudit_read_nfs_files($1)
> > + ')
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Execute Git daemon generic shared
> > ## repository content files.
> > ## </summary>
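Review bot: `git_read_all_content` carries two pairs of `tunable_policy` blocks with identical bodies: `use_nfs_home_dirs` and `git_system_use_nfs` both grant `fs_read_nfs_files($1)`, and `use_samba_home_dirs` and `git_system_use_cifs` both grant `fs_read_cifs_files($1)`. Since an allow from one block applies regardless of the dontaudit in the other, the result is correct but redundant; folding each pair into one condition such as `tunable_policy(`use_nfs_home_dirs || git_system_use_nfs',` would be clearer. The `<summary>` should also state that this interface reads personal repositories in user home directories (git_user_content_t carries git_content), because that is exactly the access questioned above and a caller cannot tell it from the name.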
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 7040bf6..8602887 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -5,6 +5,7 @@ policy_module(git, 1.0)
> > # Git daemon global declarations
> > #
> >
> > +attribute git_content;
> > attribute git_daemon;
> >
> > type gitd_exec_t;
> > @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
> > application_domain(git_session_t, gitd_exec_t)
> > ubac_constrained(git_session_t)
> >
> > -type git_user_content_t;
> > +type git_user_content_t, git_content;
> > userdom_user_home_content(git_user_content_t)
> >
> > ########################################
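Review bot: attaching git_content to git_user_content_t is what makes every caller of git_read_all_content() read repositories under HOME_DIR/public_git unconditionally, which is the access Chris asks to make tunable. If that tunable is wanted, the attribute can stay, but the user-content grant would have to be separated from the attribute-based rules (for example by leaving git_user_content_t off the attribute and granting it under a tunable inside the interface); otherwise the commit message should state explicitly that personal repositories are included by design.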
> > @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
> > typealias git_system_t alias gitd_t;
> > inetd_service_domain(git_system_t, gitd_exec_t)
> >
> > -type git_sys_content_t;
> > +type git_sys_content_t, git_content;
> > files_type(git_sys_content_t)
> >
> > ########################################
> > @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
> > #
> >
> > apache_content_template(git)
> > +
> > +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> > +
> > +auth_use_nsswitch(httpd_git_script_t)
> > +
> > +git_read_all_content(httpd_git_script_t)
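Review bot: the commit message does not explain why httpd_git_script_t needs `auth_use_nsswitch()`; that interface grants name-service lookups (passwd/group and whatever NSS is backed by), so please state what gitweb or cgit resolves that requires it. These three rules also extend a domain declared by `apache_content_template(git)`, which reinforces the point in the reply that the httpd CGI domain's policy belongs with the apache module rather than in git.te.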
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com