policy/modules/services/git.te

   1 policy_module(git, 1.0.3)
   2
   3 ## <desc>
   4 ## <p>
   5 ## Allow Git daemon system to search home directories.
   6 ## </p>
   7 ## </desc>
   8 gen_tunable(git_system_enable_homedirs, false)
   9
  10 ## <desc>
  11 ## <p>
  12 ## Allow Git daemon system to access cifs file systems.
  13 ## </p>
  14 ## </desc>
  15 gen_tunable(git_system_use_cifs, false)
  16
  17 ## <desc>
  18 ## <p>
  19 ## Allow Git daemon system to access nfs file systems.
  20 ## </p>
  21 ## </desc>
  22 gen_tunable(git_system_use_nfs, false)
  23
  24 ########################################
  25 #
  26 # Git daemon global private declarations.
  27 #
  28
  29 attribute git_domains;
  30 attribute git_system_content;
  31 attribute git_content;
  32
  33 type gitd_exec_t;
  34
  35 ########################################
  36 #
  37 # Git daemon system private declarations.
  38 #
  39
  40 type git_system_t, git_domains;
  41 inetd_service_domain(git_system_t, gitd_exec_t)
  42 role system_r types git_system_t;
  43
  44 type git_system_content_t, git_system_content, git_content;
  45 files_type(git_system_content_t)
  46 typealias git_system_content_t alias git_data_t;
  47
  48 ########################################
  49 #
  50 # Git daemon session private declarations.
  51 #
  52
  53 ## <desc>
  54 ## <p>
  55 ## Allow Git daemon session to bind
  56 ## tcp sockets to all unreserved ports.
  57 ## </p>
  58 ## </desc>
  59 gen_tunable(git_session_bind_all_unreserved_ports, false)
  60
  61 type git_session_t, git_domains;
  62 application_domain(git_session_t, gitd_exec_t)
  63 ubac_constrained(git_session_t)
  64
  65 type git_session_content_t, git_content;
  66 userdom_user_home_content(git_session_content_t)
  67
  68 ########################################
  69 #
  70 # Git daemon global private policy.
  71 #
  72
  73 allow git_domains self:fifo_file rw_fifo_file_perms;
  74 allow git_domains self:netlink_route_socket create_netlink_socket_perms;
  75 allow git_domains self:tcp_socket create_socket_perms;
  76 allow git_domains self:udp_socket create_socket_perms;
  77 allow git_domains self:unix_dgram_socket create_socket_perms;
  78
  79 corenet_all_recvfrom_netlabel(git_domains)
  80 corenet_all_recvfrom_unlabeled(git_domains)
  81 corenet_tcp_bind_generic_node(git_domains)
  82 corenet_tcp_sendrecv_generic_if(git_domains)
  83 corenet_tcp_sendrecv_generic_node(git_domains)
  84 corenet_tcp_sendrecv_generic_port(git_domains)
  85 corenet_tcp_bind_git_port(git_domains)
  86 corenet_sendrecv_git_server_packets(git_domains)
  87
  88 corecmd_exec_bin(git_domains)
  89
  90 files_read_etc_files(git_domains)
  91 files_read_usr_files(git_domains)
  92
  93 fs_search_auto_mountpoints(git_domains)
  94
  95 kernel_read_system_state(git_domains)
  96
  97 auth_use_nsswitch(git_domains)
  98
  99 logging_send_syslog_msg(git_domains)
 100
 101 miscfiles_read_localization(git_domains)
 102
 103 sysnet_read_config(git_domains)
 104
 105 optional_policy(`
 106         automount_dontaudit_getattr_tmp_dirs(git_domains)
 107 ')
 108
 109 optional_policy(`
 110         nis_use_ypbind(git_domains)
 111 ')
 112
 113 ########################################
 114 #
 115 # Git daemon system repository private policy.
 116 #
 117
 118 list_dirs_pattern(git_system_t, git_content, git_content)
 119 read_files_pattern(git_system_t, git_content, git_content)
 120 files_search_var_lib(git_system_t)
 121
 122 tunable_policy(`git_system_enable_homedirs', `
 123         userdom_search_user_home_dirs(git_system_t)
 124 ')
 125
 126 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
 127         fs_list_nfs(git_system_t)
 128         fs_read_nfs_files(git_system_t)
 129 ')
 130
 131 tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
 132         fs_list_cifs(git_system_t)
 133         fs_read_cifs_files(git_system_t)
 134 ')
 135
 136 tunable_policy(`git_system_use_cifs', `
 137         fs_list_cifs(git_system_t)
 138         fs_read_cifs_files(git_system_t)
 139 ')
 140
 141 tunable_policy(`git_system_use_nfs', `
 142         fs_list_nfs(git_system_t)
 143         fs_read_nfs_files(git_system_t)
 144 ')
 145
 146 ########################################
 147 #
 148 # Git daemon session repository private policy.
 149 #
 150
 151 allow git_session_t self:tcp_socket { accept listen };
 152
 153 list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
 154 read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
 155 userdom_search_user_home_dirs(git_session_t)
 156
 157 userdom_use_user_terminals(git_session_t)
 158
 159 tunable_policy(`git_session_bind_all_unreserved_ports', `
 160         corenet_tcp_bind_all_unreserved_ports(git_session_t)
 161         corenet_sendrecv_generic_server_packets(git_session_t)
 162 ')
 163
 164 tunable_policy(`use_nfs_home_dirs', `
 165         fs_list_nfs(git_session_t)
 166         fs_read_nfs_files(git_session_t)
 167 ')
 168
 169 tunable_policy(`use_samba_home_dirs', `
 170         fs_list_cifs(git_session_t)
 171         fs_read_cifs_files(git_session_t)
 172 ')
 173
 174 ########################################
 175 #
 176 # cgi git Declarations
 177 #
 178
 179 optional_policy(`
 180         apache_content_template(git)
 181         git_read_all_content_files(httpd_git_script_t)
 182         files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
 183 ')
 184
 185 ########################################
 186 #
 187 # Git-shell private policy.
 188 #
 189
 190 git_role_template(git_shell)
 191 gen_user(git_shell_u, user, git_shell_r, s0, s0)
 192