From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id EC85E138010 for ; Tue, 2 Oct 2012 21:02:28 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 90940E0369 for ; Tue, 2 Oct 2012 21:02:28 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 9620521C01D for ; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 400C033D77B for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 37C68E5441 for ; Tue, 2 Oct 2012 18:11:02 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201274.d5e591f953c14ed591986eb76fbe6d94259c4869.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/git.fc policy/modules/contrib/git.if policy/modules/contrib/git.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: d5e591f953c14ed591986eb76fbe6d94259c4869 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:02 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 7fe194ed-e0a4-4963-9943-d719d88b681b X-Archives-Hash: b3bb4fe8e3f41fe993b1c1f5d72f2259 commit: d5e591f953c14ed591986eb76fbe6d94259c4869 Author: Dominick Grift gmail com> AuthorDate: Tue Oct 2 10:21:20 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:07:54 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d5e591f9 Changes to the git policy module Ported from Fedora with changes Use role attributes for git session Module clean up Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/git.fc | 14 ++++++----- policy/modules/contrib/git.if | 6 ++++- policy/modules/contrib/git.te | 50 ++++++++++++++++++++++++++++++++++++----- 3 files changed, 57 insertions(+), 13 deletions(-) diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc index 13e72a7..24700f8 100644 --- a/policy/modules/contrib/git.fc +++ b/policy/modules/contrib/git.fc 
@@ -1,11 +1,13 @@ -HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) +/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/contrib/git.if b/policy/modules/contrib/git.if index 2917a86..bc6fc88 100644 --- a/policy/modules/contrib/git.if +++ b/policy/modules/contrib/git.if @@ -17,6 +17,7 @@ # template(`git_role',` gen_require(` + attribute_role git_session_roles; type git_session_t, gitd_exec_t, git_user_content_t; ') @@ -25,7 +26,7 @@ template(`git_role',` # Declarations # - role $1 types git_session_t; + roleattribute $1 git_session_roles; ######################################## # 
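Review bot: The new `/var/www/gitweb-caching/gitweb\.cgi` entry labels only the CGI itself; there is no directory rule parallel to `/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)`, so any static content gitweb-caching installs next to the script would presumably keep the generic /var/www label rather than being treated as git content. If the package ships more than the CGI under that directory, add `/var/www/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)` above the script line. The `-`/`+` pairs for otherwise identical paths look like whitespace-only realignments; a sentence in the commit message saying so would spare reviewers from hunting for a semantic change there.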
@@ -66,14 +67,17 @@ interface(`git_read_generic_sys_content_files',` list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) read_files_pattern($1, git_sys_content_t, git_sys_content_t) + files_search_var_lib($1) tunable_policy(`git_system_use_cifs',` + fs_getattr_cifs($1) fs_list_cifs($1) fs_read_cifs_files($1) ') tunable_policy(`git_system_use_nfs',` + fs_getattr_nfs($1) fs_list_nfs($1) fs_read_nfs_files($1) ') diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te index 2aada6b..080e7f4 100644 --- a/policy/modules/contrib/git.te +++ b/policy/modules/contrib/git.te @@ -1,4 +1,4 @@ -policy_module(git, 1.2.1) +policy_module(git, 1.2.2) ######################################## # @@ -31,6 +31,15 @@ gen_tunable(git_cgi_use_nfs, false) ## ##

+## Determine whether Git session daemon +## can bind TCP sockets to all +## unreserved ports. +##

+##
+gen_tunable(git_session_bind_all_unreserved_ports, false) + +## +##

## Determine whether calling user domains ## can execute Git daemon in the ## git_session_t domain. @@ -71,6 +80,7 @@ gen_tunable(git_system_use_cifs, false) gen_tunable(git_system_use_nfs, false) attribute git_daemon; +attribute_role git_session_roles; apache_content_template(git) @@ -80,6 +90,7 @@ inetd_service_domain(git_system_t, gitd_exec_t) type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) +role git_session_roles types git_session_t; type git_sys_content_t; files_type(git_sys_content_t) @@ -89,7 +100,7 @@ userdom_user_home_content(git_user_content_t) ######################################## # -# Git session policy +# Session policy # allow git_session_t self:tcp_socket { accept listen }; @@ -103,26 +114,36 @@ corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) corenet_tcp_sendrecv_generic_if(git_session_t) corenet_tcp_sendrecv_generic_node(git_session_t) -corenet_tcp_sendrecv_generic_port(git_session_t) + +corenet_sendrecv_git_server_packets(git_session_t) corenet_tcp_bind_git_port(git_session_t) corenet_tcp_sendrecv_git_port(git_session_t) -corenet_sendrecv_git_server_packets(git_session_t) auth_use_nsswitch(git_session_t) userdom_use_user_terminals(git_session_t) +tunable_policy(`git_session_bind_all_unreserved_ports',` + corenet_sendrecv_all_server_packets(git_session_t) + corenet_tcp_bind_all_unreserved_ports(git_session_t) + corenet_tcp_sendrecv_all_ports(git_session_t) +') + tunable_policy(`git_session_send_syslog_msg',` logging_send_syslog_msg(git_session_t) ') tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(git_session_t) + fs_list_nfs(git_session_t) fs_read_nfs_files(git_session_t) ',` fs_dontaudit_read_nfs_files(git_session_t) ') tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(git_session_t) + fs_list_cifs(git_session_t) fs_read_cifs_files(git_session_t) ',` fs_dontaudit_read_cifs_files(git_session_t) 
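Review bot: In the new `git_session_bind_all_unreserved_ports` block, `corenet_tcp_sendrecv_all_ports(git_session_t)` is wider than both the bind grant beside it and the tunable's own description ("can bind TCP sockets to all unreserved ports"), since it covers reserved port types as well. If the intent is only to let the session daemon listen on a non-default unreserved port, the sendrecv grant should be scoped to the unreserved range so the tunable's effect matches its documentation; otherwise the description text should state that it also permits traffic on all ports. A short comment above the block naming the use case, e.g. `# allow git daemon to listen on a user-chosen unreserved port`, would help the next reader. The hunk also drops `corenet_tcp_sendrecv_generic_port(git_session_t)` while keeping the git-port calls; if that removal is deliberate rather than a side effect of the reordering, it deserves a mention in the commit message.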
@@ -130,11 +151,12 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # -# Git system policy +# System policy # list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) + files_search_var_lib(git_system_t) auth_use_nsswitch(git_system_t) @@ -146,24 +168,32 @@ tunable_policy(`git_system_enable_homedirs',` ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` + fs_getattr_nfs(git_system_t) + fs_list_nfs(git_system_t) fs_read_nfs_files(git_system_t) ',` fs_dontaudit_read_nfs_files(git_system_t) ') tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` + fs_getattr_cifs(git_system_t) + fs_list_cifs(git_system_t) fs_read_cifs_files(git_system_t) ',` fs_dontaudit_read_cifs_files(git_system_t) ') tunable_policy(`git_system_use_cifs',` + fs_getattr_cifs(git_system_t) + fs_list_cifs(git_system_t) fs_read_cifs_files(git_system_t) ',` fs_dontaudit_read_cifs_files(git_system_t) ') tunable_policy(`git_system_use_nfs',` + fs_getattr_nfs(git_system_t) + fs_list_nfs(git_system_t) fs_read_nfs_files(git_system_t) ',` fs_dontaudit_read_nfs_files(git_system_t) @@ -171,7 +201,7 @@ tunable_policy(`git_system_use_nfs',` ######################################## # -# Git CGI policy +# CGI policy # list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) 
@@ -187,24 +217,32 @@ tunable_policy(`git_cgi_enable_homedirs',` ') tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` + fs_getattr_nfs(httpd_git_script_t) + fs_list_nfs(httpd_git_script_t) fs_read_nfs_files(httpd_git_script_t) ',` fs_dontaudit_read_nfs_files(httpd_git_script_t) ') tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` + fs_getattr_cifs(httpd_git_script_t) + fs_list_cifs(httpd_git_script_t) fs_read_cifs_files(httpd_git_script_t) ',` fs_dontaudit_read_cifs_files(httpd_git_script_t) ') tunable_policy(`git_cgi_use_cifs',` + fs_getattr_cifs(httpd_git_script_t) + fs_list_cifs(httpd_git_script_t) fs_read_cifs_files(httpd_git_script_t) ',` fs_dontaudit_read_cifs_files(httpd_git_script_t) ') tunable_policy(`git_cgi_use_nfs',` + fs_getattr_nfs(httpd_git_script_t) + fs_list_nfs(httpd_git_script_t) fs_read_nfs_files(httpd_git_script_t) ',` fs_dontaudit_read_nfs_files(httpd_git_script_t)