1 ## <summary>Fast Version Control System.</summary>
4 ## A really simple TCP git daemon that normally listens on
5 ## port DEFAULT_GIT_PORT aka 9418. It waits for a
6 ## connection asking for a service, and will serve that
7 ## service if it is enabled.
11 #######################################
13 ## Role access for Git daemon session.
15 ## <param name="role">
17 ## Role allowed access.
20 ## <param name="domain">
22 ## User domain for the role.
# Role access for a Git daemon session: role $1 may hold git_session_t
# processes, and the user domain $2 can launch, signal and inspect them.
26 interface(`git_session_role',`
# Types required from the git module (the surrounding gen_require open/close
# lines are not shown in this listing). git_session_content_t is required
# but not referenced by any line visible here.
28 type git_session_t, gitd_exec_t, git_session_content_t;
31 ########################################
33 # Git daemon session shared declarations.
# Let role $1 run processes in the git_session_t domain.
36 role $1 types git_session_t;
38 ########################################
40 # Git daemon session shared policy.
# Executing a gitd_exec_t file from $2 transitions the process into git_session_t.
43 domtrans_pattern($2, gitd_exec_t, git_session_t)
# The user domain may signal its session daemon and read its /proc state (ps).
45 allow $2 git_session_t:process signal_perms;
46 ps_process_pattern($2, git_session_t)
# ptrace of the session daemon is granted only while the deny_ptrace boolean
# is off: the "true" branch of the tunable is empty, the else branch allows it.
47 tunable_policy(`deny_ptrace',`',`
48 allow $2 git_session_t:process ptrace;
52 ########################################
54 ## Create a set of derived types for Git
55 ## daemon shared repository content.
57 ## <param name="prefix">
59 ## The prefix to be used for deriving type names.
# Derive one repository content type per prefix, git_$1_content_t, and tag it
# with the git_system_content and git_content attributes so that the
# *_all_content and *_all_system_content interfaces below cover it as well.
63 template(`git_content_template',`
# Attributes required from the git module (gen_require open/close lines not shown here).
65 attribute git_system_content, git_content;
68 ########################################
70 # Git daemon content shared declarations.
73 type git_$1_content_t, git_system_content, git_content;
# Mark the derived type as an ordinary file type (file_type attribute).
74 files_type(git_$1_content_t)
77 ########################################
79 ## Create a set of derived types for Git
80 ## daemon shared repository roles.
82 ## <param name="prefix">
84 ## The prefix to be used for deriving type names.
# Derive an unprivileged user domain $1_t and role $1_r for a Git user, with
# read/write/execute access to the generic system repository content.
# Template parameter $1 is the prefix used for the derived names.
88 template(`git_role_template',`
# Userspace object class required below (gen_require open/close lines not shown here).
90 class context contains;
94 ########################################
96 # Git daemon role shared declarations.
99 attribute $1_usertype;
# Declare $1_t as an unprivileged user domain (the `type $1_t;` line is not
# shown in this listing).
102 userdom_unpriv_usertype($1, $1_t)
105 role $1_r types $1_t;
108 ########################################
110 # Git daemon role shared policy.
# `context contains` is a userspace-enforced check, not a kernel one;
# NOTE(review): confirm which userspace component needs it for this domain.
113 allow $1_t self:context contains;
114 allow $1_t self:fifo_file rw_fifo_file_perms;
# Execute system binaries; bin_t and shell executables are entry points for $1_t.
116 corecmd_exec_bin($1_t)
117 corecmd_bin_entry_type($1_t)
118 corecmd_shell_entry_type($1_t)
120 domain_interactive_fd($1_t)
121 domain_user_exemption_target($1_t)
123 kernel_read_system_state($1_t)
125 files_read_etc_files($1_t)
# Home directory search attempts are expected and silenced rather than allowed.
126 files_dontaudit_search_home($1_t)
128 miscfiles_read_localization($1_t)
# Full manage + execute over git_system_content_t, including the cifs/nfs
# tunable rules; the tunable blocks below repeat what this call already grants.
130 git_rwx_generic_system_content($1_t)
# Read/write on sshd's stream sockets (git over an ssh session).
132 ssh_rw_stream_sockets($1_t)
# NOTE: these network-filesystem rules are not scoped to repositories; they
# cover every file carrying the cifs_t / nfs_t label when the boolean is on.
134 tunable_policy(`git_system_use_cifs',`
135 fs_exec_cifs_files($1_t)
136 fs_manage_cifs_dirs($1_t)
137 fs_manage_cifs_files($1_t)
140 tunable_policy(`git_system_use_nfs',`
141 fs_exec_nfs_files($1_t)
142 fs_manage_nfs_dirs($1_t)
143 fs_manage_nfs_files($1_t)
151 #######################################
153 ## Allow the specified domain to manage and execute
154 ## the specified Git daemon content.
156 ## <param name="domain">
158 ## Domain allowed access.
161 ## <param name="object">
163 ## Type of the object that access is allowed to.
# Give domain $1 full manage + execute access to the content type $2.
# $2 is used both as the directory type and the file type in each pattern.
167 interface(`git_content_delegation',`
172 exec_files_pattern($1, $2, $2)
173 manage_dirs_pattern($1, $2, $2)
174 manage_files_pattern($1, $2, $2)
# Repositories under /var/lib need the parent directory to be searchable.
175 files_search_var_lib($1)
# NOTE: the tunable rules below are independent of $2 and cover every file
# labelled cifs_t / nfs_t, since network filesystems carry a single label.
177 tunable_policy(`git_system_use_cifs',`
178 fs_exec_cifs_files($1)
179 fs_manage_cifs_dirs($1)
180 fs_manage_cifs_files($1)
183 tunable_policy(`git_system_use_nfs',`
184 fs_exec_nfs_files($1)
185 fs_manage_nfs_dirs($1)
186 fs_manage_nfs_files($1)
190 ########################################
192 ## Allow the specified domain to manage
193 ## and execute all Git daemon content.
195 ## <param name="domain">
197 ## Domain allowed access.
# Full manage + execute over everything carrying the git_content attribute,
# i.e. session content in home directories as well as all system content.
201 interface(`git_rwx_all_content',`
# Attribute required from the git module (gen_require open/close lines not shown here).
203 attribute git_content;
206 exec_files_pattern($1, git_content, git_content)
207 manage_dirs_pattern($1, git_content, git_content)
208 manage_files_pattern($1, git_content, git_content)
# Session content lives under user homes, system content under /var/lib.
209 userdom_search_user_home_dirs($1)
210 files_search_var_lib($1)
# NOTE(review): userdom_home_manager() grants home-directory management that
# is wider than git_content alone; confirm callers intend that breadth.
212 userdom_home_manager($1)
# The network-filesystem rules cover all cifs_t / nfs_t files, not just repositories.
214 tunable_policy(`git_system_use_cifs',`
215 fs_exec_cifs_files($1)
216 fs_manage_cifs_dirs($1)
217 fs_manage_cifs_files($1)
220 tunable_policy(`git_system_use_nfs',`
221 fs_exec_nfs_files($1)
222 fs_manage_nfs_dirs($1)
223 fs_manage_nfs_files($1)
227 ########################################
229 ## Allow the specified domain to manage
230 ## and execute all Git daemon system content.
232 ## <param name="domain">
234 ## Domain allowed access.
# Full manage + execute over everything carrying the git_system_content
# attribute (the generic type plus all git_content_template-derived types).
# Unlike git_rwx_all_content, no home-directory access is granted.
238 interface(`git_rwx_all_system_content',`
# Attribute required from the git module (gen_require open/close lines not shown here).
240 attribute git_system_content;
243 exec_files_pattern($1, git_system_content, git_system_content)
244 manage_dirs_pattern($1, git_system_content, git_system_content)
245 manage_files_pattern($1, git_system_content, git_system_content)
246 files_search_var_lib($1)
# The network-filesystem rules cover all cifs_t / nfs_t files, not just repositories.
248 tunable_policy(`git_system_use_cifs',`
249 fs_exec_cifs_files($1)
250 fs_manage_cifs_dirs($1)
251 fs_manage_cifs_files($1)
254 tunable_policy(`git_system_use_nfs',`
255 fs_exec_nfs_files($1)
256 fs_manage_nfs_dirs($1)
257 fs_manage_nfs_files($1)
261 ########################################
263 ## Allow the specified domain to manage
264 ## and execute Git daemon generic system content.
266 ## <param name="domain">
268 ## Domain allowed access.
# Full manage + execute over the single generic type git_system_content_t;
# derived git_<prefix>_content_t types are not included.
272 interface(`git_rwx_generic_system_content',`
# Type required from the git module (gen_require open/close lines not shown here).
274 type git_system_content_t;
277 exec_files_pattern($1, git_system_content_t, git_system_content_t)
278 manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
279 manage_files_pattern($1, git_system_content_t, git_system_content_t)
280 files_search_var_lib($1)
# The network-filesystem rules cover all cifs_t / nfs_t files, not just repositories.
282 tunable_policy(`git_system_use_cifs',`
283 fs_exec_cifs_files($1)
284 fs_manage_cifs_dirs($1)
285 fs_manage_cifs_files($1)
288 tunable_policy(`git_system_use_nfs',`
289 fs_exec_nfs_files($1)
290 fs_manage_nfs_dirs($1)
291 fs_manage_nfs_files($1)
295 ########################################
297 ## Allow the specified domain to read
298 ## all Git daemon content files.
300 ## <param name="domain">
302 ## Domain allowed access.
# Read-only counterpart of git_rwx_all_content: list directories and read
# files for everything carrying the git_content attribute.
306 interface(`git_read_all_content_files',`
# Attribute required from the git module (gen_require open/close lines not shown here).
308 attribute git_content;
311 list_dirs_pattern($1, git_content, git_content)
312 read_files_pattern($1, git_content, git_content)
313 userdom_search_user_home_dirs($1)
314 files_search_var_lib($1)
# NOTE(review): userdom_home_reader() reads more of the home directory than
# git_content alone; confirm callers intend that breadth.
316 userdom_home_reader($1)
# Read-only on network filesystems; one line of each tunable block is not
# shown in this listing. Covers all cifs_t / nfs_t files, not just repositories.
318 tunable_policy(`git_system_use_cifs',`
320 fs_read_cifs_files($1)
323 tunable_policy(`git_system_use_nfs',`
325 fs_read_nfs_files($1)
329 ########################################
331 ## Allow the specified domain to read
332 ## Git daemon session content files.
334 ## <param name="domain">
336 ## Domain allowed access.
# Read-only access to session repository content (git_session_content_t),
# which lives under user home directories; there is no /var/lib search and
# no cifs/nfs tunable here, unlike the system-content interfaces.
340 interface(`git_read_session_content_files',`
# Type required from the git module (gen_require open/close lines not shown here).
342 type git_session_content_t;
345 list_dirs_pattern($1, git_session_content_t, git_session_content_t)
346 read_files_pattern($1, git_session_content_t, git_session_content_t)
347 userdom_search_user_home_dirs($1)
348 userdom_home_reader($1)
351 #######################################
353 ## Do not audit attempts by the specified domain to read
354 ## Git daemon session content files.
356 ## <param name="domain">
358 ## Domain to not audit.
# Silence denials for reading git_session_content_t files. Only the file
# class is covered: directory search/list denials on session content are
# still audited.
362 interface(`git_dontaudit_read_session_content_files',`
# Type required from the git module (gen_require open/close lines not shown here).
364 type git_session_content_t;
367 dontaudit $1 git_session_content_t:file read_file_perms;
370 ########################################
372 ## Allow the specified domain to read
373 ## all Git daemon system content files.
375 ## <param name="domain">
377 ## Domain allowed access.
# Read-only counterpart of git_rwx_all_system_content: list directories and
# read files for everything carrying the git_system_content attribute.
381 interface(`git_read_all_system_content_files',`
# Attribute required from the git module (gen_require open/close lines not shown here).
383 attribute git_system_content;
386 list_dirs_pattern($1, git_system_content, git_system_content)
387 read_files_pattern($1, git_system_content, git_system_content)
388 files_search_var_lib($1)
# Read-only on network filesystems; one line of each tunable block is not
# shown in this listing. Covers all cifs_t / nfs_t files, not just repositories.
390 tunable_policy(`git_system_use_cifs',`
392 fs_read_cifs_files($1)
395 tunable_policy(`git_system_use_nfs',`
397 fs_read_nfs_files($1)
401 ########################################
403 ## Allow the specified domain to read
404 ## Git daemon generic system content files.
406 ## <param name="domain">
408 ## Domain allowed access.
# Read-only access to the single generic type git_system_content_t;
# derived git_<prefix>_content_t types are not included.
412 interface(`git_read_generic_system_content_files',`
# Type required from the git module (gen_require open/close lines not shown here).
414 type git_system_content_t;
417 list_dirs_pattern($1, git_system_content_t, git_system_content_t)
418 read_files_pattern($1, git_system_content_t, git_system_content_t)
419 files_search_var_lib($1)
# Read-only on network filesystems; one line of each tunable block is not
# shown in this listing. Covers all cifs_t / nfs_t files, not just repositories.
421 tunable_policy(`git_system_use_cifs',`
423 fs_read_cifs_files($1)
426 tunable_policy(`git_system_use_nfs',`
428 fs_read_nfs_files($1)
432 ########################################
434 ## Allow the specified domain to relabel
435 ## all Git daemon content.
437 ## <param name="domain">
439 ## Domain allowed access.
# relabelfrom/relabelto on dirs and files for everything carrying the
# git_content attribute (session content in homes and system content).
# No cifs/nfs tunable is present here, unlike the rwx/read interfaces.
443 interface(`git_relabel_all_content',`
# Attribute required from the git module (gen_require open/close lines not shown here).
445 attribute git_content;
448 relabel_dirs_pattern($1, git_content, git_content)
449 relabel_files_pattern($1, git_content, git_content)
450 userdom_search_user_home_dirs($1)
451 files_search_var_lib($1)
454 ########################################
456 ## Allow the specified domain to relabel
457 ## all Git daemon system content.
459 ## <param name="domain">
461 ## Domain allowed access.
# relabelfrom/relabelto on dirs and files for everything carrying the
# git_system_content attribute; no home-directory access is granted.
465 interface(`git_relabel_all_system_content',`
# Attribute required from the git module (gen_require open/close lines not shown here).
467 attribute git_system_content;
470 relabel_dirs_pattern($1, git_system_content, git_system_content)
471 relabel_files_pattern($1, git_system_content, git_system_content)
472 files_search_var_lib($1)
475 ########################################
477 ## Allow the specified domain to relabel
478 ## Git daemon generic system content.
480 ## <param name="domain">
482 ## Domain allowed access.
# relabelfrom/relabelto on dirs and files of the single generic type
# git_system_content_t; derived git_<prefix>_content_t types are not included.
486 interface(`git_relabel_generic_system_content',`
# Type required from the git module (gen_require open/close lines not shown here).
488 type git_system_content_t;
491 relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
492 relabel_files_pattern($1, git_system_content_t, git_system_content_t)
493 files_search_var_lib($1)
496 ########################################
498 ## Allow the specified domain to relabel
499 ## Git daemon session content.
501 ## <param name="domain">
503 ## Domain allowed access.
507 interface(`git_relabel_session_content',`
509 type git_session_content_t;
512 relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
513 relabel_files_pattern($1, git_session_content_t, git_session_content_t)
514 userdom_search_user_home_dirs($1)