## <summary>Fast Version Control System.</summary>
## <desc>
##	<p>
##	A really simple TCP git daemon that normally listens on
##	port DEFAULT_GIT_PORT, i.e. 9418. It waits for a
##	connection asking for a service, and will serve that
##	service if it is enabled.
##	</p>
## </desc>

#######################################
## <summary>
##	Role access for a Git daemon session
##	started from a user domain.
## </summary>
## <desc>
##	<p>
##	Lets the given role run git_session_t, lets the user
##	domain enter it by executing gitd_exec_t, and gives the
##	user domain signal and ps-style process access to the
##	session.  ptrace of the session is granted only while the
##	deny_ptrace boolean is off.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`git_session_role',`
	gen_require(`
		type git_session_t, gitd_exec_t, git_session_content_t;
	')

	########################################
	#
	# Declarations
	#

	# git_session_t is only reachable by roles that are authorised here.
	# (git_session_content_t is required above but not referenced below.)
	role $1 types git_session_t;

	########################################
	#
	# Policy
	#

	# Executing gitd_exec_t from the user domain enters the session domain.
	domtrans_pattern($2, gitd_exec_t, git_session_t)

	# The user domain may list and signal its own session processes.
	ps_process_pattern($2, git_session_t)
	allow $2 git_session_t:process signal_perms;

	# Debugging the session is tied to the global deny_ptrace boolean.
	tunable_policy(`deny_ptrace',`',`
		allow $2 git_session_t:process ptrace;
	')
')

########################################
## <summary>
##	Create a derived file type for Git
##	daemon shared repository content.
## </summary>
## <desc>
##	<p>
##	Declares a type named git_PREFIX_content_t that carries both
##	the git_system_content and git_content attributes, so every
##	git_*_all_system_content and git_*_all_content interface of
##	this module applies to it automatically.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`git_content_template',`
	gen_require(`
		attribute git_system_content, git_content;
	')

	########################################
	#
	# Declarations
	#

	# Both attributes are what the *_all_* interfaces key on;
	# files_type() makes it a regular, unprivileged file type.
	type git_$1_content_t, git_system_content, git_content;
	files_type(git_$1_content_t)
')

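########################################
## <summary>
##	Create a set of derived types for Git
##	daemon shared repository roles.
## </summary>
## <desc>
##	<p>
##	Declares an unprivileged user domain (PREFIX_t), its role
##	(PREFIX_r) and usertype attribute for working on shared Git
##	repositories.  The domain can enter via bin/shell entry points,
##	execute binaries, read system state, /etc and localization, and
##	manage and execute git_system_content_t.
##	</p>
##	<p>
##	While the git_system_use_cifs or git_system_use_nfs booleans are
##	enabled the domain may also manage and execute files on CIFS or
##	NFS filesystems.  Those grants are filesystem-wide, not limited
##	to Git content, so enable them only where the whole mount is
##	meant to be reachable from this role.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`git_role_template',`
	gen_require(`
		class context contains;
		role system_r;
	')

	########################################
	#
	# Git daemon role shared declarations.
	#

	attribute $1_usertype;

	type $1_t;
	userdom_unpriv_usertype($1, $1_t)
	domain_type($1_t)

	role $1_r types $1_t;
	# Permit a role change from system_r into this role (presumably so
	# system daemons can hand a session over to it -- confirm with callers).
	allow system_r $1_r;

	########################################
	#
	# Git daemon role shared policy.
	#

	allow $1_t self:context contains;
	allow $1_t self:fifo_file rw_fifo_file_perms;

	# Entry points and execution of system binaries/shells.
	corecmd_exec_bin($1_t)
	corecmd_bin_entry_type($1_t)
	corecmd_shell_entry_type($1_t)

	domain_interactive_fd($1_t)
	domain_user_exemption_target($1_t)

	kernel_read_system_state($1_t)

	files_read_etc_files($1_t)
	files_dontaudit_search_home($1_t)

	miscfiles_read_localization($1_t)

	# Full read/write/execute on the generic system repository type.
	git_rwx_generic_system_content($1_t)

	# NOTE: fs_manage_*_files()/fs_exec_*_files() apply to every file on
	# the CIFS/NFS mount, not only repositories.
	tunable_policy(`git_system_use_cifs',`
		fs_exec_cifs_files($1_t)
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_exec_nfs_files($1_t)
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
	')

	optional_policy(`
		nscd_read_pid($1_t)
	')

	# Wrapped like nscd_read_pid() above so the template still links when
	# ssh is built as a separate module that is not loaded.
	optional_policy(`
		ssh_rw_stream_sockets($1_t)
	')
')
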
#######################################
## <summary>
##	Allow specified domain access to the
##	specified Git daemon content.
## </summary>
## <desc>
##	<p>
##	Grants the domain management (create, read, write, delete) of
##	directories and files of the given type, execute on its files,
##	and search of /var/lib to reach them.  While the
##	git_system_use_cifs / git_system_use_nfs booleans are enabled the
##	same management and execute access is granted on CIFS / NFS
##	filesystems as a whole.
##	</p>
##	<p>
##	Both arguments are required as types.  Nothing here checks that
##	the object type really is Git content; the caller is responsible
##	for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	Type of the object that access is allowed to.
##	</summary>
## </param>
#
interface(`git_content_delegation',`
	gen_require(`
		type $1, $2;
	')

	# Reach /var/lib, then manage and execute the delegated type.
	files_search_var_lib($1)
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	exec_files_pattern($1, $2, $2)

	# Network filesystems: mount-wide, not limited to the delegated type.
	tunable_policy(`git_system_use_cifs',`
		fs_manage_cifs_dirs($1)
		fs_manage_cifs_files($1)
		fs_exec_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_manage_nfs_dirs($1)
		fs_manage_nfs_files($1)
		fs_exec_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to manage
##	and execute all Git daemon content.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the git_content attribute, i.e. both
##	system and session (home directory) repositories: manage dirs and
##	files, execute files, search /var/lib and user home directories.
##	The domain is also made a home directory manager via
##	userdom_home_manager() (presumably this tree's attribute-based
##	home access; confirm against userdomain.if).  CIFS / NFS access is
##	mount-wide and only granted while the matching boolean is on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_rwx_all_content',`
	gen_require(`
		attribute git_content;
	')

	# Paths to reach the repositories.
	files_search_var_lib($1)
	userdom_search_user_home_dirs($1)
	userdom_home_manager($1)

	# Manage and execute everything labelled with the attribute.
	manage_dirs_pattern($1, git_content, git_content)
	manage_files_pattern($1, git_content, git_content)
	exec_files_pattern($1, git_content, git_content)

	tunable_policy(`git_system_use_cifs',`
		fs_manage_cifs_dirs($1)
		fs_manage_cifs_files($1)
		fs_exec_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_manage_nfs_dirs($1)
		fs_manage_nfs_files($1)
		fs_exec_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to manage
##	and execute all Git daemon system content.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the git_system_content attribute
##	(the generic type plus those created by git_content_template()).
##	No home directory access is granted, unlike git_rwx_all_content().
##	CIFS / NFS access is mount-wide and only granted while the
##	matching boolean is on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_rwx_all_system_content',`
	gen_require(`
		attribute git_system_content;
	')

	files_search_var_lib($1)

	manage_dirs_pattern($1, git_system_content, git_system_content)
	manage_files_pattern($1, git_system_content, git_system_content)
	exec_files_pattern($1, git_system_content, git_system_content)

	tunable_policy(`git_system_use_cifs',`
		fs_manage_cifs_dirs($1)
		fs_manage_cifs_files($1)
		fs_exec_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_manage_nfs_dirs($1)
		fs_manage_nfs_files($1)
		fs_exec_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to manage
##	and execute Git daemon generic system content.
## </summary>
## <desc>
##	<p>
##	Same access as git_rwx_all_system_content(), but restricted to
##	the single type git_system_content_t.  CIFS / NFS access is
##	mount-wide and only granted while the matching boolean is on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_rwx_generic_system_content',`
	gen_require(`
		type git_system_content_t;
	')

	files_search_var_lib($1)

	manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
	manage_files_pattern($1, git_system_content_t, git_system_content_t)
	exec_files_pattern($1, git_system_content_t, git_system_content_t)

	tunable_policy(`git_system_use_cifs',`
		fs_manage_cifs_dirs($1)
		fs_manage_cifs_files($1)
		fs_exec_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_manage_nfs_dirs($1)
		fs_manage_nfs_files($1)
		fs_exec_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to read
##	all Git daemon content files.
## </summary>
## <desc>
##	<p>
##	Read-only counterpart of git_rwx_all_content(): list directories
##	and read files of every git_content type, search /var/lib and
##	user home directories, and become a home directory reader via
##	userdom_home_reader().  CIFS / NFS listing and reading is
##	mount-wide and only granted while the matching boolean is on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_read_all_content_files',`
	gen_require(`
		attribute git_content;
	')

	# Paths to reach the repositories.
	files_search_var_lib($1)
	userdom_search_user_home_dirs($1)
	userdom_home_reader($1)

	# Read-only access to everything labelled with the attribute.
	list_dirs_pattern($1, git_content, git_content)
	read_files_pattern($1, git_content, git_content)

	tunable_policy(`git_system_use_cifs',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to read
##	Git daemon session content files.
## </summary>
## <desc>
##	<p>
##	List directories and read files of git_session_content_t, which
##	lives under user home directories, so home directory search and
##	userdom_home_reader() are granted as well.  No CIFS / NFS rules
##	are added here; home access on those filesystems is expected to
##	come from userdom_home_reader() (confirm against userdomain.if).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_read_session_content_files',`
	gen_require(`
		type git_session_content_t;
	')

	userdom_search_user_home_dirs($1)
	userdom_home_reader($1)

	list_dirs_pattern($1, git_session_content_t, git_session_content_t)
	read_files_pattern($1, git_session_content_t, git_session_content_t)
')

#######################################
## <summary>
##	Do not audit attempts by the specified domain
##	to read Git daemon session content files.
## </summary>
## <desc>
##	<p>
##	Silences denials for read_file_perms on git_session_content_t
##	files only; directory listing is still audited and nothing is
##	allowed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`git_dontaudit_read_session_content_files',`
	gen_require(`
		type git_session_content_t;
	')

	# Suppress the noise without granting access.
	dontaudit $1 git_session_content_t:file read_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	all Git daemon system content files.
## </summary>
## <desc>
##	<p>
##	Read-only counterpart of git_rwx_all_system_content(): list and
##	read every git_system_content type under /var/lib.  No home
##	directory access.  CIFS / NFS listing and reading is mount-wide
##	and only granted while the matching boolean is on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_read_all_system_content_files',`
	gen_require(`
		attribute git_system_content;
	')

	files_search_var_lib($1)

	list_dirs_pattern($1, git_system_content, git_system_content)
	read_files_pattern($1, git_system_content, git_system_content)

	tunable_policy(`git_system_use_cifs',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to read
##	Git daemon generic system content files.
## </summary>
## <desc>
##	<p>
##	Same as git_read_all_system_content_files(), restricted to the
##	single type git_system_content_t.  CIFS / NFS listing and reading
##	is mount-wide and only granted while the matching boolean is on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_read_generic_system_content_files',`
	gen_require(`
		type git_system_content_t;
	')

	files_search_var_lib($1)

	list_dirs_pattern($1, git_system_content_t, git_system_content_t)
	read_files_pattern($1, git_system_content_t, git_system_content_t)

	tunable_policy(`git_system_use_cifs',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
	')
')

########################################
## <summary>
##	Allow the specified domain to relabel
##	all Git daemon content.
## </summary>
## <desc>
##	<p>
##	relabelfrom/relabelto on directories and files of every
##	git_content type, plus search of /var/lib and user home
##	directories.  Relabelling lets the domain move files in and out
##	of the Git content types, so it is effectively a labelling
##	privilege; no CIFS / NFS rules are added.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_relabel_all_content',`
	gen_require(`
		attribute git_content;
	')

	files_search_var_lib($1)
	userdom_search_user_home_dirs($1)

	relabel_dirs_pattern($1, git_content, git_content)
	relabel_files_pattern($1, git_content, git_content)
')

########################################
## <summary>
##	Allow the specified domain to relabel
##	all Git daemon system content.
## </summary>
## <desc>
##	<p>
##	relabelfrom/relabelto on directories and files of every
##	git_system_content type under /var/lib.  No home directory and
##	no CIFS / NFS rules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_relabel_all_system_content',`
	gen_require(`
		attribute git_system_content;
	')

	files_search_var_lib($1)

	relabel_dirs_pattern($1, git_system_content, git_system_content)
	relabel_files_pattern($1, git_system_content, git_system_content)
')

########################################
## <summary>
##	Allow the specified domain to relabel
##	Git daemon generic system content.
## </summary>
## <desc>
##	<p>
##	Same as git_relabel_all_system_content(), restricted to the
##	single type git_system_content_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_relabel_generic_system_content',`
	gen_require(`
		type git_system_content_t;
	')

	files_search_var_lib($1)

	relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
	relabel_files_pattern($1, git_system_content_t, git_system_content_t)
')

########################################
## <summary>
##	Allow the specified domain to relabel
##	Git daemon session content.
## </summary>
## <desc>
##	<p>
##	relabelfrom/relabelto on git_session_content_t directories and
##	files, plus search of user home directories where that content
##	lives.  No /var/lib search and no CIFS / NFS rules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_relabel_session_content',`
	gen_require(`
		type git_session_content_t;
	')

	userdom_search_user_home_dirs($1)

	relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
	relabel_files_pattern($1, git_session_content_t, git_session_content_t)
')