]>
1 | policy_module(git, 1.0.3) |
2 | ||
3 | ## <desc> | |
4 | ## <p> | |
5 | ## Allow Git daemon system to search home directories. | |
6 | ## </p> | |
7 | ## </desc> | |
8 | gen_tunable(git_system_enable_homedirs, false) | |
9 | ||
10 | ## <desc> | |
11 | ## <p> | |
12 | ## Allow Git daemon system to access cifs file systems. | |
13 | ## </p> | |
14 | ## </desc> | |
15 | gen_tunable(git_system_use_cifs, false) | |
16 | ||
17 | ## <desc> | |
18 | ## <p> | |
19 | ## Allow Git daemon system to access nfs file systems. | |
20 | ## </p> | |
21 | ## </desc> | |
22 | gen_tunable(git_system_use_nfs, false) | |
23 | ||
24 | ######################################## | |
25 | # | |
26 | # Git daemon global private declarations. | |
27 | # | |
28 | ||
29 | attribute git_domains; | |
30 | attribute git_system_content; | |
31 | attribute git_content; | |
32 | ||
33 | type gitd_exec_t; | |
34 | ||
35 | ######################################## | |
36 | # | |
37 | # Git daemon system private declarations. | |
38 | # | |
39 | ||
40 | type git_system_t, git_domains; | |
41 | inetd_service_domain(git_system_t, gitd_exec_t) | |
42 | role system_r types git_system_t; | |
43 | ||
44 | type git_system_content_t, git_system_content, git_content; | |
45 | files_type(git_system_content_t) | |
46 | typealias git_system_content_t alias git_data_t; | |
47 | ||
48 | ######################################## | |
49 | # | |
50 | # Git daemon session private declarations. | |
51 | # | |
52 | ||
53 | ## <desc> | |
54 | ## <p> | |
55 | ## Allow Git daemon session to bind | |
56 | ## tcp sockets to all unreserved ports. | |
57 | ## </p> | |
58 | ## </desc> | |
59 | gen_tunable(git_session_bind_all_unreserved_ports, false) | |
60 | ||
61 | type git_session_t, git_domains; | |
62 | application_domain(git_session_t, gitd_exec_t) | |
63 | ubac_constrained(git_session_t) | |
64 | ||
65 | type git_session_content_t, git_content; | |
66 | userdom_user_home_content(git_session_content_t) | |
67 | ||
68 | ######################################## | |
69 | # | |
70 | # Git daemon global private policy. | |
71 | # | |
72 | ||
73 | allow git_domains self:fifo_file rw_fifo_file_perms; | |
74 | allow git_domains self:netlink_route_socket create_netlink_socket_perms; | |
75 | allow git_domains self:tcp_socket create_socket_perms; | |
76 | allow git_domains self:udp_socket create_socket_perms; | |
77 | allow git_domains self:unix_dgram_socket create_socket_perms; | |
78 | ||
79 | corenet_all_recvfrom_netlabel(git_domains) | |
80 | corenet_all_recvfrom_unlabeled(git_domains) | |
81 | corenet_tcp_bind_generic_node(git_domains) | |
82 | corenet_tcp_sendrecv_generic_if(git_domains) | |
83 | corenet_tcp_sendrecv_generic_node(git_domains) | |
84 | corenet_tcp_sendrecv_generic_port(git_domains) | |
85 | corenet_tcp_bind_git_port(git_domains) | |
86 | corenet_sendrecv_git_server_packets(git_domains) | |
87 | ||
88 | corecmd_exec_bin(git_domains) | |
89 | ||
90 | files_read_etc_files(git_domains) | |
91 | files_read_usr_files(git_domains) | |
92 | ||
93 | fs_search_auto_mountpoints(git_domains) | |
94 | ||
95 | kernel_read_system_state(git_domains) | |
96 | ||
97 | auth_use_nsswitch(git_domains) | |
98 | ||
99 | logging_send_syslog_msg(git_domains) | |
100 | ||
101 | miscfiles_read_localization(git_domains) | |
102 | ||
103 | sysnet_read_config(git_domains) | |
104 | ||
105 | optional_policy(` | |
106 | automount_dontaudit_getattr_tmp_dirs(git_domains) | |
107 | ') | |
108 | ||
109 | optional_policy(` | |
110 | nis_use_ypbind(git_domains) | |
111 | ') | |
112 | ||
113 | ######################################## | |
114 | # | |
115 | # Git daemon system repository private policy. | |
116 | # | |
117 | ||
118 | list_dirs_pattern(git_system_t, git_content, git_content) | |
119 | read_files_pattern(git_system_t, git_content, git_content) | |
120 | files_search_var_lib(git_system_t) | |
121 | ||
122 | tunable_policy(`git_system_enable_homedirs', ` | |
123 | userdom_search_user_home_dirs(git_system_t) | |
124 | ') | |
125 | ||
126 | tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` | |
127 | fs_list_nfs(git_system_t) | |
128 | fs_read_nfs_files(git_system_t) | |
129 | ') | |
130 | ||
131 | tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` | |
132 | fs_list_cifs(git_system_t) | |
133 | fs_read_cifs_files(git_system_t) | |
134 | ') | |
135 | ||
136 | tunable_policy(`git_system_use_cifs', ` | |
137 | fs_list_cifs(git_system_t) | |
138 | fs_read_cifs_files(git_system_t) | |
139 | ') | |
140 | ||
141 | tunable_policy(`git_system_use_nfs', ` | |
142 | fs_list_nfs(git_system_t) | |
143 | fs_read_nfs_files(git_system_t) | |
144 | ') | |
145 | |
146 | ######################################## | |
147 | # | |
148 | # Git daemon session repository private policy. | |
149 | # |
150 | ||
151 | allow git_session_t self:tcp_socket { accept listen }; |
152 | ||
153 | list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) | |
154 | read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) | |
155 | userdom_search_user_home_dirs(git_session_t) | |
156 | ||
157 | userdom_use_user_terminals(git_session_t) | |
158 | ||
159 | tunable_policy(`git_session_bind_all_unreserved_ports', ` | |
160 | corenet_tcp_bind_all_unreserved_ports(git_session_t) | |
161 | corenet_sendrecv_generic_server_packets(git_session_t) | |
162 | ') | |
163 | ||
164 | tunable_policy(`use_nfs_home_dirs', ` | |
165 | fs_list_nfs(git_session_t) | |
166 | fs_read_nfs_files(git_session_t) | |
167 | ') | |
168 | ||
169 | tunable_policy(`use_samba_home_dirs', ` | |
170 | fs_list_cifs(git_session_t) | |
171 | fs_read_cifs_files(git_session_t) | |
172 | ') | |
173 | ||
174 | ######################################## | |
175 | # | |
176 | # Git CGI declarations. | |
177 | # | |
178 | ||
179 | optional_policy(` | |
180 | apache_content_template(git) | |
181 | git_read_all_content_files(httpd_git_script_t) | |
182 | files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) | |
183 | ') | |
184 | ||
185 | ######################################## | |
186 | # | |
187 | # Git-shell private policy. | |
188 | # | |
189 | ||
190 | git_role_template(git_shell) | |
191 | gen_user(git_shell_u, user, git_shell_r, s0, s0) | |
192 |