-rw-r--r-- | policy/modules/contrib/git.fc | 14 | ||||
-rw-r--r-- | policy/modules/contrib/git.if | 6 | ||||
-rw-r--r-- | policy/modules/contrib/git.te | 50 |
3 files changed, 57 insertions, 13 deletions
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
index 13e72a7a..24700f84 100644
--- a/policy/modules/contrib/git.fc
+++ b/policy/modules/contrib/git.fc
@@ -1,11 +1,13 @@
-HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
 /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/contrib/git.if b/policy/modules/contrib/git.if
index 2917a863..bc6fc889 100644
--- a/policy/modules/contrib/git.if
+++ b/policy/modules/contrib/git.if
@@ -17,6 +17,7 @@
 #
 template(`git_role',`
 gen_require(`
+ attribute_role git_session_roles;
 type git_session_t, gitd_exec_t, git_user_content_t;
 ')
@@ -25,7 +26,7 @@ template(`git_role',`
 # Declarations
 #
- role $1 types git_session_t;
+ roleattribute $1 git_session_roles;
 ########################################
 #
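Review bot: The new gitweb-caching entries in the git.fc hunk label only `/var/www/gitweb-caching/gitweb\.cgi` as `httpd_git_script_exec_t`, whereas the existing gitweb install labels the whole tree with `/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)` and puts the script label on top of it. Anything else shipped next to the caching CGI under `/var/www/gitweb-caching` would therefore fall under whatever the generic `/var/www` entries assign rather than `httpd_git_content_t`; if that directory carries static content the CGI needs to read as Git content, a matching `/var/www/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)` entry should accompany the script entry, mirroring the `/var/www/git` pair. The old/new pairs for the untouched paths look identical after this rendering, so they are presumably whitespace-only realignment and raise nothing.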
@@ -66,14 +67,17 @@ interface(`git_read_generic_sys_content_files',`
 list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
 read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
 tunable_policy(`git_system_use_cifs',`
+ fs_getattr_cifs($1)
 fs_list_cifs($1)
 fs_read_cifs_files($1)
 ')
 tunable_policy(`git_system_use_nfs',`
+ fs_getattr_nfs($1)
 fs_list_nfs($1)
 fs_read_nfs_files($1)
 ')
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 2aada6b7..080e7f40 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.2.1)
+policy_module(git, 1.2.2)
 ########################################
 #
@@ -31,6 +31,15 @@ gen_tunable(git_cgi_use_nfs, false)
 ## <desc>
 ## <p>
+## Determine whether Git session daemon
+## can bind TCP sockets to all
+## unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
 ## Determine whether calling user domains
 ## can execute Git daemon in the
 ## git_session_t domain.
@@ -71,6 +80,7 @@ gen_tunable(git_system_use_cifs, false)
 gen_tunable(git_system_use_nfs, false)
 attribute git_daemon;
+attribute_role git_session_roles;
 apache_content_template(git)
@@ -80,6 +90,7 @@ inetd_service_domain(git_system_t, gitd_exec_t)
 type git_session_t, git_daemon;
 userdom_user_application_domain(git_session_t, gitd_exec_t)
+role git_session_roles types git_session_t;
 type git_sys_content_t;
 files_type(git_sys_content_t)
@@ -89,7 +100,7 @@ userdom_user_home_content(git_user_content_t)
 ########################################
 #
-# Git session policy
+# Session policy
 #
 allow git_session_t self:tcp_socket { accept listen };
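Review bot: The `<desc>` added for `git_session_bind_all_unreserved_ports` in the `@@ -31,6 +31,15 @@` hunk of git.te mentions only binding, but the block that consumes this tunable further down in git.te also grants send/receive on all ports and all server packet types, so an administrator reading the description would underestimate what enabling it permits. Because the tunable defaults to false, this description is the one place the trade-off is visible to whoever flips it; suggest `## Determine whether the Git session daemon`, `## can listen on any unreserved TCP port, and send`, `## and receive on all ports, instead of only the git port.` The tunable's policy block is in a later hunk, not this one.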
@@ -103,26 +114,36 @@ corenet_all_recvfrom_unlabeled(git_session_t)
 corenet_tcp_bind_generic_node(git_session_t)
 corenet_tcp_sendrecv_generic_if(git_session_t)
 corenet_tcp_sendrecv_generic_node(git_session_t)
-corenet_tcp_sendrecv_generic_port(git_session_t)
+
+corenet_sendrecv_git_server_packets(git_session_t)
 corenet_tcp_bind_git_port(git_session_t)
 corenet_tcp_sendrecv_git_port(git_session_t)
-corenet_sendrecv_git_server_packets(git_session_t)
 auth_use_nsswitch(git_session_t)
 userdom_use_user_terminals(git_session_t)
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(git_session_t)
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+')
+
 tunable_policy(`git_session_send_syslog_msg',`
 logging_send_syslog_msg(git_session_t)
 ')
 tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(git_session_t)
+ fs_list_nfs(git_session_t)
 fs_read_nfs_files(git_session_t)
 ',`
 fs_dontaudit_read_nfs_files(git_session_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(git_session_t)
+ fs_list_cifs(git_session_t)
 fs_read_cifs_files(git_session_t)
 ',`
 fs_dontaudit_read_cifs_files(git_session_t)
@@ -130,11 +151,12 @@ tunable_policy(`use_samba_home_dirs',`
 ########################################
 #
-# Git system policy
+# System policy
 #
 list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib(git_system_t)
 auth_use_nsswitch(git_system_t)
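Review bot: In the new `tunable_policy(`git_session_bind_all_unreserved_ports',`` block the bind grant is limited to unreserved ports, but it is paired with `corenet_tcp_sendrecv_all_ports(git_session_t)` and `corenet_sendrecv_all_server_packets(git_session_t)`, which cover every port type and server packet type including reserved ones, so the boolean's effective scope is wider than its name states. If the corenetwork module offers send/receive and packet interfaces scoped to unreserved ports, those would keep the grant aligned with the bind permission; otherwise the wider scope should be spelled out in the tunable's description. The surrounding always-on `corenet_tcp_bind_git_port`/`corenet_tcp_sendrecv_git_port` grants are unaffected, so the default-false behaviour is unchanged.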
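Review bot: The `files_search_var_lib(git_system_t)` added in the `@@ -130,11 +151,12 @@` hunk appears to carry leading whitespace, unlike the neighbouring top-level `list_dirs_pattern`/`read_files_pattern` statements; if that is a real indent rather than an artifact of this rendering, drop it so the call sits flush-left like the rest of the system policy block. The equivalent `files_search_var_lib($1)` added to git.if is correctly indented there because it lives inside the interface body.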
@@ -146,24 +168,32 @@ tunable_policy(`git_system_enable_homedirs',`
 ')
 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_getattr_nfs(git_system_t)
+ fs_list_nfs(git_system_t)
 fs_read_nfs_files(git_system_t)
 ',`
 fs_dontaudit_read_nfs_files(git_system_t)
 ')
 tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_getattr_cifs(git_system_t)
+ fs_list_cifs(git_system_t)
 fs_read_cifs_files(git_system_t)
 ',`
 fs_dontaudit_read_cifs_files(git_system_t)
 ')
 tunable_policy(`git_system_use_cifs',`
+ fs_getattr_cifs(git_system_t)
+ fs_list_cifs(git_system_t)
 fs_read_cifs_files(git_system_t)
 ',`
 fs_dontaudit_read_cifs_files(git_system_t)
 ')
 tunable_policy(`git_system_use_nfs',`
+ fs_getattr_nfs(git_system_t)
+ fs_list_nfs(git_system_t)
 fs_read_nfs_files(git_system_t)
 ',`
 fs_dontaudit_read_nfs_files(git_system_t)
@@ -171,7 +201,7 @@ tunable_policy(`git_system_use_nfs',`
 ########################################
 #
-# Git CGI policy
+# CGI policy
 #
 list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
@@ -187,24 +217,32 @@ tunable_policy(`git_cgi_enable_homedirs',`
 ')
 tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+ fs_getattr_nfs(httpd_git_script_t)
+ fs_list_nfs(httpd_git_script_t)
 fs_read_nfs_files(httpd_git_script_t)
 ',`
 fs_dontaudit_read_nfs_files(httpd_git_script_t)
 ')
 tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+ fs_getattr_cifs(httpd_git_script_t)
+ fs_list_cifs(httpd_git_script_t)
 fs_read_cifs_files(httpd_git_script_t)
 ',`
 fs_dontaudit_read_cifs_files(httpd_git_script_t)
 ')
 tunable_policy(`git_cgi_use_cifs',`
+ fs_getattr_cifs(httpd_git_script_t)
+ fs_list_cifs(httpd_git_script_t)
 fs_read_cifs_files(httpd_git_script_t)
 ',`
 fs_dontaudit_read_cifs_files(httpd_git_script_t)
 ')
 tunable_policy(`git_cgi_use_nfs',`
+ fs_getattr_nfs(httpd_git_script_t)
+ fs_list_nfs(httpd_git_script_t)
 fs_read_nfs_files(httpd_git_script_t)
 ',`
 fs_dontaudit_read_nfs_files(httpd_git_script_t)