1 policy_module(git, 1.0.3)
5 ## Allow Git daemon system to search home directories.
8 gen_tunable(git_system_enable_homedirs, false)
12 ## Allow Git daemon system to access cifs file systems.
15 gen_tunable(git_system_use_cifs, false)
19 ## Allow Git daemon system to access nfs file systems.
22 gen_tunable(git_system_use_nfs, false)
24 ########################################
26 # Git daemon global private declarations.
29 attribute git_domains;
30 attribute git_system_content;
31 attribute git_content;
34 application_executable_file(gitd_exec_t)
38 ########################################
40 # Git daemon system private declarations.
43 type git_system_t, git_domains;
44 inetd_service_domain(git_system_t, gitd_exec_t)
45 role system_r types git_system_t;
47 type git_system_content_t, git_system_content, git_content;
48 files_type(git_system_content_t)
49 typealias git_system_content_t alias git_data_t;
51 ########################################
53 # Git daemon session private declarations.
58 ## Allow Git daemon session to bind
59 ## tcp sockets to all unreserved ports.
62 gen_tunable(git_session_bind_all_unreserved_ports, false)
64 type git_session_t, git_domains;
65 application_domain(git_session_t, gitd_exec_t)
66 ubac_constrained(git_session_t)
68 type git_session_content_t, git_content;
69 userdom_user_home_content(git_session_content_t)
71 ########################################
73 # Git daemon global private policy.
76 allow git_domains self:fifo_file rw_fifo_file_perms;
77 allow git_domains self:netlink_route_socket create_netlink_socket_perms;
78 allow git_domains self:tcp_socket create_socket_perms;
79 allow git_domains self:udp_socket create_socket_perms;
80 allow git_domains self:unix_dgram_socket create_socket_perms;
82 corenet_all_recvfrom_netlabel(git_domains)
83 corenet_all_recvfrom_unlabeled(git_domains)
84 corenet_tcp_bind_generic_node(git_domains)
85 corenet_tcp_sendrecv_generic_if(git_domains)
86 corenet_tcp_sendrecv_generic_node(git_domains)
87 corenet_tcp_sendrecv_generic_port(git_domains)
88 corenet_tcp_bind_git_port(git_domains)
89 corenet_sendrecv_git_server_packets(git_domains)
91 corecmd_exec_bin(git_domains)
93 files_read_etc_files(git_domains)
94 files_read_usr_files(git_domains)
96 fs_search_auto_mountpoints(git_domains)
98 kernel_read_system_state(git_domains)
100 logging_send_syslog_msg(git_domains)
102 miscfiles_read_localization(git_domains)
104 sysnet_read_config(git_domains)
107 automount_dontaudit_getattr_tmp_dirs(git_domains)
111 nis_use_ypbind(git_domains)
114 ########################################
116 # Git daemon system repository private policy.
119 list_dirs_pattern(git_system_t, git_content, git_content)
120 read_files_pattern(git_system_t, git_content, git_content)
121 files_search_var_lib(git_system_t)
123 auth_use_nsswitch(git_system_t)
125 tunable_policy(`git_system_enable_homedirs',`
126 userdom_search_user_home_dirs(git_system_t)
129 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
130 fs_list_nfs(git_system_t)
131 fs_read_nfs_files(git_system_t)
134 tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
135 fs_list_cifs(git_system_t)
136 fs_read_cifs_files(git_system_t)
139 tunable_policy(`git_system_use_cifs',`
140 fs_list_cifs(git_system_t)
141 fs_read_cifs_files(git_system_t)
144 tunable_policy(`git_system_use_nfs',`
145 fs_list_nfs(git_system_t)
146 fs_read_nfs_files(git_system_t)
149 ########################################
151 # Git daemon session repository private policy.
154 allow git_session_t self:tcp_socket { accept listen };
156 auth_use_nsswitch(git_session_t)
158 list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
159 read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
160 userdom_search_user_home_dirs(git_session_t)
162 userdom_use_inherited_user_terminals(git_session_t)
164 tunable_policy(`git_session_bind_all_unreserved_ports',`
165 corenet_tcp_bind_all_unreserved_ports(git_session_t)
166 corenet_sendrecv_generic_server_packets(git_session_t)
169 userdom_home_reader(git_session_t)
171 ########################################
173 # cgi git Declarations
177 apache_content_template(git)
178 git_read_all_content_files(httpd_git_script_t)
179 files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
181 auth_use_nsswitch(httpd_git_script_t)
184 ########################################
186 # Git-shell private policy.
188 git_role_template(git_shell)
189 gen_user(git_shell_u, user, git_shell_r, s0, s0)