From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ v6 PATCH 1/1] Git daemon policy
Date: Fri, 2 Sep 2011 09:22:14 -0400
Message-ID: <4E60D886.9020902@tresys.com>
In-Reply-To: <20110830190905.GA4952@localhost.localdomain>
On 08/30/11 15:09, Dominick Grift wrote:
> Renamed git_session_role_template to git_role as per requested.
> Only allow callers of the git_role to manage, execute and relabel git user content as per request.
> Make callers of the git_role transition to git session tunable as per request.
> Make logging to syslog for git session tunable as per request.
> Make git cgi script access to search user home directories tunable as per request.
>
> Dumbed down policy:
>
> No longer support git shell; if administrators want this functionality, they had better start learning how to write SELinux policy, because it is currently not supported.
> Admins' best bet is to create a userdomain based off of userdom_restricted_user_template, and allow this user domain to manage and execute git sys content.
>
> No longer support the use of Type Enforcement to enforce git shared repository isolation. There is only one git shared repository type (git_sys_content). If an admin wants to use SELinux to restrict access to the various shared repositories, then the admin's best bet currently is to use MCS.
Merged, with some adjustments and fixes, and without a passive-aggressive commit message.
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 2be17d2... cdc6c98... M policy/modules/roles/staff.te
> :100644 100644 0f96353... a27e9a4... M policy/modules/roles/sysadm.te
> :100644 100644 7e9da77... 3043ea8... M policy/modules/roles/unprivuser.te
> :100644 100644 54f0737... 65b7dbc... M policy/modules/services/git.fc
> :100644 100644 458aac6... 6daf082... M policy/modules/services/git.if
> :100644 100644 7382f85... 12d93d8... M policy/modules/services/git.te
> policy/modules/roles/staff.te | 4 +
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/roles/unprivuser.te | 4 +
> policy/modules/services/git.fc | 12 ++-
> policy/modules/services/git.if | 60 +++++++++-
> policy/modules/services/git.te | 228 +++++++++++++++++++++++++++++++++++-
> 6 files changed, 308 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..cdc6c98 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -27,6 +27,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_role(staff_r, staff_t)
> +')
> +
> +optional_policy(`
> postgresql_role(staff_r, staff_t)
> ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 0f96353..a27e9a4 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -148,6 +148,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_role(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
> hostname_run(sysadm_t, sysadm_r)
> ')
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 7e9da77..3043ea8 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -17,6 +17,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + git_role(user_r, user_t)
> +')
> +
> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
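Review bot: git_role(user_r, user_t) hands every unprivileged user manage and relabel rights over git_user_content_t and, with git_session_users at its default of false, lets user_t run gitd_exec_t via can_exec in its own domain rather than transitioning to git_session_t (see the template in git.if in this same patch). That matches the tunable description, but the commit message should say that the confined session domain is opt-in for unprivileged users, so that an admin reading "Make callers of the git_role transition to git session tunable" knows the default leaves git-daemon in the caller's domain.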
> diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
> index 54f0737..65b7dbc 100644
> --- a/policy/modules/services/git.fc
> +++ b/policy/modules/services/git.fc
> @@ -1,3 +1,11 @@
> -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
> +
> +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
> +
> +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
> +
> +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
> +
> /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
> +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
> +/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
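Review bot: the gitd_exec_t entry only covers /usr/libexec/git-core/git-daemon; Debian-based systems install the binary as /usr/lib/git-core/git-daemon, so add a second entry for that path or neither the git_session_t nor the git_system_t transition will fire there. Also note that /var/lib/git moves from httpd_git_content_t to git_sys_content_t, which relabels existing repositories on the next restorecon; that deserves a line in the commit message, since anything that relied on the old label under /var/lib/git now depends on the git_sys_content_t read rules that git.te gives httpd_git_script_t.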
> diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
> index 458aac6..6daf082 100644
> --- a/policy/modules/services/git.if
> +++ b/policy/modules/services/git.if
> @@ -1 +1,59 @@
> -## <summary>GIT revision control system</summary>
> +## <summary>GIT revision control system.</summary>
> +
> +########################################
> +## <summary>
> +## Role access for Git session.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +template(`git_role',`
> + gen_require(`
> + type git_session_t, gitd_exec_t, git_user_content_t;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + ## <desc>
> + ## <p>
> + ## Determine whether calling user domains
> + ## can execute Git daemon in the
> + ## git_session_t domain.
> + ## </p>
> + ## </desc>
> + gen_tunable(git_session_users, false)
> +
> + role $1 types git_session_t;
> +
> + ########################################
> + #
> + # Policy
> + #
> +
> + manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
> + relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
> +
> + exec_files_pattern($2, git_user_content_t, git_user_content_t)
> + manage_files_pattern($2, git_user_content_t, git_user_content_t)
> + relabel_files_pattern($2, git_user_content_t, git_user_content_t)
> +
> + allow $2 git_session_t:process { ptrace signal_perms };
> + ps_process_pattern($2, git_session_t)
> +
> + tunable_policy(`git_session_users',`
> + domtrans_pattern($2, gitd_exec_t, git_session_t)
> + ',`
> + can_exec($2, gitd_exec_t)
> + ')
> +')
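Review bot: gen_tunable(git_session_users, false) is declared inside the git_role template, so it is expanded once per caller; with staff.te, sysadm.te and unprivuser.te all calling git_role in this patch, the boolean is declared three times in one module and the build fails on the duplicate declaration. Declare it once in git.te under the session declarations, next to git_session_send_syslog_msg, and keep only the tunable_policy(git_session_users, ...) block in the template. The ptrace and signal_perms grant to $2 over git_session_t follows the other role templates, so no change is needed there.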
> diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
> index 7382f85..12d93d8 100644
> --- a/policy/modules/services/git.te
> +++ b/policy/modules/services/git.te
> @@ -2,7 +2,233 @@ policy_module(git, 1.0)
>
> ########################################
> #
> -# Declarations
> +# Git global declarations
> #
>
> +attribute git_daemon;
> +
> +type gitd_exec_t;
> +
> +########################################
> +#
> +# Git CGI declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Git CGI
> +## can search home directories.
> +## </p>
> +## </desc>
> +gen_tunable(git_cgi_enable_homedirs, false)
> +
> +## <desc>
> +## <p>
> +## Determine whether Git CGI
> +## can access cifs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_cgi_use_cifs, false)
> +
> +## <desc>
> +## <p>
> +## Determine whether Git CGI
> +## can access nfs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_cgi_use_nfs, false)
> +
> apache_content_template(git)
> +
> +########################################
> +#
> +# Git session declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Git session daemons
> +## can send syslog messages.
> +## </p>
> +## </desc>
> +gen_tunable(git_session_send_syslog_msg, false)
> +
> +type git_session_t, git_daemon;
> +application_domain(git_session_t, gitd_exec_t)
> +ubac_constrained(git_session_t)
> +
> +type git_user_content_t;
> +userdom_user_home_content(git_user_content_t)
> +
> +########################################
> +#
> +# Git system declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can search home directories.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_enable_homedirs, false)
> +
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can access cifs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_use_cifs, false)
> +
> +## <desc>
> +## <p>
> +## Determine whether Git system daemon
> +## can access nfs file systems.
> +## </p>
> +## </desc>
> +gen_tunable(git_system_use_nfs, false)
> +
> +type git_system_t, git_daemon;
> +inetd_service_domain(git_system_t, gitd_exec_t)
> +
> +type git_sys_content_t;
> +files_type(git_sys_content_t)
> +
> +########################################
> +#
> +# Git global policy
> +#
> +
> +allow git_daemon self:fifo_file rw_fifo_file_perms;
> +
> +kernel_read_system_state(git_daemon)
> +
> +corecmd_exec_bin(git_daemon)
> +
> +files_read_usr_files(git_daemon)
> +
> +fs_search_auto_mountpoints(git_daemon)
> +
> +auth_use_nsswitch(git_daemon)
> +
> +miscfiles_read_localization(git_daemon)
> +
> +########################################
> +#
> +# Git session policy
> +#
> +
> +allow git_session_t self:tcp_socket { accept listen };
> +
> +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
> +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
> +userdom_search_user_home_dirs(git_session_t)
> +
> +corenet_all_recvfrom_netlabel(git_session_t)
> +corenet_all_recvfrom_unlabeled(git_session_t)
> +corenet_tcp_bind_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_if(git_session_t)
> +corenet_tcp_sendrecv_generic_node(git_session_t)
> +corenet_tcp_sendrecv_generic_port(git_session_t)
> +corenet_tcp_bind_git_port(git_session_t)
> +corenet_tcp_sendrecv_git_port(git_session_t)
> +corenet_sendrecv_git_server_packets(git_session_t)
> +
> +userdom_use_user_terminals(git_session_t)
> +
> +tunable_policy(`git_session_send_syslog_msg',`
> + logging_send_syslog_msg(git_session_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_read_nfs_files(git_session_t)
> +',`
> + fs_dontaudit_read_nfs_files(git_session_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_read_cifs_files(git_session_t)
> +',`
> + fs_dontaudit_read_cifs_files(git_session_t)
> +')
> +
> +########################################
> +#
> +# Git system policy
> +#
> +
> +list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
> +read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
> +files_search_var_lib(git_system_t)
> +
> +logging_send_syslog_msg(git_system_t)
> +
> +tunable_policy(`git_system_enable_homedirs',`
> + userdom_search_user_home_dirs(git_system_t)
> +')
> +
> +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
> + fs_read_nfs_files(git_system_t)
> +',`
> + fs_dontaudit_read_nfs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
> + fs_read_cifs_files(git_system_t)
> +',`
> + fs_dontaudit_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_cifs',`
> + fs_read_cifs_files(git_system_t)
> +',`
> + fs_dontaudit_read_cifs_files(git_system_t)
> +')
> +
> +tunable_policy(`git_system_use_nfs',`
> + fs_read_nfs_files(git_system_t)
> +',`
> + fs_dontaudit_read_nfs_files(git_system_t)
> +')
> +
> +########################################
> +#
> +# Git CGI policy
> +#
> +
> +list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
> +read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
> +files_search_var_lib(httpd_git_script_t)
> +
> +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
> +
> +auth_use_nsswitch(httpd_git_script_t)
> +
> +tunable_policy(`git_cgi_enable_homedirs',`
> + userdom_search_user_home_dirs(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
> + fs_read_nfs_files(httpd_git_script_t)
> +',`
> + fs_dontaudit_read_nfs_files(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
> + fs_read_cifs_files(httpd_git_script_t)
> +',`
> + fs_dontaudit_read_cifs_files(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_use_cifs',`
> + fs_read_cifs_files(httpd_git_script_t)
> +',`
> + fs_dontaudit_read_cifs_files(httpd_git_script_t)
> +')
> +
> +tunable_policy(`git_cgi_use_nfs',`
> + fs_read_nfs_files(httpd_git_script_t)
> +',`
> + fs_dontaudit_read_nfs_files(httpd_git_script_t)
> +')
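Review bot: policy_module(git, 1.0) in the hunk header is left unchanged while the hunk adds new types, an attribute, eight tunables and new file contexts; refpolicy bumps the module version with every change, so this should become 1.1. A smaller point: the git_system_use_nfs and git_cgi_use_nfs blocks (and their cifs counterparts) grant the same fs_read_nfs_files / fs_read_cifs_files as the git_system_enable_homedirs && use_nfs_home_dirs and git_cgi_enable_homedirs && use_nfs_home_dirs blocks directly above them, so whenever only one boolean of a pair is set the else-branch dontaudit lands beside an allow for the same access. That is harmless, but dropping the else branch from the second pair would make the intent clearer.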
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
Thread overview:
2011-08-30 19:09 [refpolicy] [ v6 PATCH 1/1] Git daemon policy Dominick Grift
2011-09-02 13:22 ` Christopher J. PeBenito [this message]