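policy_module(git, 1.0.3)

# Three attributes structure this module: git_domains collects every git
# process domain (system and session), git_content every repository label,
# and git_system_content the subset that belongs to the system daemon.

## <desc>
##	<p>
##	Allow Git daemon system to search home directories.
##	</p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)

## <desc>
##	<p>
##	Allow Git daemon system to access cifs file systems.
##	</p>
## </desc>
gen_tunable(git_system_use_cifs, false)

## <desc>
##	<p>
##	Allow Git daemon system to access nfs file systems.
##	</p>
## </desc>
gen_tunable(git_system_use_nfs, false)

########################################
#
# Git daemon global private declarations.
#

attribute git_domains;
attribute git_system_content;
attribute git_content;

########################################
#
# Git daemon system private declarations.
#

# System-wide daemon: an inetd service domain entered from gitd_exec_t,
# running in system_r rather than a user role.
type git_system_t, git_domains;
inetd_service_domain(git_system_t, gitd_exec_t)
role system_r types git_system_t;

type git_system_content_t, git_system_content, git_content;
files_type(git_system_content_t)
# NOTE(review): git_data_t is presumably the label used by earlier policy
# versions; the alias keeps such file contexts valid -- confirm before removal.
typealias git_system_content_t alias git_data_t;

########################################
#
# Git daemon session private declarations.
#

## <desc>
##	<p>
##	Allow Git daemon session to bind
##	tcp sockets to all unreserved ports.
##	</p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)

# Per-user daemon started from a login session (application domain, same
# entry point as the system daemon); ubac_constrained marks it as subject to
# user-based access control constraints.
type git_session_t, git_domains;
application_domain(git_session_t, gitd_exec_t)
ubac_constrained(git_session_t)

# Session repositories live in user home directories.  They carry the
# git_content attribute, so the system daemon's git_content rules below
# apply to them as well.
type git_session_content_t, git_content;
userdom_user_home_content(git_session_content_t)

########################################
#
# Git daemon global private policy.
#

allow git_domains self:fifo_file rw_fifo_file_perms;
allow git_domains self:netlink_route_socket create_netlink_socket_perms;
allow git_domains self:tcp_socket create_socket_perms;
allow git_domains self:udp_socket create_socket_perms;
allow git_domains self:unix_dgram_socket create_socket_perms;

# Network access common to both daemons is limited to the git port.
# Neither accept nor listen is granted here: the system daemon inherits its
# socket from inetd, and the session daemon is granted them in its own
# section further down.
corenet_all_recvfrom_netlabel(git_domains)
corenet_all_recvfrom_unlabeled(git_domains)
corenet_tcp_bind_generic_node(git_domains)
corenet_tcp_sendrecv_generic_if(git_domains)
corenet_tcp_sendrecv_generic_node(git_domains)
corenet_tcp_sendrecv_generic_port(git_domains)
corenet_tcp_bind_git_port(git_domains)
corenet_sendrecv_git_server_packets(git_domains)

corecmd_exec_bin(git_domains)

files_read_etc_files(git_domains)
files_read_usr_files(git_domains)

fs_search_auto_mountpoints(git_domains)

kernel_read_system_state(git_domains)

auth_use_nsswitch(git_domains)

logging_send_syslog_msg(git_domains)

miscfiles_read_localization(git_domains)

sysnet_read_config(git_domains)

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(git_domains)
')

optional_policy(`
	nis_use_ypbind(git_domains)
')

########################################
#
# Git daemon system repository private policy.
#

# Read access is granted over the git_content attribute, i.e. to both
# system repositories and session repositories in home directories.  What
# limits the reach into home directories is only the directory search
# permission, which stays behind git_system_enable_homedirs below.
list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)

tunable_policy(`git_system_enable_homedirs', `
	userdom_search_user_home_dirs(git_system_t)
')

# Home directories on NFS or CIFS additionally require the global
# use_nfs_home_dirs / use_samba_home_dirs booleans; both must be on.
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
')

# Repositories on network file systems outside home directories are
# opt-in per file system type.
tunable_policy(`git_system_use_cifs', `
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_nfs', `
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
')

########################################
#
# Git daemon session repository private policy.
#

# The session daemon is not started by inetd, so it needs to listen itself.
allow git_session_t self:tcp_socket { accept listen };

# Unlike the system daemon, the session daemon reads only session content,
# never git_system_content_t.
list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs(git_session_t)

userdom_use_user_terminals(git_session_t)

# Widening from the git port to every unreserved port is off by default;
# enabling it lets any user's daemon occupy ports other services may expect.
tunable_policy(`git_session_bind_all_unreserved_ports', `
	corenet_tcp_bind_all_unreserved_ports(git_session_t)
	corenet_sendrecv_generic_server_packets(git_session_t)
')

tunable_policy(`use_nfs_home_dirs', `
	fs_list_nfs(git_session_t)
	fs_read_nfs_files(git_session_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_list_cifs(git_session_t)
	fs_read_cifs_files(git_session_t)
')

########################################
#
# cgi git Declarations
#

# Web front end: the httpd_git_script_t domain created by the template
# gets read access to all repository content.
optional_policy(`
	apache_content_template(git)
	git_read_all_content_files(httpd_git_script_t)
	files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
')

########################################
#
# Git-shell private policy.
#

# Restricted login role for git-shell accounts; the user is declared at
# the lowest MLS/MCS level only (s0, s0).
git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)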