policy_module(git, 1.0.3)

# All three tunables below default to off.  Each one only widens what the
# system git daemon (git_system_t) may search or read; none of them grants
# write access (see the tunable_policy bodies in the system policy section).

## <desc>
## <p>
## Allow the system git daemon (git_system_t) to search
## user home directories.  Searching alone does not grant
## reading: repositories must still carry a git content type.
## </p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)

## <desc>
## <p>
## Allow the system git daemon (git_system_t) to list and
## read files on cifs file systems.
## </p>
## </desc>
gen_tunable(git_system_use_cifs, false)

## <desc>
## <p>
## Allow the system git daemon (git_system_t) to list and
## read files on nfs file systems.
## </p>
## </desc>
gen_tunable(git_system_use_nfs, false)
23
########################################
#
# Git daemon global private declarations.
#

# Both daemon domains (git_system_t and git_session_t) carry git_domains;
# the rules in the global policy section are keyed off this attribute.
attribute git_domains;
# git_system_content: repository types served by the system daemon.
# git_content: every repository type, system and session alike.
attribute git_system_content;
attribute git_content;

# Entry point shared by the inetd (system) and session daemon domains.
type gitd_exec_t;
application_executable_file(gitd_exec_t)

# Role for git-shell accounts; filled in by git_role_template() at the
# end of this file.
role git_shell_r;
37
########################################
#
# Git daemon system private declarations.
#

# System-wide git daemon: spawned by inetd from gitd_exec_t and confined
# to the system_r role.
type git_system_t, git_domains;
inetd_service_domain(git_system_t, gitd_exec_t)
role system_r types git_system_t;

# Repository content served by the system daemon.  The
# files_search_var_lib() rule in the policy section suggests repositories
# live below /var/lib; the actual paths are in git.fc, not shown here.
type git_system_content_t, git_system_content, git_content;
files_type(git_system_content_t)
# Compatibility name for file contexts and modules that still say git_data_t.
typealias git_system_content_t alias git_data_t;
50
########################################
#
# Git daemon session private declarations.
#

## <desc>
## <p>
## Allow a user's git daemon session (git_session_t) to bind
## tcp sockets to all unreserved ports, instead of only the
## git port granted in the global policy.
## </p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)

# Per-user git daemon started from a login session rather than inetd.
# It is subject to user-based access control (ubac_constrained).
type git_session_t, git_domains;
application_domain(git_session_t, gitd_exec_t)
ubac_constrained(git_session_t)

# Repository content under a user's home directory.  It also carries
# git_content, so the system daemon's git_content rules cover it too.
type git_session_content_t, git_content;
userdom_user_home_content(git_session_content_t)
70
########################################
#
# Git daemon global private policy.
#
# Rules shared by git_system_t and git_session_t through the git_domains
# attribute.  Nothing in this section grants write access to repositories.

allow git_domains self:fifo_file rw_fifo_file_perms;
allow git_domains self:netlink_route_socket create_netlink_socket_perms;
# Socket creation only: listen/accept is granted to git_session_t in its
# own section; the inetd-spawned system daemon presumably gets its socket
# from inetd and does not need them.
allow git_domains self:tcp_socket create_socket_perms;
allow git_domains self:udp_socket create_socket_perms;
allow git_domains self:unix_dgram_socket create_socket_perms;

# Generic network access plus binding the git service port.  Unlabeled
# packets are accepted, as is usual when labeled networking is not in use.
corenet_all_recvfrom_netlabel(git_domains)
corenet_all_recvfrom_unlabeled(git_domains)
corenet_tcp_bind_generic_node(git_domains)
corenet_tcp_sendrecv_generic_if(git_domains)
corenet_tcp_sendrecv_generic_node(git_domains)
corenet_tcp_sendrecv_generic_port(git_domains)
corenet_tcp_bind_git_port(git_domains)
corenet_sendrecv_git_server_packets(git_domains)

# Both daemons may execute system binaries, presumably git's own helper
# programs; the exact set is not visible here.
corecmd_exec_bin(git_domains)

files_read_etc_files(git_domains)
files_read_usr_files(git_domains)

fs_search_auto_mountpoints(git_domains)

kernel_read_system_state(git_domains)

logging_send_syslog_msg(git_domains)

miscfiles_read_localization(git_domains)

sysnet_read_config(git_domains)

optional_policy(`
automount_dontaudit_getattr_tmp_dirs(git_domains)
')

# Name resolution via NIS, only when that module is loaded.
optional_policy(`
nis_use_ypbind(git_domains)
')
113
########################################
#
# Git daemon system repository private policy.
#

# Read-only access to every repository type, system or session.  Because
# git_session_content_t is also git_content, the system daemon can read
# user-owned repositories once it can reach them (gated below by the
# git_system_enable_homedirs tunable).  No rule here grants write.
list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)

auth_use_nsswitch(git_system_t)

# Reaching repositories in home directories is opt-in; homes on NFS or
# CIFS additionally require the corresponding home-dir boolean.
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')

# Repositories on CIFS/NFS shares outside home directories.  As the
# interface names suggest, these cover every file on such a share, not
# only git repositories, so enable them only when that is acceptable.
tunable_policy(`git_system_use_cifs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_nfs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
148
########################################
#
# Git daemon session repository private policy.
#

# Unlike the inetd-launched system daemon, the session daemon accepts
# connections itself.
allow git_session_t self:tcp_socket { accept listen };

auth_use_nsswitch(git_session_t)

# Repositories labeled git_session_content_t inside the user's home.
list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs(git_session_t)

userdom_use_inherited_user_terminals(git_session_t)

# Off by default; without it the daemon can only bind the git port
# granted in the global policy.
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(git_session_t)
corenet_sendrecv_generic_server_packets(git_session_t)
')

# NOTE(review): judging by its name, this grants read access to all of
# the user's home content, which subsumes the git_session_content_t-only
# rules above.  If repositories are consistently labeled, the narrower
# rules should suffice; confirm against git.if before tightening.
userdom_home_reader(git_session_t)
170
########################################
#
# Git web CGI (httpd_git_script_t) private policy.
#

# Only present when the apache module is loaded.  httpd_git_script_t is
# not declared in this file; the template is expected to create it.
optional_policy(`
apache_content_template(git)
# The CGI may read both system and session repositories, read-only.
git_read_all_content_files(httpd_git_script_t)
files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)

auth_use_nsswitch(httpd_git_script_t)
')
183
########################################
#
# Git-shell private policy.
#

# Role for accounts whose login shell is git-shell.  The template body
# lives in git.if and is not shown here.
git_role_template(git_shell)
# Dedicated SELinux user limited to the git_shell_r role at the single
# sensitivity level s0.
gen_user(git_shell_u, user, git_shell_r, s0, s0)