[people/stevee/selinux-policy.git] / policy / modules / services / git.te

policy_module(git, 1.0.3)

## <desc>
## <p>
## Allow Git daemon system to search home directories.
## </p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)

## <desc>
## <p>
## Allow Git daemon system to access cifs file systems.
## </p>
## </desc>
gen_tunable(git_system_use_cifs, false)

## <desc>
## <p>
## Allow Git daemon system to access nfs file systems.
## </p>
## </desc>
gen_tunable(git_system_use_nfs, false)

########################################
#
# Git daemon global private declarations.
#

attribute git_domains;
attribute git_system_content;
attribute git_content;

type gitd_exec_t;

########################################
#
# Git daemon system private declarations.
#

type git_system_t, git_domains;
inetd_service_domain(git_system_t, gitd_exec_t)
role system_r types git_system_t;

type git_system_content_t, git_system_content, git_content;
files_type(git_system_content_t)
typealias git_system_content_t alias git_data_t;

########################################
#
# Git daemon session private declarations.
#

## <desc>
## <p>
## Allow Git daemon session to bind
## tcp sockets to all unreserved ports.
## </p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)

type git_session_t, git_domains;
application_domain(git_session_t, gitd_exec_t)
ubac_constrained(git_session_t)

type git_session_content_t, git_content;
userdom_user_home_content(git_session_content_t)

########################################
#
# Git daemon global private policy.
#

allow git_domains self:fifo_file rw_fifo_file_perms;
allow git_domains self:netlink_route_socket create_netlink_socket_perms;
allow git_domains self:tcp_socket create_socket_perms;
allow git_domains self:udp_socket create_socket_perms;
allow git_domains self:unix_dgram_socket create_socket_perms;

corenet_all_recvfrom_netlabel(git_domains)
corenet_all_recvfrom_unlabeled(git_domains)
corenet_tcp_bind_generic_node(git_domains)
corenet_tcp_sendrecv_generic_if(git_domains)
corenet_tcp_sendrecv_generic_node(git_domains)
corenet_tcp_sendrecv_generic_port(git_domains)
corenet_tcp_bind_git_port(git_domains)
corenet_sendrecv_git_server_packets(git_domains)

corecmd_exec_bin(git_domains)

files_read_etc_files(git_domains)
files_read_usr_files(git_domains)

fs_search_auto_mountpoints(git_domains)

kernel_read_system_state(git_domains)

auth_use_nsswitch(git_domains)

logging_send_syslog_msg(git_domains)

miscfiles_read_localization(git_domains)

sysnet_read_config(git_domains)

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(git_domains)
')

optional_policy(`
	nis_use_ypbind(git_domains)
')

########################################
#
# Git daemon system repository private policy.
#

list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)

tunable_policy(`git_system_enable_homedirs', `
	userdom_search_user_home_dirs(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_cifs', `
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_nfs', `
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
')

########################################
#
# Git daemon session repository private policy.
#

allow git_session_t self:tcp_socket { accept listen };

list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs(git_session_t)

userdom_use_user_terminals(git_session_t)

tunable_policy(`git_session_bind_all_unreserved_ports', `
	corenet_tcp_bind_all_unreserved_ports(git_session_t)
	corenet_sendrecv_generic_server_packets(git_session_t)
')

tunable_policy(`use_nfs_home_dirs', `
	fs_list_nfs(git_session_t)
	fs_read_nfs_files(git_session_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_list_cifs(git_session_t)
	fs_read_cifs_files(git_session_t)
')

########################################
#
# cgi git Declarations
#

optional_policy(`
	apache_content_template(git)
	git_read_all_content_files(httpd_git_script_t)
	files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
')

########################################
#
# Git-shell private policy.
#

git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)
Commit	Line	Data
3eaa9939 DW	1	policy_module(git, 1.0.3)
	2
	3	## <desc>
	4	## <p>
	5	## Allow Git daemon system to search home directories.
	6	## </p>
	7	## </desc>
	8	gen_tunable(git_system_enable_homedirs, false)
	9
	10	## <desc>
	11	## <p>
	12	## Allow Git daemon system to access cifs file systems.
	13	## </p>
	14	## </desc>
	15	gen_tunable(git_system_use_cifs, false)
	16
	17	## <desc>
	18	## <p>
	19	## Allow Git daemon system to access nfs file systems.
	20	## </p>
	21	## </desc>
	22	gen_tunable(git_system_use_nfs, false)
	23
	24	########################################
	25	#
	26	# Git daemon global private declarations.
	27	#
	28
	29	attribute git_domains;
	30	attribute git_system_content;
	31	attribute git_content;
	32
	33	type gitd_exec_t;
	34
	35	########################################
	36	#
	37	# Git daemon system private declarations.
	38	#
	39
	40	type git_system_t, git_domains;
	41	inetd_service_domain(git_system_t, gitd_exec_t)
	42	role system_r types git_system_t;
	43
	44	type git_system_content_t, git_system_content, git_content;
	45	files_type(git_system_content_t)
	46	typealias git_system_content_t alias git_data_t;
	47
	48	########################################
	49	#
	50	# Git daemon session private declarations.
	51	#
	52
	53	## <desc>
	54	## <p>
	55	## Allow Git daemon session to bind
	56	## tcp sockets to all unreserved ports.
	57	## </p>
	58	## </desc>
	59	gen_tunable(git_session_bind_all_unreserved_ports, false)
	60
	61	type git_session_t, git_domains;
	62	application_domain(git_session_t, gitd_exec_t)
	63	ubac_constrained(git_session_t)
	64
65	type git_session_content_t, git_content;
66	userdom_user_home_content(git_session_content_t)
67
68	########################################
69	#
70	# Git daemon global private policy.
71	#
72
73	allow git_domains self:fifo_file rw_fifo_file_perms;
74	allow git_domains self:netlink_route_socket create_netlink_socket_perms;
75	allow git_domains self:tcp_socket create_socket_perms;
76	allow git_domains self:udp_socket create_socket_perms;
77	allow git_domains self:unix_dgram_socket create_socket_perms;
78
79	corenet_all_recvfrom_netlabel(git_domains)
80	corenet_all_recvfrom_unlabeled(git_domains)
81	corenet_tcp_bind_generic_node(git_domains)
82	corenet_tcp_sendrecv_generic_if(git_domains)
83	corenet_tcp_sendrecv_generic_node(git_domains)
84	corenet_tcp_sendrecv_generic_port(git_domains)
85	corenet_tcp_bind_git_port(git_domains)
86	corenet_sendrecv_git_server_packets(git_domains)
87
88	corecmd_exec_bin(git_domains)
89
90	files_read_etc_files(git_domains)
91	files_read_usr_files(git_domains)
92
93	fs_search_auto_mountpoints(git_domains)
94
95	kernel_read_system_state(git_domains)
96
97	auth_use_nsswitch(git_domains)
98
99	logging_send_syslog_msg(git_domains)
100
101	miscfiles_read_localization(git_domains)
102
103	sysnet_read_config(git_domains)
104
105	optional_policy(`
106	automount_dontaudit_getattr_tmp_dirs(git_domains)
107	')
108
109	optional_policy(`
110	nis_use_ypbind(git_domains)
111	')
112
113	########################################
114	#
115	# Git daemon system repository private policy.
116	#
117
118	list_dirs_pattern(git_system_t, git_content, git_content)
119	read_files_pattern(git_system_t, git_content, git_content)
120	files_search_var_lib(git_system_t)
121
122	tunable_policy(`git_system_enable_homedirs', `
123	userdom_search_user_home_dirs(git_system_t)
124	')
125
126	tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
127	fs_list_nfs(git_system_t)
128	fs_read_nfs_files(git_system_t)
129	')
130
131	tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
132	fs_list_cifs(git_system_t)
133	fs_read_cifs_files(git_system_t)
134	')
135
136	tunable_policy(`git_system_use_cifs', `
137	fs_list_cifs(git_system_t)
138	fs_read_cifs_files(git_system_t)
139	')
140
141	tunable_policy(`git_system_use_nfs', `
142	fs_list_nfs(git_system_t)
143	fs_read_nfs_files(git_system_t)
144	')
153fe24b CP	145
	146	########################################
	147	#
3eaa9939	148	# Git daemon session repository private policy.
153fe24b CP	149	#
153fe24b CP	150
3eaa9939 DW	151	allow git_session_t self:tcp_socket { accept listen };
	152
	153	list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
	154	read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
	155	userdom_search_user_home_dirs(git_session_t)
	156
	157	userdom_use_user_terminals(git_session_t)
	158
	159	tunable_policy(`git_session_bind_all_unreserved_ports', `
	160	corenet_tcp_bind_all_unreserved_ports(git_session_t)
	161	corenet_sendrecv_generic_server_packets(git_session_t)
	162	')
	163
	164	tunable_policy(`use_nfs_home_dirs', `
	165	fs_list_nfs(git_session_t)
	166	fs_read_nfs_files(git_session_t)
	167	')
	168
	169	tunable_policy(`use_samba_home_dirs', `
	170	fs_list_cifs(git_session_t)
	171	fs_read_cifs_files(git_session_t)
	172	')
	173
	174	########################################
	175	#
	176	# cgi git Declarations
	177	#
	178
	179	optional_policy(`
	180	apache_content_template(git)
	181	git_read_all_content_files(httpd_git_script_t)
	182	files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
	183	')
	184
	185	########################################
	186	#
	187	# Git-shell private policy.
	188	#
	189
	190	git_role_template(git_shell)
	191	gen_user(git_shell_u, user, git_shell_r, s0, s0)
	192