git_daemon domain patch
git_daemon.patch.txt (text/plain), 15.32 KB, created by
Dominick Grift
on 2008-08-01 13:18:11 UTC
(
hide
)
Description:
git_daemon domain patch
Filename:
MIME Type:
Creator:
Dominick Grift
Created:
2008-08-01 13:18:11 UTC
Size:
15.32 KB
patch
obsolete
>diff --git a/config/appconfig-mcs/gitusr_u_default_contexts b/config/appconfig-mcs/gitusr_u_default_contexts
>new file mode 100644
>index 0000000..7937233
>--- /dev/null
>+++ b/config/appconfig-mcs/gitusr_u_default_contexts
>@@ -0,0 +1,3 @@
>+system_r:local_login_t:s0 gitusr_r:gitusr_t:s0
>+system_r:remote_login_t:s0 gitusr_r:gitusr_t:s0
>+system_r:sshd_t:s0 gitusr_r:gitusr_t:s0
>diff --git a/config/appconfig-mls/gitusr_u_default_contexts b/config/appconfig-mls/gitusr_u_default_contexts
>new file mode 100644
>index 0000000..7937233
>--- /dev/null
>+++ b/config/appconfig-mls/gitusr_u_default_contexts
>@@ -0,0 +1,3 @@
>+system_r:local_login_t:s0 gitusr_r:gitusr_t:s0
>+system_r:remote_login_t:s0 gitusr_r:gitusr_t:s0
>+system_r:sshd_t:s0 gitusr_r:gitusr_t:s0
>diff --git a/config/appconfig-standard/gitusr_u_default_contexts b/config/appconfig-standard/gitusr_u_default_contexts
>new file mode 100644
>index 0000000..c724444
>--- /dev/null
>+++ b/config/appconfig-standard/gitusr_u_default_contexts
>@@ -0,0 +1,3 @@
>+system_r:local_login_t gitusr_r:gitusr_t
>+system_r:remote_login_t gitusr_r:gitusr_t
>+system_r:sshd_t gitusr_r:gitusr_t
>diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
>index 8ccf467..0f12de4 100644
>--- a/policy/modules/kernel/corenetwork.te.in
>+++ b/policy/modules/kernel/corenetwork.te.in
>@@ -95,6 +95,7 @@ network_port(ftp_data, tcp,20,s0)
> network_port(ftp, tcp,21,s0)
> network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
> network_port(giftd, tcp,1213,s0)
>+network_port(git_daemon, tcp,9418,s0)
> network_port(gopher, tcp,70,s0, udp,70,s0)
> network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
>diff --git a/policy/modules/roles/gitusr.fc b/policy/modules/roles/gitusr.fc
>new file mode 100644
>index 0000000..8b13789
>--- /dev/null
>+++ b/policy/modules/roles/gitusr.fc
>@@ -0,0 +1 @@
>+
>diff --git a/policy/modules/roles/gitusr.if b/policy/modules/roles/gitusr.if
>new file mode 100644
>index 0000000..7f9ef0b
>--- /dev/null
>+++ b/policy/modules/roles/gitusr.if
>@@ -0,0 +1 @@
>+## <summary>Policy for Git users</summary>
>diff --git a/policy/modules/roles/gitusr.te b/policy/modules/roles/gitusr.te
>new file mode 100644
>index 0000000..5eb89f8
>--- /dev/null
>+++ b/policy/modules/roles/gitusr.te
>@@ -0,0 +1,10 @@
>+
>+policy_module(gitusr, 0.0.1)
>+
>+########################################
>+#
>+# gitusr private policy
>+#
>+
>+userdom_git_user_template(gitusr)
>+
>diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
>index f08dbee..9a5cc7a 100644
>--- a/policy/modules/services/apache.te
>+++ b/policy/modules/services/apache.te
>@@ -441,6 +441,12 @@ optional_policy(`
> ')
> 
> optional_policy(`
>+ # make this tunable?
>+ git_daemon_read_git_daemon_data(httpd_t)
>+ git_daemon_read_git_daemon_user_content(httpd_t)
>+')
>+
>+optional_policy(`
> kerberos_use(httpd_t)
> kerberos_read_kdc_config(httpd_t)
> ')
>diff --git a/policy/modules/services/git_daemon.fc b/policy/modules/services/git_daemon.fc
>new file mode 100644
>index 0000000..82fa61c
>--- /dev/null
>+++ b/policy/modules/services/git_daemon.fc
>@@ -0,0 +1,8 @@
>+
>+/srv/git(/.*)? gen_context(system_u:object_r:git_daemon_data_t, s0)
>+
>+/usr/bin/git-daemon -- gen_context(system_u:object_r:git_daemon_exec_t, s0)
>+
>+/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
>+
>+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_daemon_user_content_t, s0)
>diff --git a/policy/modules/services/git_daemon.if b/policy/modules/services/git_daemon.if
>new file mode 100644
>index 0000000..6b88c67
>--- /dev/null
>+++ b/policy/modules/services/git_daemon.if
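Review bot: In the apache.te hunk, `git_daemon_read_git_daemon_user_content(httpd_t)` gives the web server read access to git_daemon_user_content_t, i.e. to every user's `~/public_git`, with no boolean in front of it, and the in-hunk comment `# make this tunable?` already flags this. Exposure of home-directory content through httpd is normally opt-in, so the user-content call should sit inside a `tunable_policy` block keyed on the existing httpd_enable_homedirs boolean (if this tree has it; otherwise a git-specific one), while `git_daemon_read_git_daemon_data(httpd_t)` for `/srv/git` can reasonably stay unconditional. Note also that the interface grants list/read on the content type only, not search on user home directories, so unless another apache.te rule supplies that, httpd_t may still be stopped at the home directory itself. The optional_policy list this sits in continues outside the hunk.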
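Review bot: In git_daemon.fc, the `/var/www/git/gitweb.cgi` entry labels the file `httpd_gitweb_script_exec_t`, but that type is only brought into existence by `apache_content_template(gitweb)`, which git_daemon.te calls inside an `optional_policy` block; on a build without the apache module this .fc line would name a type that was never declared. If the build does not tolerate that, the entry belongs in apache.fc next to the other gitweb-style CGI labels, or the gitweb declarations should move out of the optional block. Separately, `/usr/bin/git-daemon` should be confirmed against where the target distribution actually installs the binary; if it lives under a libexec git-core directory instead, nothing gets git_daemon_exec_t and the domain transitions in the .if and inetd policy never fire.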
>@@ -0,0 +1,249 @@
>+## <summary>SELinux policy for the Git daemon.</summary>
>+## <desc>
>+## <p>
>+## Applies SELinux security to the Git daemon.
>+## </p>
>+## </desc>
>+
>+#######################################
>+## <summary>
>+## The per role template for the Git daemon module.
>+## </summary>
>+## <desc>
>+## <p>
>+## This template creates derived domains which are used
>+## for the Git daemon.
>+## </p>
>+## <p>
>+## This template is invoked automatically for each user, and
>+## generally does not need to be invoked directly
>+## by policy writers.
>+## </p>
>+## </desc>
>+## <param name="userdomain_prefix">
>+## <summary>
>+## The prefix of the user domain (e.g., user
>+## is the prefix for user_t).
>+## </summary>
>+## </param>
>+## <param name="user_domain">
>+## <summary>
>+## The type of the user domain.
>+## </summary>
>+## </param>
>+## <param name="user_role">
>+## <summary>
>+## The role associated with the user domain.
>+## </summary>
>+## </param>
>+#
>+template(`git_daemon_per_role_template', `
>+ gen_require(`
>+ type git_daemon_exec_t, git_daemon_user_content_t;
>+ ')
>+
>+ ########################################
>+ #
>+ # Git daemon public declarations.
>+ #
>+ type $1_git_daemon_t;
>+ application_domain($1_git_daemon_t, git_daemon_exec_t)
>+ role $3 types $1_git_daemon_t;
>+
>+ ########################################
>+ #
>+ # Git daemon public policy.
>+ #
>+ allow $1_git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>+ allow $1_git_daemon_t self:tcp_socket { bind create setopt listen };
>+ allow $1_git_daemon_t self:udp_socket { create connect getattr };
>+ allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms;
>+ allow $1_git_daemon_t self:process signal;
>+
>+ allow $1_git_daemon_t $2:process sigchld;
>+
>+ allow $2 $1_git_daemon_t:process { ptrace signal_perms };
>+
>+ list_dirs_pattern($1_git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t)
>+ read_files_pattern($1_git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t)
>+ userdom_search_user_home_dirs($1, $1_git_daemon_t)
>+
>+ manage_dirs_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t)
>+ manage_files_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t)
>+ exec_files_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t)
>+ userdom_user_home_dir_filetrans($1, $1_git_daemon_t, git_daemon_user_content_t, { dir file })
>+
>+ relabel_dirs_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t)
>+ relabel_files_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t)
>+
>+ domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t)
>+
>+ ps_process_pattern($2, $1_git_daemon_t)
>+
>+ corecmd_exec_bin($1_git_daemon_t)
>+ corecmd_search_bin($1_git_daemon_t)
>+
>+ corenet_all_recvfrom_unlabeled($1_git_daemon_t)
>+ corenet_all_recvfrom_netlabel($1_git_daemon_t)
>+
>+ corenet_tcp_sendrecv_all_if($1_git_daemon_t)
>+ corenet_tcp_sendrecv_all_nodes($1_git_daemon_t)
>+
>+ corenet_tcp_bind_all_nodes($1_git_daemon_t)
>+
>+ corenet_tcp_bind_git_daemon_port($1_git_daemon_t)
>+
>+ files_read_etc_files($1_git_daemon_t)
>+
>+ files_search_home($1_git_daemon_t)
>+ files_search_usr($1_git_daemon_t)
>+
>+ kernel_read_system_state($1_git_daemon_t)
>+
>+ libs_use_ld_so($1_git_daemon_t)
>+ libs_use_shared_libs($1_git_daemon_t)
>+
>+ logging_send_syslog_msg($1_git_daemon_t)
>+
>+ miscfiles_read_localization($1_git_daemon_t)
>+
>+ nscd_read_pid($1_git_daemon_t)
>+
>+ sysnet_read_config($1_git_daemon_t)
>+
>+ userdom_use_user_terminals($1, $1_git_daemon_t)
>+
>+ tunable_policy(`use_nfs_home_dirs', `
>+ fs_manage_nfs_dirs($1_git_daemon_t)
>+ fs_manage_nfs_files($1_git_daemon_t)
>+ ')
>+
>+ tunable_policy(`use_samba_home_dirs', `
>+ fs_manage_cifs_dirs($1_git_daemon_t)
>+ fs_manage_cifs_files($1_git_daemon_t)
>+ ')
>+
>+ optional_policy(`
>+ automount_dontaudit_getattr_tmp_dirs($1_git_daemon_t)
>+ ')
>+
>+ optional_policy(`
>+ fs_search_auto_mountpoints($1_git_daemon_t)
>+ ')
>+
>+ optional_policy(`
>+ nis_use_ypbind($1_git_daemon_t)
>+ ')
>+')
>+
>+########################################
>+## <summary>
>+## Allow the specified domain to read
>+## Git daemon data.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`git_daemon_read_git_daemon_data', `
>+ gen_require(`
>+ type git_daemon_data_t;
>+ ')
>+ list_dirs_pattern($1, git_daemon_data_t, git_daemon_data_t)
>+ read_files_pattern($1, git_daemon_data_t, git_daemon_data_t)
>+')
>+
>+########################################
>+## <summary>
>+## Allow the specified domain to manage
>+## Git daemon data.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`git_daemon_manage_git_daemon_data', `
>+ gen_require(`
>+ type git_daemon_data_t;
>+ ')
>+
>+ manage_dirs_pattern($1, git_daemon_data_t, git_daemon_data_t)
>+ manage_files_pattern($1, git_daemon_data_t, git_daemon_data_t)
>+')
>+
>+########################################
>+## <summary>
>+## Allow the specified domain to execute
>+## Git daemon data files.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`git_daemon_execute_git_daemon_data', `
>+ gen_require(`
>+ type git_daemon_data_t;
>+ ')
>+
>+ exec_files_pattern($1, git_daemon_data_t, git_daemon_data_t)
>+')
>+
>+########################################
>+## <summary>
>+## All of the rules required to administrate
>+## an Git daemon environment
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <param name="role">
>+## <summary>
>+## The role to be allowed to manage the Git daemon domain.
>+## </summary>
>+## </param>
>+## <param name="terminal">
>+## <summary>
>+## The type of the user terminal.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`git_daemon_admin',`
>+ gen_require(`
>+ type git_daemon_t, git_daemon_exec_t, git_daemon_data_t;
>+ ')
>+
>+ allow $1 git_daemon_t:process { ptrace signal_perms getattr };
>+# TODO
>+')
>+
>+########################################
>+## <summary>
>+## Allow the specified domain to read
>+## Git daemon user content.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`git_daemon_read_git_daemon_user_content', `
>+ gen_require(`
>+ type git_daemon_user_content_t;
>+ ')
>+ list_dirs_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t)
>+ read_files_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t)
>+')
>diff --git a/policy/modules/services/git_daemon.te b/policy/modules/services/git_daemon.te
>new file mode 100644
>index 0000000..5904a62
>--- /dev/null
>+++ b/policy/modules/services/git_daemon.te
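Review bot: In git_daemon_per_role_template, `userdom_user_home_dir_filetrans($1, $1_git_daemon_t, git_daemon_user_content_t, { dir file })` is attached to the daemon domain, which this template only grants list/read on user content, so that transition can never be exercised; meanwhile the user domain `$2`, which does get `manage_dirs_pattern`/`manage_files_pattern` on the type, has no filetrans, so a `~/public_git` the user creates will carry the generic home-content label until a relabel. The second argument should be `$2`, and `dir` alone is enough since the .fc entry already covers everything beneath the top-level directory. Two smaller points in the same template: `allow $1_git_daemon_t self:tcp_socket { bind create setopt listen }` has no `accept` (nor read/write), so a domain that can listen on port 9418 cannot actually serve a clone, which suggests the rule set came from a partial run and should be re-checked against an AVC from a real fetch; and `git_daemon_admin` documents `role` and `terminal` parameters it never uses, requires `git_daemon_exec_t`/`git_daemon_data_t` it never references, and ends in `# TODO`, so it should either be completed or dropped before merge rather than shipped as an interface that grants only ptrace.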
>@@ -0,0 +1,110 @@
>+
>+policy_module(git_daemon, 0.0.1)
>+
>+########################################
>+#
>+# Git daemon private declarations.
>+#
>+type git_daemon_t;
>+type git_daemon_exec_t;
>+inetd_service_domain(git_daemon_t, git_daemon_exec_t)
>+role system_r types git_daemon_t;
>+
>+application_executable_file(git_daemon_exec_t)
>+
>+type git_daemon_data_t;
>+files_type(git_daemon_data_t)
>+
>+type git_daemon_user_content_t;
>+files_poly_member(git_daemon_user_content_t)
>+userdom_user_home_content(user, git_daemon_user_content_t)
>+
>+## <desc>
>+## <p>
>+## Allow Git daemon to read home directories
>+## </p>
>+## </desc>
>+gen_tunable(git_daemon_enable_homedirs, false)
>+
>+## <desc>
>+## <p>
>+## Allow Git daemon to access nfs file systems
>+## </p>
>+## </desc>
>+gen_tunable(git_daemon_use_nfs, false)
>+
>+## <desc>
>+## <p>
>+## Allow Git daemon to access cifs file systems
>+## </p>
>+## </desc>
>+gen_tunable(git_daemon_use_cifs, false)
>+
>+########################################
>+#
>+# Git daemon private policy.
>+#
>+allow git_daemon_t self:fifo_file rw_fifo_file_perms;
>+allow git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>+allow git_daemon_t self:udp_socket { write read create connect getattr };
>+allow git_daemon_t self:unix_dgram_socket { write create connect };
>+
>+list_dirs_pattern(git_daemon_t, git_daemon_data_t, git_daemon_data_t)
>+read_files_pattern(git_daemon_t, git_daemon_data_t, git_daemon_data_t)
>+
>+corecmd_exec_bin(git_daemon_t)
>+corecmd_search_bin(git_daemon_t)
>+
>+corenet_all_recvfrom_unlabeled(git_daemon_t)
>+corenet_all_recvfrom_netlabel(git_daemon_t)
>+
>+files_read_etc_files(git_daemon_t)
>+
>+files_search_home(git_daemon_t)
>+files_search_usr(git_daemon_t)
>+
>+kernel_read_system_state(git_daemon_t)
>+
>+libs_use_ld_so(git_daemon_t)
>+libs_use_shared_libs(git_daemon_t)
>+
>+logging_send_syslog_msg(git_daemon_t)
>+
>+miscfiles_read_localization(git_daemon_t)
>+
>+nscd_read_pid(git_daemon_t)
>+
>+sysnet_read_config(git_daemon_t)
>+
>+optional_policy(`
>+ apache_content_template(gitweb)
>+ apache_search_sys_content(httpd_gitweb_script_t)
>+ files_getattr_tmp_dirs(httpd_gitweb_script_t)
>+ git_daemon_read_git_daemon_data(httpd_gitweb_script_t)
>+')
>+
>+tunable_policy(`git_daemon_enable_homedirs',`
>+ list_dirs_pattern(git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t)
>+ read_files_pattern(git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t)
>+ userdom_search_user_home_dirs(user, git_daemon_t)
>+')
>+
>+tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', `
>+ fs_read_nfs_files(git_daemon_t)
>+ fs_read_nfs_symlinks(git_daemon_t)
>+')
>+
>+tunable_policy(`git_daemon_use_nfs', `
>+ fs_read_nfs_files(git_daemon_t)
>+ fs_read_nfs_symlinks(git_daemon_t)
>+')
>+
>+tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', `
>+ fs_manage_cifs_dirs(git_daemon_t)
>+ fs_read_cifs_files(git_daemon_t)
>+')
>+
>+tunable_policy(`git_daemon_use_cifs', `
>+ fs_manage_cifs_dirs(git_daemon_t)
>+ fs_read_cifs_files(git_daemon_t)
>+')
>diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>index 96d11e2..d3baa09 100644
>--- a/policy/modules/system/userdomain.if
>+++ b/policy/modules/system/userdomain.if
>@@ -984,6 +984,11 @@ template(`userdom_login_user_template', `
> ')
> 
> optional_policy(`
>+ # unless we do not want local users read access to git_daemon_data_t. e.g. local shared repository.
>+ git_daemon_read_git_daemon_data($1_t)
>+ ')
>+
>+ optional_policy(`
> kerberos_use($1_t)
> ')
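Review bot: In git_daemon.te, both CIFS branches grant `fs_manage_cifs_dirs(git_daemon_t)` while the parallel NFS branches grant only `fs_read_nfs_files`/`fs_read_nfs_symlinks`; git_daemon_t is otherwise a read-only domain (list/read on git_daemon_data_t, no write rule anywhere in the file), so handing it create/write/unlink on every CIFS directory is wider than the NFS case and than the daemon needs. A read-only directory interface (`fs_list_cifs` if this tree provides it) together with `fs_read_cifs_files` and `fs_read_cifs_symlinks` is the matching shape for both `git_daemon_use_cifs` and `git_daemon_enable_homedirs && use_samba_home_dirs`. Also, `userdom_search_user_home_dirs(user, git_daemon_t)` covers only the `user` prefix, so with the home-dir boolean enabled the daemon still could not reach a `staff_u` or gitusr home `public_git`; a search on all user home directories is probably what is meant, but confirm which interface this tree offers.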
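Review bot: In the userdomain.if hunk at line 984, `git_daemon_read_git_daemon_data($1_t)` gives every confined login user read access to everything under `/srv/git`, and the in-hunk comment concedes an admin may not want that for a local shared repository. That decision belongs in a boolean, not a comment: declare a tunable such as `gen_tunable(git_daemon_read_local_repos, false)` in git_daemon.te and wrap this call in a `tunable_policy` block keyed on it, so private repositories are not readable by default and an admin opts in. The enclosing userdom_login_user_template starts and ends outside the hunk.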
> 
>@@ -5513,3 +5518,57 @@ interface(`userdom_dbus_send_all_users',`
> interface(`userdom_unconfined',`
> refpolicywarn(`$0($*) has been deprecated.')
> ')
>+
>+#######################################
>+## <summary>
>+## The template for creating a Git user.
>+## </summary>
>+## <desc>
>+## <p>
>+## This template creates a user domain, types, and
>+## rules for the user's tty, pty.
>+## </p>
>+## </desc>
>+## <param name="userdomain_prefix">
>+## <summary>
>+## The prefix of the user domain (e.g., user
>+## is the prefix for user_t).
>+## </summary>
>+## </param>
>+#
>+template(`userdom_git_user_template',`
>+ gen_require(`
>+ attribute unpriv_userdomain, user_ptynode, user_ttynode;
>+ ')
>+ ##############################
>+ #
>+ # Git user public declarations
>+ #
>+ gen_tunable(allow_$1_exec_content, true)
>+
>+ userdom_base_user_template($1)
>+
>+ typeattribute $1_t unpriv_userdomain;
>+ domain_interactive_fd($1_t)
>+
>+ typeattribute $1_devpts_t user_ptynode;
>+ typeattribute $1_tty_device_t user_ttynode;
>+
>+ ##############################
>+ #
>+ # Git user public policy
>+ #
>+ allow $1_t self:capability { setgid chown fowner };
>+ dontaudit $1_t self:capability { sys_nice fsetid };
>+
>+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
>+ dontaudit $1_t self:process setrlimit;
>+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
>+
>+ allow $1_t self:context contains;
>+
>+ kernel_dontaudit_read_system_state($1_t)
>+
>+ git_daemon_manage_git_daemon_data($1_t)
>+ git_daemon_execute_git_daemon_data($1_t)
>+')
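Review bot: `gen_tunable(allow_$1_exec_content, true)` is declared by userdom_git_user_template but nothing in the template consults it, so the boolean exists in the policy and changes nothing; the obvious consumer is `git_daemon_execute_git_daemon_data($1_t)` at the bottom, which should be wrapped in a `tunable_policy` block keyed on `allow_$1_exec_content`, or the declaration should go. Worth a second look in the same template: `allow $1_t self:capability { setgid chown fowner }` plus the near-blanket `allow $1_t self:process ~{ ... }` are wider than a push/pull-only account needs; if `chown`/`fowner` are only there for shared-repository group ownership, a one-line comment should say so, and otherwise they should be dropped. Because this user domain can both manage and execute git_daemon_data_t, it can plant and run server-side hooks in a shared repository; that is inherent to hosting git with shell users, but it deserves a sentence in the template's desc so an admin knows the exec grant is not cosmetic.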