authorDominick Grift <dominick.grift@gmail.com>2012-10-02 12:21:20 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-10-02 20:07:54 +0200
commitd5e591f953c14ed591986eb76fbe6d94259c4869 (patch)
tree6f50ae94ffcb28d49a2ba419f657ca4709511706 /policy/modules/contrib
parentChanges to the gift policy module (diff)
Changes to the git policy module
Ported from Fedora with changes.
Use role attributes for git session.
Module clean up.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Diffstat (limited to 'policy/modules/contrib')
-rw-r--r--policy/modules/contrib/git.fc14
-rw-r--r--policy/modules/contrib/git.if6
-rw-r--r--policy/modules/contrib/git.te50
3 files changed, 57 insertions, 13 deletions
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
index 13e72a7ad..24700f84b 100644
--- a/policy/modules/contrib/git.fc
+++ b/policy/modules/contrib/git.fc
@@ -1,11 +1,13 @@
-HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
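Review bot: The new `/var/www/gitweb-caching/gitweb\.cgi` entry labels only the CGI script, whereas the existing `/var/www/git(/.*)?` entry also gives the surrounding tree httpd_git_content_t; if the gitweb-caching package installs static files (templates, stylesheets) next to the script, they presumably fall under the generic /var/www labeling and are served from a different type than the equivalent files under /var/www/git. If the two installs are meant to be treated alike, a companion `/var/www/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)` line would keep them consistent; if the cache directory under /var/cache is all the package creates besides the script, a short comment saying so would stop the next reader from re-raising this. The remaining lines in the hunk only re-tab existing entries.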
diff --git a/policy/modules/contrib/git.if b/policy/modules/contrib/git.if
index 2917a8630..bc6fc889f 100644
--- a/policy/modules/contrib/git.if
+++ b/policy/modules/contrib/git.if
@@ -17,6 +17,7 @@
#
template(`git_role',`
gen_require(`
+ attribute_role git_session_roles;
type git_session_t, gitd_exec_t, git_user_content_t;
')
@@ -25,7 +26,7 @@ template(`git_role',`
# Declarations
#
- role $1 types git_session_t;
+ roleattribute $1 git_session_roles;
########################################
#
@@ -66,14 +67,17 @@ interface(`git_read_generic_sys_content_files',`
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
+ fs_getattr_cifs($1)
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
+ fs_getattr_nfs($1)
fs_list_nfs($1)
fs_read_nfs_files($1)
')
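Review bot: With `role $1 types git_session_t;` replaced by `roleattribute $1 git_session_roles;` in the second hunk, the role/type association for git_role now rests entirely on the `role git_session_roles types git_session_t;` statement in git.te, but the template's header comment above the first hunk (only its closing `#` is visible here) is not updated to say so. Add a line such as `## The role is added to the git_session_roles role attribute.` to that summary so a caller auditing who can reach git_session_t knows which attribute to query. The gen_require addition in the first hunk pulls in `attribute_role git_session_roles`, so the template builds stand-alone, and the fs_getattr_* additions in the third hunk match those made for the domains in git.te. The template body continues outside the hunk.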
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 2aada6b7a..080e7f40d 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.2.1)
+policy_module(git, 1.2.2)
########################################
#
@@ -31,6 +31,15 @@ gen_tunable(git_cgi_use_nfs, false)
## <desc>
## <p>
+## Determine whether Git session daemon
+## can bind TCP sockets to all
+## unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
## Determine whether calling user domains
## can execute Git daemon in the
## git_session_t domain.
@@ -71,6 +80,7 @@ gen_tunable(git_system_use_cifs, false)
gen_tunable(git_system_use_nfs, false)
attribute git_daemon;
+attribute_role git_session_roles;
apache_content_template(git)
@@ -80,6 +90,7 @@ inetd_service_domain(git_system_t, gitd_exec_t)
type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
+role git_session_roles types git_session_t;
type git_sys_content_t;
files_type(git_sys_content_t)
@@ -89,7 +100,7 @@ userdom_user_home_content(git_user_content_t)
########################################
#
-# Git session policy
+# Session policy
#
allow git_session_t self:tcp_socket { accept listen };
@@ -103,26 +114,36 @@ corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
corenet_tcp_sendrecv_generic_if(git_session_t)
corenet_tcp_sendrecv_generic_node(git_session_t)
-corenet_tcp_sendrecv_generic_port(git_session_t)
+
+corenet_sendrecv_git_server_packets(git_session_t)
corenet_tcp_bind_git_port(git_session_t)
corenet_tcp_sendrecv_git_port(git_session_t)
-corenet_sendrecv_git_server_packets(git_session_t)
auth_use_nsswitch(git_session_t)
userdom_use_user_terminals(git_session_t)
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(git_session_t)
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+')
+
tunable_policy(`git_session_send_syslog_msg',`
logging_send_syslog_msg(git_session_t)
')
tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(git_session_t)
+ fs_list_nfs(git_session_t)
fs_read_nfs_files(git_session_t)
',`
fs_dontaudit_read_nfs_files(git_session_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(git_session_t)
+ fs_list_cifs(git_session_t)
fs_read_cifs_files(git_session_t)
',`
fs_dontaudit_read_cifs_files(git_session_t)
@@ -130,11 +151,12 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
-# Git system policy
+# System policy
#
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+
files_search_var_lib(git_system_t)
auth_use_nsswitch(git_system_t)
@@ -146,24 +168,32 @@ tunable_policy(`git_system_enable_homedirs',`
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_getattr_nfs(git_system_t)
+ fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
',`
fs_dontaudit_read_nfs_files(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_getattr_cifs(git_system_t)
+ fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
',`
fs_dontaudit_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_cifs',`
+ fs_getattr_cifs(git_system_t)
+ fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
',`
fs_dontaudit_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_nfs',`
+ fs_getattr_nfs(git_system_t)
+ fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
',`
fs_dontaudit_read_nfs_files(git_system_t)
@@ -171,7 +201,7 @@ tunable_policy(`git_system_use_nfs',`
########################################
#
-# Git CGI policy
+# CGI policy
#
list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
@@ -187,24 +217,32 @@ tunable_policy(`git_cgi_enable_homedirs',`
')
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+ fs_getattr_nfs(httpd_git_script_t)
+ fs_list_nfs(httpd_git_script_t)
fs_read_nfs_files(httpd_git_script_t)
',`
fs_dontaudit_read_nfs_files(httpd_git_script_t)
')
tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+ fs_getattr_cifs(httpd_git_script_t)
+ fs_list_cifs(httpd_git_script_t)
fs_read_cifs_files(httpd_git_script_t)
',`
fs_dontaudit_read_cifs_files(httpd_git_script_t)
')
tunable_policy(`git_cgi_use_cifs',`
+ fs_getattr_cifs(httpd_git_script_t)
+ fs_list_cifs(httpd_git_script_t)
fs_read_cifs_files(httpd_git_script_t)
',`
fs_dontaudit_read_cifs_files(httpd_git_script_t)
')
tunable_policy(`git_cgi_use_nfs',`
+ fs_getattr_nfs(httpd_git_script_t)
+ fs_list_nfs(httpd_git_script_t)
fs_read_nfs_files(httpd_git_script_t)
',`
fs_dontaudit_read_nfs_files(httpd_git_script_t)
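Review bot: The new `git_session_bind_all_unreserved_ports` block in the hunk at `@@ -103,26 +114,36 @@` grants more than its `<desc>` in the hunk at `@@ -31,6 +31,15 @@` states: besides `corenet_tcp_bind_all_unreserved_ports`, it adds `corenet_sendrecv_all_server_packets` and `corenet_tcp_sendrecv_all_ports`, which by their names cover every port type rather than only the unreserved ones. Either the description should say so, e.g. `## Determine whether Git session daemon can bind TCP sockets to all unreserved ports and send and receive on all ports.`, or the send/receive call should be narrowed to the unreserved-port variant if corenetwork provides one, which seems to be what the tunable's name intends; please confirm which was meant. Keeping the boolean's default at false is right, since it leaves the base policy limited to the git port after the removal of `corenet_tcp_sendrecv_generic_port`.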