[refpolicy] [ v6 PATCH 1/1] Git daemon policy

Christopher J. PeBenito cpebenito at tresys.com
Fri Sep 2 08:22:14 CDT 2011


On 08/30/11 15:09, Dominick Grift wrote:
>     Renamed git_session_role_template to git_role as per requested.
>     Only allow callers of the git_role to manage, execute and relabel git user content as per request.
>     Make callers of the git_role transition to git session tunable as per request.
>     Make logging to syslog for git session tunable as per request.
>     Make git cgi script access to search user home directories tunable as per request.
> 
> Dumbed down policy:
> 
> No longer support git shell, if administrators want this functionality they better start learning how to write selinux policy because it is currently not supported.
> Admins best bet is to create a userdomain based off of userdom_restricted_user_template, and allow this user domain to manage and execute git sys content.
> 
> No longer support the use of Type enforcement to enforce git shared repository isolation, There is only one git shared repository type (git_sys_content). If admin wants to use selinux to restrict access to the various shared repositories, then admins best bet currently is to use MCS.

Merged, with some adjustment and fixes and without a passive-aggressive commit message.


> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> ---
> :100644 100644 2be17d2... cdc6c98... M	policy/modules/roles/staff.te
> :100644 100644 0f96353... a27e9a4... M	policy/modules/roles/sysadm.te
> :100644 100644 7e9da77... 3043ea8... M	policy/modules/roles/unprivuser.te
> :100644 100644 54f0737... 65b7dbc... M	policy/modules/services/git.fc
> :100644 100644 458aac6... 6daf082... M	policy/modules/services/git.if
> :100644 100644 7382f85... 12d93d8... M	policy/modules/services/git.te
>  policy/modules/roles/staff.te      |    4 +
>  policy/modules/roles/sysadm.te     |    4 +
>  policy/modules/roles/unprivuser.te |    4 +
>  policy/modules/services/git.fc     |   12 ++-
>  policy/modules/services/git.if     |   60 +++++++++-
>  policy/modules/services/git.te     |  228 +++++++++++++++++++++++++++++++++++-
>  6 files changed, 308 insertions(+), 4 deletions(-)
> 
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..cdc6c98 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -27,6 +27,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	git_role(staff_r, staff_t)
> +')
> +
> +optional_policy(`
>  	postgresql_role(staff_r, staff_t)
>  ')
>  
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 0f96353..a27e9a4 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -148,6 +148,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	git_role(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
>  	hostname_run(sysadm_t, sysadm_r)
>  ')
>  
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 7e9da77..3043ea8 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -17,6 +17,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	git_role(user_r, user_t)
> +')
> +
> +optional_policy(`
>  	screen_role_template(user, user_r, user_t)
>  ')
>  
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 54f0737..65b7dbc 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,11 @@
> -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> -/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
> +HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
> +
> +/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
> +
> +/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> +
> +/var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
> +
>  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..6daf082 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,59 @@
> -## <summary>GIT revision control system</summary>
> +## <summary>GIT revision control system.</summary>
> +
> +########################################
> +## <summary>
> +##	Role access for Git session.
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +## </param>
> +#
> +template(`git_role',`
> +	gen_require(`
> +		type git_session_t, gitd_exec_t, git_user_content_t;
> +	')
> +
> +	########################################
> +	#
> +	# Declarations
> +	#
> +
> +	## <desc>
> +	##	<p>
> +	##	Determine whether calling user domains
> +	##	can execute Git daemon in the
> +	##	git_session_t domain.
> +	##	</p>
> +	## </desc>
> +	gen_tunable(git_session_users, false)
> +
> +	role $1 types git_session_t;
> +
> +	########################################
> +	#
> +	# Policy
> +	#
> +
> +	manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
> +	relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
> +
> +	exec_files_pattern($2, git_user_content_t, git_user_content_t)
> +	manage_files_pattern($2, git_user_content_t, git_user_content_t)
> +	relabel_files_pattern($2, git_user_content_t, git_user_content_t)
> +
> +	allow $2 git_session_t:process { ptrace signal_perms };
> +	ps_process_pattern($2, git_session_t)
> +
> +	tunable_policy(`git_session_users',`
> +		domtrans_pattern($2, gitd_exec_t, git_session_t)
> +	',`
> +		can_exec($2, gitd_exec_t)
> +	')
> +')
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7382f85..12d93d8 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -2,7 +2,233 @@ policy_module(git, 1.0)
>  
>  ########################################
>  #
> -# Declarations
> +# Git global declarations
>  #
>  
> +attribute git_daemon;
> +
> +type gitd_exec_t;
> +
> +########################################
> +#
> +# Git CGI declarations
> +#
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git CGI
> +##	can search home directories.
> +##	</p>
> +## </desc>
> +gen_tunable(git_cgi_enable_homedirs, false)
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git CGI
> +##	can access cifs file systems.
> +##	</p>
> +## </desc>
> +gen_tunable(git_cgi_use_cifs, false)
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git CGI
> +##	can access nfs file systems.
> +##	</p>
> +## </desc>
> +gen_tunable(git_cgi_use_nfs, false)
> +
>  apache_content_template(git)
> +
> +########################################
> +#
> +# Git session declarations
> +#
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git session daemons
> +##	can send syslog messages.
> +##	</p>
> +## </desc>
> +gen_tunable(git_session_send_syslog_msg, false)
> +
> +type git_session_t, git_daemon;
> +application_domain(git_session_t, gitd_exec_t)
> +ubac_constrained(git_session_t)
> +
> +type git_user_content_t;
> +userdom_user_home_content(git_user_content_t)
> +
> +########################################
> +#
> +# Git system declarations
> +#
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git system daemon
> +##	can search home directories.
> +##	</p>
> +## </desc>
> +gen_tunable(git_system_enable_homedirs, false)
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git system daemon
> +##	can access cifs file systems.
> +##	</p>
> +## </desc>
> +gen_tunable(git_system_use_cifs, false)
> +
> +## <desc>
> +##	<p>
> +##	Determine whether Git system daemon
> +##	can access nfs file systems.
> +##	</p>
> +## </desc>
> +gen_tunable(git_system_use_nfs, false)
> +
> +type git_system_t, git_daemon;
> +inetd_service_domain(git_system_t, gitd_exec_t)
> +
> +type git_sys_content_t;
> +files_type(git_sys_content_t)
> +
> +########################################
> +#
> +# Git global policy
> +#
> +
> +allow git_daemon self:fifo_file rw_fifo_file_perms;
> +
> +kernel_read_system_state(git_daemon)
> +
> +corecmd_exec_bin(git_daemon)
> +
> +files_read_usr_files(git_daemon)
> +
> +fs_search_auto_mountpoints(git_daemon)
> +
> +auth_use_nsswitch(git_daemon)
> +
> +miscfiles_read_localization(git_daemon)
> +
> +########################################
> +#
> +# Git session policy
> +#
> +
> +allow git_session_t self:tcp_socket { accept listen };
> +
> +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
> +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
> +userdom_search_user_home_dirs(git_session_t)
> +
> +corenet_all_recvfrom_netlabel(git_session_t)
> +corenet_all_recvfrom_unlabeled(git_session_t)
> +corenet_tcp_bind_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_if(git_session_t)
> +corenet_tcp_sendrecv_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_port(git_session_t)
> +corenet_tcp_bind_git_port(git_session_t)
> +corenet_tcp_sendrecv_git_port(git_session_t)
> +corenet_sendrecv_git_server_packets(git_session_t)
> +
> +userdom_use_user_terminals(git_session_t)
> +
> +tunable_policy(`git_session_send_syslog_msg',`
> +	logging_send_syslog_msg(git_session_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs',`
> +	fs_read_nfs_files(git_session_t)
> +',`
> +	fs_dontaudit_read_nfs_files(git_session_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> +	fs_read_cifs_files(git_session_t)
> +',`
> +	fs_dontaudit_read_cifs_files(git_session_t)
> +')
> +
> +########################################
> +#
> +# Git system policy
> +#
> +
> +list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
> +read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
> +files_search_var_lib(git_system_t)
> +
> +logging_send_syslog_msg(git_system_t)
> +
> +tunable_policy(`git_system_enable_homedirs',`
> +	userdom_search_user_home_dirs(git_system_t)
> +')
> +
> +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> +	fs_read_nfs_files(git_system_t)
> +',`
> +	fs_dontaudit_read_nfs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> +	fs_read_cifs_files(git_system_t)
> +',`
> +	fs_dontaudit_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_cifs',`
> +	fs_read_cifs_files(git_system_t)
> +',`
> +	fs_dontaudit_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_nfs',`
> +	fs_read_nfs_files(git_system_t)
> +',`
> +	fs_dontaudit_read_nfs_files(git_system_t)
> +')
> +
> +########################################
> +#
> +# Git CGI policy
> +#
> +
> +list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
> +read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
> +files_search_var_lib(httpd_git_script_t)
> +
> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> +auth_use_nsswitch(httpd_git_script_t)
> +
> +tunable_policy(`git_cgi_enable_homedirs',`
> +	userdom_search_user_home_dirs(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
> +	fs_read_nfs_files(httpd_git_script_t)
> +',`
> +	fs_dontaudit_read_nfs_files(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
> +	fs_read_cifs_files(httpd_git_script_t)
> +',`
> +	fs_dontaudit_read_cifs_files(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_use_cifs',`
> +	fs_read_cifs_files(httpd_git_script_t)
> +',`
> +	fs_dontaudit_read_cifs_files(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_use_nfs',`
> +	fs_read_nfs_files(httpd_git_script_t)
> +',`
> +	fs_dontaudit_read_nfs_files(httpd_git_script_t)
> +')

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list