[refpolicy] [ v3 PATCH 5/8] Gitweb, cgit and the git_content attribute

Dominick Grift domg472 at gmail.com
Tue Aug 30 12:15:31 CDT 2011


On Tue, Aug 30, 2011 at 09:23:51AM -0400, Christopher J. PeBenito wrote:
> On 08/26/11 12:14, Dominick Grift wrote:
> > On Fri, Aug 26, 2011 at 09:35:45AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 08:35, Dominick Grift wrote:
> >>> Cgit and gitweb are both CGI web applications that run in the httpd_git_script_t apache CGI domain.
> >>> The policy in this commit was taken from Fedora. It is well tested, I believe.
> >>> These web applications display Git repositories, and they should be able to read any Git
> >>> repository whether shared or personal. We implemented another attribute for it called git_content.
> >>
> >> Really all repos?  It seems like access to user repos should be tunable.
> > 
> > I guess it could be tunable but is it really worth that? I mean these git webapps are made to read git content. That's their sole purpose. We could
> > implement a tunable for access to git_user_content_t but it seems a bit overdone.
> 
> I understand what you're saying, I'm just thinking that there could be a server
> that has several "system" repos, but have personal user dev repos that shouldn't
> be exported.

Ok, if you want it that way I can do that too. I can't say I agree. I would call this over-engineering. You can configure git to specify which repositories to export, and we also have good old DAC.

> > But if you want it tunable it will be my pleasure to submit a follow-up patch to fix this, or a replacement.
> > 
> > By the way, I already mentioned this, but these httpd CGI domains should be in httpd.te, because it makes for example the git module dependent on the
> > apache module whilst git can work fine without httpd.
> 
> You could put that all in an optional.

You cannot make a file context specification optional.

If you make an apache content template call optional, for example:

optional_policy(`
apache_content_template(git)
')

/var/www/cgi-bin/git\.pl -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)

Then it is effectively not optional, because if you decide to disable or de-install the apache module, the git module will blow up due to the type used in the file context specification (httpd_git_script_exec_t).

It should be in the apache module instead.

> 
> >>> This attribute will be assigned to any and all Git repository content types, either existing or
> >>> to be created. Hopefully the next commit should explain why this attribute makes sense.
> >>>
> >>> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> >>> ---
> >>> :100644 100644 7314ecb... c005782... M	policy/modules/services/git.fc
> >>> :100644 100644 f1466e1... 83356f2... M	policy/modules/services/git.if
> >>> :100644 100644 7040bf6... 8602887... M	policy/modules/services/git.te
> >>>  policy/modules/services/git.fc |    4 ++-
> >>>  policy/modules/services/git.if |   46 ++++++++++++++++++++++++++++++++++++++++
> >>>  policy/modules/services/git.te |   11 +++++++-
> >>>  3 files changed, 58 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> >>> index 7314ecb..c005782 100644
> >>> --- a/policy/modules/services/git.fc
> >>> +++ b/policy/modules/services/git.fc
> >>> @@ -2,8 +2,10 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> >>>  
> >>>  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
> >>>  
> >>> -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> >>> +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> >>>  
> >>>  /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
> >>>  
> >>>  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> >>> +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
> >>> +/var/www/git/gitweb.cgi	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
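Review bot: the new `/var/www/git/gitweb.cgi` entry is missing the `--` file-type specifier that the neighbouring `/var/www/cgi-bin/cgit --` and `git-daemon --` entries carry, and its `.` is unescaped, so the regex also matches a directory of that name or any `gitwebXcgi`; write it as `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`, the same form the `git\.pl` example in this reply uses. The `/var/cache/cgit` change in this hunk is whitespace only and could be dropped to keep the diff focused.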
> >>> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> >>> index f1466e1..83356f2 100644
> >>> --- a/policy/modules/services/git.if
> >>> +++ b/policy/modules/services/git.if
> >>> @@ -40,6 +40,52 @@ template(`git_session_role_template',`
> >>>  
> >>>  ########################################
> >>>  ## <summary>
> >>> +##	Read all Git daemon repository
> >>> +##	content.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##	<summary>
> >>> +##	Domain allowed access.
> >>> +##	</summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`git_read_all_content',`
> >>> +	gen_require(`
> >>> +		attribute git_content;
> >>> +	')
> >>> +
> >>> +	list_dirs_pattern($1, git_content, git_content)
> >>> +	read_files_pattern($1, git_content, git_content)
> >>> +	userdom_search_user_home_dirs($1)
> >>> +	files_search_var_lib($1)
> >>> +
> >>> +	tunable_policy(`use_nfs_home_dirs',`
> >>> +		fs_read_nfs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_nfs_files($1)
> >>> +	')
> >>> +
> >>> +	tunable_policy(`use_samba_home_dirs',`
> >>> +		fs_read_cifs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_cifs_files($1)
> >>> +	')
> >>> +
> >>> +	tunable_policy(`git_system_use_cifs',`
> >>> +		fs_read_cifs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_cifs_files($1)
> >>> +	')
> >>> +
> >>> +	tunable_policy(`git_system_use_nfs',`
> >>> +		fs_read_nfs_files($1)
> >>> +	',`
> >>> +		fs_dontaudit_read_nfs_files($1)
> >>> +	')
> >>> +')
> >>> +
> >>> +########################################
> >>> +## <summary>
> >>>  ##	Execute Git daemon generic shared
> >>>  ##	repository content files.
> >>>  ## </summary>
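Review bot: the four tunable_policy blocks grant the same fs_read_nfs_files / fs_read_cifs_files twice under different booleans, so with use_nfs_home_dirs on and git_system_use_nfs off the domain receives both the allow and the dontaudit rule for NFS files; one block per filesystem on the combined condition (`use_nfs_home_dirs || git_system_use_nfs`, likewise for CIFS) says the same thing without the overlap. The summary "Read all Git daemon repository content" should also state that this covers personal (git_user_content_t, hence the userdom_search_user_home_dirs call) as well as system repositories, since that unconditional access to user repositories is exactly what the thread above is debating; if a tunable is added later, the home-directory part is the piece to split out.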
> >>> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> >>> index 7040bf6..8602887 100644
> >>> --- a/policy/modules/services/git.te
> >>> +++ b/policy/modules/services/git.te
> >>> @@ -5,6 +5,7 @@ policy_module(git, 1.0)
> >>>  # Git daemon global declarations
> >>>  #
> >>>  
> >>> +attribute git_content;
> >>>  attribute git_daemon;
> >>>  
> >>>  type gitd_exec_t;
> >>> @@ -18,7 +19,7 @@ type git_session_t, git_daemon;
> >>>  application_domain(git_session_t, gitd_exec_t)
> >>>  ubac_constrained(git_session_t)
> >>>  
> >>> -type git_user_content_t;
> >>> +type git_user_content_t, git_content;
> >>>  userdom_user_home_content(git_user_content_t)
> >>>  
> >>>  ########################################
> >>> @@ -54,7 +55,7 @@ type git_system_t, git_daemon;
> >>>  typealias git_system_t alias gitd_t;
> >>>  inetd_service_domain(git_system_t, gitd_exec_t)
> >>>  
> >>> -type git_sys_content_t;
> >>> +type git_sys_content_t, git_content;
> >>>  files_type(git_sys_content_t)
> >>>  
> >>>  ########################################
> >>> @@ -155,3 +156,9 @@ tunable_policy(`git_system_use_nfs',`
> >>>  #
> >>>  
> >>>  apache_content_template(git)
> >>> +
> >>> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> >>> +
> >>> +auth_use_nsswitch(httpd_git_script_t)
> >>> +
> >>> +git_read_all_content(httpd_git_script_t)
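Review bot: the three new rules, like the existing apache_content_template(git) call, reference httpd_git_script_t, a type that only exists when the apache module is built, which is the hard dependency on apache raised earlier in this mail and the reason the httpd CGI rules are argued to belong in apache.te rather than here. The hunk also gives no hint why gitweb/cgit need auth_use_nsswitch or trigger getattr on tmp dirs; a one-line comment above each rule would save the next reader a trip through the audit log.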
> >>
> >>
> >> -- 
> >> Chris PeBenito
> >> Tresys Technology, LLC
> >> www.tresys.com | oss.tresys.com
> >>
> >>
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
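As an added illustration of the point made in this mail (not code from the thread or from refpolicy): a small lint that lists the types a module's .fc file labels with that its own .te never declares. The sample .fc and .te text is constructed from the patch quoted above; the flagged httpd_git_* types are the ones apache_content_template(git) creates inside the apache module, i.e. the dependency that a file context specification cannot make optional.

```python
import re

# Constructed sample input: the git.fc entries from the patch quoted in this thread.
GIT_FC = """\
HOME_DIR/public_git(/.*)?         gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon  --  gen_context(system_u:object_r:gitd_exec_t,s0)
/var/cache/cgit(/.*)?             gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)?                gen_context(system_u:object_r:git_sys_content_t,s0)
/var/www/cgi-bin/cgit             --  gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/git(/.*)?                gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/git/gitweb.cgi           gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
"""

# Constructed sample input: what git.te declares itself (abridged from the patch).
# The httpd_git_* types come from apache_content_template(git), i.e. from the
# apache module, so no 'type' statement for them appears here.
GIT_TE = """\
attribute git_content;
type gitd_exec_t;
type git_user_content_t, git_content;
type git_sys_content_t, git_content;
apache_content_template(git)
"""

FC_TYPE = re.compile(r"gen_context\(\w+:\w+:(\w+),")            # user:role:TYPE,level
TE_TYPE = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.MULTILINE)  # type foo_t; / type foo_t, attr;


def declared_types(te_text):
    """Types the module declares with a 'type' statement of its own."""
    return set(TE_TYPE.findall(te_text))


def fc_types(fc_text):
    """Map each type used in the .fc file to the path regexes labelled with it."""
    out = {}
    for line in fc_text.splitlines():
        m = FC_TYPE.search(line)
        if m:
            out.setdefault(m.group(1), []).append(line.split()[0])
    return out


def external_fc_types(fc_text, te_text):
    """Types the .fc file uses but the module's own .te never declares.

    Each one is a hard dependency on the module that does declare it: file
    contexts have no optional_policy block, so it cannot be made optional."""
    local = declared_types(te_text)
    return {t: paths for t, paths in fc_types(fc_text).items() if t not in local}
```

Running `external_fc_types(GIT_FC, GIT_TE)` reports the three httpd_git_* types and the paths labelled with them, while gitd_exec_t and the git_*_content_t types pass because git.te declares them.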