policy for subversion post-commit hook on fc6 targeted
From: david x callaway @ 2007-03-15 18:51 UTC
To: selinux
problem: allow the subversion post-commit hook to dump svn after each
commit. due to a recent disk death I wanted this to produce two dumps,
one on each of two physical disks. I'm accessing subversion through
apache, and I didn't want to turn selinux off.
note: some of the paths below are specific to my setup, e.g. my repos
are in /usr/local/svn/<repo> directories, but YMMV depending upon how
you set up svn and apache. obviously my backup dirs will probably not
match yours either, and their exact location has some bearing on other
parts of the policy.
note: the regex for the hook itself *should* mean a new repository will
just work with no further intervention, but I didn't test this.
the dump script is simple, basically it does an svnadmin dump into a
directory under /tmp and then copies the dump elsewhere. it takes
advantage of the standard hook script arguments, the repos and the rev,
to produce a file named ${REPONAME}.dump.${REV}, where REPONAME is the
basename of the path to the repo. the copies end up under
/data/svn-bkup and /opt/data/svn-bkup.
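the hook described above, written out as an added example (this is not the author's script, which the post does not include): it builds the ${REPONAME}.dump.${REV} name from the two standard post-commit arguments, dumps into a scratch directory under /tmp and copies the result to both svn-bkup directories. the svnadmin flags (a single-revision incremental dump), the /usr/bin/svnadmin path and the SVNADMIN override are assumptions.

```shell
#!/bin/sh
# Added example of a post-commit hook along the lines described in the post;
# not the author's script. Subversion runs hooks with an empty environment,
# so every path below is absolute.
#
# Invoked by subversion as: post-commit REPOS-PATH REV

# Assumption: where svnadmin lives; SVNADMIN can override it (used by tests).
SVNADMIN=${SVNADMIN:-/usr/bin/svnadmin}

# Dump file name: <basename of the repo path>.dump.<rev>
dump_name() {
    printf '%s.dump.%s\n' "$(basename "$1")" "$2"
}

# backup_commit REPOS REV DEST... : dump revision REV of REPOS into a scratch
# directory under /tmp (httpd_tmp_t under the policy in this post), then copy
# the dump to each DEST (the svn-bkup directories, labelled *_rw_t). Returns
# non-zero and leaves no scratch files behind if any step fails.
backup_commit() {
    repos=$1; rev=$2; shift 2
    name=$(dump_name "$repos" "$rev")
    scratch=${TMPDIR:-/tmp}/svn-dump.$$
    mkdir -p "$scratch" || return 1
    # Assumption: a single-revision incremental dump; drop -r and
    # --incremental for a full dump of the repository on every commit.
    if ! "$SVNADMIN" dump -q -r "$rev" --incremental "$repos" > "$scratch/$name"; then
        rm -rf "$scratch"; return 1
    fi
    for dest in "$@"; do
        if ! mkdir -p "$dest" || ! cp "$scratch/$name" "$dest/$name"; then
            rm -rf "$scratch"; return 1
        fi
    done
    rm -rf "$scratch"
}

# Only act as the hook when invoked by subversion as .../hooks/post-commit.
case $0 in
    */hooks/post-commit) backup_commit "$1" "$2" /data/svn-bkup /opt/data/svn-bkup ;;
esac
```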
to make a long story short, dan walsh helped me out here
http://danwalsh.livejournal.com/8707.html, and asked me to post the
result, which follows. my email client is providing some line breaks
that should be removed.
dan said most of the policy was generated by a new tool, and I went
through a few of the usual audit2allow/add rules cycles before getting
it to work, but thanks to dan it was pretty simple.
dxc
---------- svnpostcommit.fc ----------
# the hook script in any repository under /usr/local/svn is the entrypoint
# for the httpd_svnpostcommit_script_t domain
/usr/local/svn/[^/]+/hooks/post-commit	--	gen_context(system_u:object_r:httpd_svnpostcommit_script_exec_t,s0)

# both backup trees are the script's read-write content type
/opt/data/svn-bkup(/.*)?	gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)
/data/svn-bkup(/.*)?	gen_context(system_u:object_r:httpd_svnpostcommit_script_rw_t,s0)
---------- svnpostcommit.if ----------
## <summary>policy for httpd_svnpostcommit_script</summary>

########################################
## <summary>
##	Execute a domain transition to run httpd_svnpostcommit_script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_domtrans',`
	gen_require(`
		type httpd_svnpostcommit_script_t, httpd_svnpostcommit_script_exec_t;
	')

	# run the hook entrypoint in its own domain
	domain_auto_trans($1,httpd_svnpostcommit_script_exec_t,httpd_svnpostcommit_script_t)

	# let the child use the caller's inherited descriptors and pipes and
	# report its exit status back
	allow httpd_svnpostcommit_script_t $1:fd use;
	allow httpd_svnpostcommit_script_t $1:fifo_file rw_file_perms;
	allow httpd_svnpostcommit_script_t $1:process sigchld;
')

########################################
## <summary>
##	Search httpd_svnpostcommit_script rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_search_rw_dir',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:dir search_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Read httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_read_rw_files',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:file r_file_perms;
	allow $1 httpd_svnpostcommit_script_rw_t:dir list_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd_svnpostcommit_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_svnpostcommit_script_manage_rw_files',`
	gen_require(`
		type httpd_svnpostcommit_script_rw_t;
	')

	allow $1 httpd_svnpostcommit_script_rw_t:file manage_file_perms;
	allow $1 httpd_svnpostcommit_script_rw_t:dir rw_dir_perms;
')
---------- svnpostcommit.te ----------
policy_module(svnpostcommit,1.0.0)

########################################
#
# Declarations
#

require {
	type httpd_t;
	# dxc adds
	type httpd_tmp_t;
	type default_t;
}

# declares httpd_svnpostcommit_script_t, its _exec_t entrypoint and the
# _rw_t content type, wired to httpd_t like any other apache content script
apache_content_template(svnpostcommit)

# tmp files
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;
allow httpd_svnpostcommit_script_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
# files and dirs the hook creates under var_run_t get the rw type
files_pid_filetrans(httpd_svnpostcommit_script_t,httpd_svnpostcommit_script_rw_t,{ file dir })

# apache itself may also manage the backup tree
allow httpd_t httpd_svnpostcommit_script_rw_t:dir create_dir_perms;
allow httpd_t httpd_svnpostcommit_script_rw_t:file manage_file_perms;

# dxc adds
# parent directories of the backup trees that have no file context entry
# (e.g. /data) are labelled default_t; the hook only needs to search through them
allow httpd_svnpostcommit_script_t default_t:dir { search };
# the dump is produced under /tmp, which is httpd_tmp_t for a script run by apache
allow httpd_svnpostcommit_script_t httpd_tmp_t:dir { add_name getattr search write };
allow httpd_svnpostcommit_script_t httpd_tmp_t:file { create getattr read write };