[refpolicy] [ v3 PATCH 4/8] Git session daemon

[domg472@gmail.com (Dominick Grift)]

On Fri, Aug 26, 2011 at 09:33:54AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 08:35, Dominick Grift wrote:
> > Wait! Theres more. Besides running Git daemon as a inetd service domain, unprivileged users can also
> > run Git daemon by executing /usr/libexec/git-core/git-daemon from a shell to allow it to
> > read and serve their Git personal repositories in ~/public_git. It in large parts does the same
> > as Git daemon run by inetd but there are some differences. Most notably is the network access
> > that the Git session daemon requires to listen on the Git port for service.
> > 
> > The Git system daemon does not need this because inetd takes care of the network for it.
> > Another difference is that Git session daemon can only read and serve users Git personal
> > repositories, where Git system daemon can, if configured, read and serve both shared as well
> > as personal repositories. Since much of the policy is common to both session and
> > system, we declared a git_daemon attribute and assigned that to both the Git system and
> > session daemons. This allows use to write policy that both daemon have in common once.
> > Leaving the policy as compact as possible. So now we have two Git daemon domains, one
> > session domain started by unprivileged users and one system domain started by inetd.
> > 
> > Fix: since we renamed gitd_t to git_system_t, add alias.
> > Change back gitd_use_nfs, gitd_use_cifs to git_system_use_nfs and git_system_use_cifs respectively
> 
> Perhaps I missed something, but how did it make sense to separate out
> the content types from this patch?

The git_user_content_t has no relation to git session per se. 

in the git.fc file there is a context spec for HOME_DIR/\public_git(/.*)? ...
this means all login users will get content at ~/public_git labeled git_user_content_t, whether they call git_session_role_template or not.
So they need to be able to manage that. what if a user creates ~/pubic_git, and administrator runs filefiles relabel or restorecon -R -v /home? then ~/public_git will get relabeled to git_user_content_t and that user can no longer interact with it.

By splitting the git_user_content_t type from the git session t policy we make it more flexible.

administrator may want to allow git system domain to read and service ~/public_git even though the user owning it is not allowed to run git session in the git session domain.

in short git_user_content_t and git_session_t arent strictly related. I was hoping the descriptions accompanying the patches would make that clear

> 
> I'm confused why its renaming things from previous patches.  Why not
> create it right in the first place?

I initially started with gitd_t rather than git_system_t because that made sense at that stage. There was no git_session_t yet at that point. Besides, what does it matter i created an alias to git_system_t in the patch that introduce git session t


> git_session_role_template() isn't creating any types, so it should be
> renamed to git_session_role().  Or in light of the previous patches,
> git_role().

Ok that pretty minor and i can just submit a patch to apply that after the other applicable patches are submitted. If i have  to rebase the whole thing for every nit then ill probably be rebasing until next year.

> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 2be17d2... 17fc624... M	policy/modules/roles/staff.te
> > :100644 100644 0f96353... 7461e65... M	policy/modules/roles/sysadm.te
> > :100644 100644 7e9da77... 52156cd... M	policy/modules/roles/unprivuser.te
> > :100644 100644 6238d54... f1466e1... M	policy/modules/services/git.if
> > :100644 100644 6c8e672... 7040bf6... M	policy/modules/services/git.te
> >  policy/modules/roles/staff.te      |    4 +
> >  policy/modules/roles/sysadm.te     |    4 +
> >  policy/modules/roles/unprivuser.te |    4 +
> >  policy/modules/services/git.if     |   46 +++++++++++-
> >  policy/modules/services/git.te     |  134 ++++++++++++++++++++++++++----------
> >  5 files changed, 150 insertions(+), 42 deletions(-)
> > 
> > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> > index 2be17d2..17fc624 100644
> > --- a/policy/modules/roles/staff.te
> > +++ b/policy/modules/roles/staff.te
> > @@ -89,6 +89,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(staff_r, staff_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(staff_r, staff_t)
> >  	')
> >  
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 0f96353..7461e65 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -438,6 +438,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(sysadm_r, sysadm_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(sysadm_r, sysadm_t)
> >  	')
> >  
> > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> > index 7e9da77..52156cd 100644
> > --- a/policy/modules/roles/unprivuser.te
> > +++ b/policy/modules/roles/unprivuser.te
> > @@ -62,6 +62,10 @@ ifndef(`distro_redhat',`
> >  	')
> >  
> >  	optional_policy(`
> > +		git_session_role_template(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >  		gnome_role(user_r, user_t)
> >  	')
> >  
> > diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> > index 6238d54..f1466e1 100644
> > --- a/policy/modules/services/git.if
> > +++ b/policy/modules/services/git.if
> > @@ -2,6 +2,44 @@
> >  
> >  ########################################
> >  ## <summary>
> > +##	Role access for Git session daemon.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +template(`git_session_role_template',`
> > +	gen_require(`
> > +		type git_session_t, gitd_exec_t;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Git session daemon shared declarations
> > +	#
> > +
> > +	role $1 types git_session_t;
> > +
> > +	########################################
> > +	#
> > +	# Git session daemon shared policy
> > +	#
> > +
> > +	domtrans_pattern($2, gitd_exec_t, git_session_t)
> > +
> > +	allow $2 git_session_t:process { ptrace signal_perms };
> > +	ps_process_pattern($2, git_session_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Execute Git daemon generic shared
> >  ##	repository content files.
> >  ## </summary>
> > @@ -19,11 +57,11 @@ interface(`git_exec_generic_sys_content_files',`
> >  	exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
> >  	files_search_var_lib($1)
> >  
> > -	tunable_policy(`gitd_use_cifs',`
> > +	tunable_policy(`git_system_use_cifs',`
> >  		fs_exec_cifs_files($1)
> >  	')
> >  
> > -	tunable_policy(`gitd_use_nfs',`
> > +	tunable_policy(`git_system_use_nfs',`
> >  		fs_exec_nfs_files($1)
> >  	')
> >  ')
> > @@ -49,7 +87,7 @@ interface(`git_manage_generic_sys_content',`
> >  	manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
> >  	files_search_var_lib($1)
> >  
> > -	tunable_policy(`gitd_use_cifs',`
> > +	tunable_policy(`git_system_use_cifs',`
> >  		fs_manage_cifs_dirs($1)
> >  		fs_manage_cifs_files($1)
> >  	',`
> > @@ -57,7 +95,7 @@ interface(`git_manage_generic_sys_content',`
> >  		fs_dontaudit_manage_cifs_files($1)
> >  	')
> >  
> > -	tunable_policy(`gitd_use_nfs',`
> > +	tunable_policy(`git_system_use_nfs',`
> >  		fs_manage_nfs_dirs($1)
> >  		fs_manage_nfs_files($1)
> >  	',`
> > diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> > index 6c8e672..7040bf6 100644
> > --- a/policy/modules/services/git.te
> > +++ b/policy/modules/services/git.te
> > @@ -2,93 +2,151 @@ policy_module(git, 1.0)
> >  
> >  ########################################
> >  #
> > -# Declarations
> > +# Git daemon global declarations
> > +#
> > +
> > +attribute git_daemon;
> > +
> > +type gitd_exec_t;
> > +
> > +########################################
> > +#
> > +# Git session daemon declarations
> > +#
> > +
> > +type git_session_t, git_daemon;
> > +application_domain(git_session_t, gitd_exec_t)
> > +ubac_constrained(git_session_t)
> > +
> > +type git_user_content_t;
> > +userdom_user_home_content(git_user_content_t)
> > +
> > +########################################
> > +#
> > +# Git system daemon declarations
> >  #
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can search home directories.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_enable_homedirs, false)
> > +gen_tunable(git_system_enable_homedirs, false)
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can access cifs file systems.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_use_cifs, false)
> > +gen_tunable(git_system_use_cifs, false)
> >  
> >  ## <desc>
> >  ##	<p>
> > -##	Determine whether Git daemon
> > +##	Determine whether Git system daemon
> >  ##	can access nfs file systems.
> >  ##	</p>
> >  ## </desc>
> > -gen_tunable(gitd_use_nfs, false)
> > +gen_tunable(git_system_use_nfs, false)
> >  
> > -type gitd_t;
> > -type gitd_exec_t;
> > -inetd_service_domain(gitd_t, gitd_exec_t)
> > +type git_system_t, git_daemon;
> > +typealias git_system_t alias gitd_t;
> > +inetd_service_domain(git_system_t, gitd_exec_t)
> >  
> >  type git_sys_content_t;
> >  files_type(git_sys_content_t)
> >  
> > -type git_user_content_t;
> > -userdom_user_home_content(git_user_content_t)
> > +########################################
> > +#
> > +# Git daemon global policy
> > +#
> > +
> > +allow git_daemon self:fifo_file rw_fifo_file_perms;
> > +allow git_daemon self:unix_dgram_socket create_socket_perms;
> > +
> > +kernel_read_system_state(git_daemon)
> > +
> > +corecmd_exec_bin(git_daemon)
> > +
> > +files_read_usr_files(git_daemon)
> > +
> > +auth_use_nsswitch(git_daemon)
> > +
> > +logging_send_syslog_msg(git_daemon)
> > +
> > +miscfiles_read_localization(git_daemon)
> >  
> >  ########################################
> >  #
> > -# Local policy
> > +# Git session daemon policy
> >  #
> >  
> > -allow gitd_t self:fifo_file rw_fifo_file_perms;
> > -allow gitd_t self:unix_dgram_socket create_socket_perms;
> > +allow git_session_t self:tcp_socket { accept listen };
> >  
> > -list_dirs_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -read_files_pattern(gitd_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > -files_search_var_lib(gitd_t)
> > +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
> > +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
> > +userdom_search_user_home_dirs(git_session_t)
> >  
> > -kernel_read_system_state(gitd_t)
> > +corenet_all_recvfrom_netlabel(git_session_t)
> > +corenet_all_recvfrom_unlabeled(git_session_t)
> > +corenet_tcp_bind_generic_node(git_session_t)
> > +corenet_tcp_sendrecv_generic_if(git_session_t)
> > +corenet_tcp_sendrecv_generic_node(git_session_t)
> > +corenet_tcp_sendrecv_generic_port(git_session_t)
> > +corenet_tcp_bind_git_port(git_session_t)
> > +corenet_tcp_sendrecv_git_port(git_session_t)
> > +corenet_sendrecv_git_server_packets(git_session_t)
> >  
> > -corecmd_exec_bin(gitd_t)
> > +userdom_use_user_terminals(git_session_t)
> >  
> > -files_read_usr_files(gitd_t)
> > +tunable_policy(`use_nfs_home_dirs',`
> > +	fs_read_nfs_files(git_session_t)
> > +',`
> > +	fs_dontaudit_read_nfs_files(git_session_t)
> > +')
> >  
> > -auth_use_nsswitch(gitd_t)
> > +tunable_policy(`use_samba_home_dirs',`
> > +	fs_read_cifs_files(git_session_t)
> > +',`
> > +	fs_dontaudit_read_cifs_files(git_session_t)
> > +')
> >  
> > -logging_send_syslog_msg(gitd_t)
> > +########################################
> > +#
> > +# Git system daemon policy
> > +#
> >  
> > -miscfiles_read_localization(gitd_t)
> > +list_dirs_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +read_files_pattern(git_system_t, { git_user_content_t git_sys_content_t }, { git_user_content_t git_sys_content_t })
> > +files_search_var_lib(git_system_t)
> >  
> > -tunable_policy(`gitd_enable_homedirs',`
> > -	userdom_search_user_home_dirs(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs',`
> > +	userdom_search_user_home_dirs(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_enable_homedirs && use_nfs_home_dirs',`
> > -	fs_read_nfs_files(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> > +	fs_read_nfs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_nfs_files(gitd_t)
> > +	fs_dontaudit_read_nfs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_enable_homedirs && use_samba_home_dirs',`
> > -	fs_read_cifs_files(gitd_t)
> > +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> > +	fs_read_cifs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_cifs_files(gitd_t)
> > +	fs_dontaudit_read_cifs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_use_cifs',`
> > -	fs_read_cifs_files(gitd_t)
> > +tunable_policy(`git_system_use_cifs',`
> > +	fs_read_cifs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_cifs_files(gitd_t)
> > +	fs_dontaudit_read_cifs_files(git_system_t)
> >  ')
> >  
> > -tunable_policy(`gitd_use_nfs',`
> > -	fs_read_nfs_files(gitd_t)
> > +tunable_policy(`git_system_use_nfs',`
> > +	fs_read_nfs_files(git_system_t)
> >  ',`
> > -	fs_dontaudit_read_nfs_files(gitd_t)
> > +	fs_dontaudit_read_nfs_files(git_system_t)
> >  ')
> >  
> >  ########################################
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/ea89b1f9/attachment.bin