diff -urN default/domains/program/svn.te current/domains/program/svn.te
--- default/domains/program/svn.te 1970-01-01 01:00:00.000000000 +0100
+++ current/domains/program/svn.te 2002-10-25 14:17:41.000000000 +0200
@@ -0,0 +1,28 @@
+#DESC Subversion revision control system
+#
+# Author: Tom Vogt
+#
+
+#################################
+#
+# Rules for the subversion domains
+#
+# The client programs (svn_exec_t) have a domain defined in
+# macros/program/svn_macros.te
+#
+# svn_repos_t is the type of the repository files.
+#
+type svn_exec_t, file_type, sysadmfile, exec_type;
+type svn_repos_t, file_type;
+
+###############################################################################
+#
+# Rules for the server
+#
+# Subversion server runs as an apache2 module
+#
+ifdef(`apache.te', `
+allow httpd_t svn_repos_t:dir create_dir_perms;
+allow httpd_t svn_repos_t:file create_file_perms;
+')
+
diff -urN default/file_contexts/program/svn.fc current/file_contexts/program/svn.fc
--- default/file_contexts/program/svn.fc 1970-01-01 01:00:00.000000000 +0100
+++ current/file_contexts/program/svn.fc 2002-10-25 14:19:01.000000000 +0200
@@ -0,0 +1,5 @@
+# types for subversion version control system
+/usr/bin/svn system_u:object_r:svn_exec_t
+/usr/bin/svnlook system_u:object_r:svn_exec_t
+/usr/bin/svnadmin system_u:object_r:svn_exec_t
+/var/svn(/.*)? system_u:object_r:svn_repos_t
diff -urN default/macros/program/svn_macros.te current/macros/program/svn_macros.te
--- default/macros/program/svn_macros.te 1970-01-01 01:00:00.000000000 +0100
+++ current/macros/program/svn_macros.te 2002-10-25 15:49:05.000000000 +0200
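Review bot: `svn_repos_t` is declared with only `file_type`, whereas `svn_exec_t` on the line above also carries `sysadmfile`; if the base policy's administrator file access is keyed on that attribute (not visible in this hunk), repositories will be reachable from the admin domain only through the derived svn domain defined in svn_macros.te. Either add the attribute, `type svn_repos_t, file_type, sysadmfile;`, or state in the type comment that the omission is deliberate. The `httpd_t` rules at the end of the hunk grant full create/write/unlink on every `svn_repos_t` directory and file, so a compromised web server reaches all repositories under that type; a one-line comment such as `# httpd_t may write every svn_repos_t repository; DAC on /var/svn is the only per-repository separation` would make that trust assumption explicit for the next reader.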
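Review bot: `/usr/bin/svnadmin` and `/usr/bin/svnlook` are labelled `svn_exec_t`, the same exec type as the interactive client, so any domain that transitions on `svn_exec_t` ends up in the same derived domain for repository administration (create, recover, dump) as for ordinary checkouts. If only administrators are meant to run svnadmin, give it its own exec type, e.g. `/usr/bin/svnadmin system_u:object_r:svnadmin_exec_t`, and transition only the admin domain on it. Otherwise a comment stating that the admin tools deliberately share the client domain would stop the next reviewer from re-raising this.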
@@ -0,0 +1,81 @@
+#
+# Macros for subversion domains.
+#
+# Author: Tom Vogt
+#
+
+#
+# svn_domain(domain_prefix)
+#
+# Define a derived domain for the svn programs when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/svn.te.
+#
+undefine(`svn_domain')
+ifdef(`svn.te', `
+define(`svn_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_svn_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, svn_exec_t, $1_svn_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_svn_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te',
+`allow $1_svn_t $1_gph_t:fd use;
+allow $1_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_svn_t newrole_t:fd use;')
+
+# allow ps to show svn
+allow $1_t $1_svn_t:dir { search getattr read };
+allow $1_t $1_svn_t:{ file lnk_file } { read getattr };
+allow $1_t $1_svn_t:process signal;
+
+# access to the repository
+allow $1_svn_t svn_repos_t:dir create_dir_perms;
+allow $1_svn_t svn_repos_t:file create_file_perms;
+
+# Use the network.
+# 2nd line is for local or labeled networking
+can_network($1_svn_t)
+can_tcp_connect($1_svn_t,httpd_t)
+
+uses_shlib($1_svn_t)
+general_domain_access($1_svn_t)
+general_file_read_access($1_svn_t)
+allow $1_svn_t proc_t:dir { search };
+
+# ignore this stuff, svn works just fine without
+dontaudit $1_svn_t devtty_t:chr_file { read write };
+dontaudit $1_svn_t sysctl_kernel_t:dir { search };
+dontaudit $1_svn_t sysctl_t:dir { search };
+
+
+# Write to the user domain tty.
+allow $1_svn_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_svn_t $1_devpts_t:chr_file rw_file_perms;
+
+
+# Create, access, and remove files in home directory.
+file_type_auto_trans($1_svn_t, $1_home_dir_t, $1_home_t)
+allow $1_svn_t $1_home_t:dir_file_class_set { relabelfrom relabelto };
+allow $1_svn_t $1_home_dir_t:dir { search };
+allow $1_svn_t $1_home_t:dir create_file_perms;
+allow $1_svn_t $1_home_t:file create_file_perms;
+
+# access files under /tmp
+file_type_auto_trans($1_svn_t, tmp_t, $1_tmp_t)
+')
+
+', `
+
+define(`svn_domain',`')
+
+')
diff -urN default/macros/user_macros.te current/macros/user_macros.te
--- default/macros/user_macros.te 2002-10-17 01:24:36.000000000 +0200
+++ current/macros/user_macros.te 2002-10-25 17:31:15.000000000 +0200
@@ -133,6 +133,7 @@
 ifdef(`sendmail.te', `sendmail_user_domain($1)')
 ifdef(`crontab.te', `crontab_domain($1)')
 ifdef(`ssh.te', `ssh_domain($1)')
+ifdef(`svn.te', `svn_domain($1)')
 ifdef(`irc.te', `irc_domain($1)')
 ifdef(`clamav.te', `user_clamscan_domain($1)')
 ifdef(`fingerd.te', `fingerd_macro($1)')
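Review bot: The "access to the repository" rules give every derived `$1_svn_t` full `create_dir_perms`/`create_file_perms` on `svn_repos_t`, so the repository type separates nothing between users — any domain this macro is applied to can create, rewrite or unlink repository files directly, with DAC as the only barrier. Since the client is also given `can_tcp_connect($1_svn_t,httpd_t)` for access through the apache module, consider keeping the direct-file rules only for domains that genuinely use local `file://` repositories, or at least record the assumption, e.g. `# every user svn domain may write svn_repos_t directly; DAC alone separates users`. The `relabelfrom relabelto` line on `$1_home_t` is wider than the "Create, access, and remove files" comment above it describes; as far as this hunk shows both sides are `$1_home_t`, so it only permits relabelling a file to the type it already has — drop it or comment why it is needed. `domain_auto_trans($1_t, svn_exec_t, $1_svn_t)` also fires for svnadmin and svnlook, which svn.fc labels with the same exec type, so the repository-write rules cover administrative commands run from any user domain as well.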
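Review bot: The added `ifdef(`svn.te', `svn_domain($1)')` guards a macro that svn_macros.te already reduces to an empty definition when svn.te is absent, so the outer ifdef is redundant; it does match the surrounding entries' pattern, so keeping it for consistency is reasonable, but a reader may wonder which guard is authoritative. Note also that this line hooks the svn domain into every domain built with this macro, so whichever roles use it (not visible in this hunk) all receive the repository write access granted in svn_macros.te.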