Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 313344 Details for
Bug 457223
confined user access to public content types
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
git_daemon domain.
gitd.patch.txt (text/plain), 20.50 KB, created by
Dominick Grift
on 2008-08-04 10:02:23 UTC
(
hide
)
Description:
git_daemon domain.
Filename:
MIME Type:
Creator:
Dominick Grift
Created:
2008-08-04 10:02:23 UTC
Size:
20.50 KB
patch
obsolete
>diff --git a/man/man8/git_daemon_selinux.8 b/man/man8/git_daemon_selinux.8 >new file mode 100644 >index 0000000..1b8e338 >--- /dev/null >+++ b/man/man8/git_daemon_selinux.8 >@@ -0,0 +1,82 @@ >+.TH "git_daemon_selinux" "8" "03 Aug 2008" "domg472@gmail.com" "Git daemon SELinux Policy documentation" >+.de EX >+.nf >+.ft CW >+.. >+.de EE >+.ft R >+.fi >+.. >+.SH "NAME" >+.PP >+git_daemon_selinux \- Security-Enhanced Linux policy for Git daemon. >+.SH "DESCRIPTION" >+.PP >+Security-Enhanced Linux provides security for Git daemon via flexible mandatory access control. >+.SH FILE_CONTEXTS >+.PP >+SELinux requires files to have a files type. Files types may be specified system wide by the administrator with the semanage command and are restored with the restorecon command. Users may use the chcon command to change the files type of it's files. Policy governs the access that Git daemon has to files. >+.TP >+Allow Git daemon to read the shared repository by adding the git_daemon_system_content_t files type to the files and directories and by restoring the files types. >+.PP >+.B >+semanage fcontext -a -t git_daemon_system_content_t "/srv/git(/.*)?" >+.TP >+.B >+restorecon -R -v /srv/git >+.TP >+Allow Git daemon to read the user personal repository directories by adding the git_daemon_user_content_t files type to the files and directories and by restoring the files types. This also requires the git_daemon_enable_homedirs boolean is set to true. >+.PP >+.B >+semanage fcontext -a -t git_daemon_user_content_t "/home/*/public_git(/.*)?" >+.TP >+.B >+restorecon -R -v /home/*/public_git >+.TP >+Allow Git daemon to read the user personal configuration file. >+.PP >+.B >+chcon -t git_daemon_user_content_t /home/joe/.gitconfig >+.SH BOOLEANS >+.PP >+SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command. >+.TP >+Allow Git daemon to read user personal repository directories with the git_daemon_user_content_t files type. >+.PP >+.B >+setsebool -P git_daemon_enable_homedirs on >+.TP >+Allow Git daemon to use cifs for public file transfer services. >+.PP >+.B >+setsebool -P git_daemon_use_cifs on >+.TP >+Allow Git daemon to use nfs for public file transfer services. >+.PP >+.B >+setsebool -P git_daemon_use_nfs on >+.SH ROLES >+.PP >+Allow Git daemon SELinux user role to read, write and execute shared repositories. >+.PP >+.B >+semanage user -a -L s0 -r s0-s0 -R git_user_r -P user git_user_u >+.PP >+.B >+semanage login -a -s git_user_u joe >+.TP >+Allow Git daemon SELinux admin role to manage a Git deamon environment. >+.PP >+.B >+semanage user -a -L s0 -r s0-s0 -R "git_admin_r staff_r" -P user git_admin_u >+.PP >+.B >+semanage login -a -s git_admin_u joe >+.TP >+system-config-selinux is a GUI tool available to customize SELinux policy settings. >+.SH AUTHOR >+.PP >+This manual page was written by Dominick Grift <domg472@gmail.com>. >+.SH "SEE ALSO" >+.PP >+selinux(8), git-daemon(8), setsebool(8), semanage(8), restorecon(8), chcon(8) >diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in >index 5e174c7..1f4274a 100644 >--- a/policy/modules/kernel/corenetwork.te.in >+++ b/policy/modules/kernel/corenetwork.te.in >@@ -98,6 +98,7 @@ network_port(ftp_data, tcp,20,s0) > network_port(ftp, tcp,21,s0) > network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) > network_port(giftd, tcp,1213,s0) >+network_port(git_daemon, tcp,9418,s0) > network_port(gopher, tcp,70,s0, udp,70,s0) > network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy > network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port >diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te >index b137680..93cbf3d 100644 >--- a/policy/modules/services/apache.te >+++ b/policy/modules/services/apache.te >@@ -536,6 +536,11 @@ optional_policy(` > avahi_dbus_chat(httpd_t) > ') > ') >+ >+optional_policy(` >+ git_daemon_read_all_git_daemon_content(httpd_t) >+') >+ > optional_policy(` > kerberos_keytab_template(httpd, httpd_t) > ') >diff --git a/policy/modules/services/git_daemon.fc b/policy/modules/services/git_daemon.fc >new file mode 100644 >index 0000000..9e40b44 >--- /dev/null >+++ b/policy/modules/services/git_daemon.fc >@@ -0,0 +1,10 @@ >+ >+/srv/git(/.*)? gen_context(system_u:object_r:git_daemon_system_content_t, s0) >+ >+/usr/bin/git-daemon -- gen_context(system_u:object_r:git_daemon_exec_t, s0) >+ >+/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0) >+ >+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_daemon_user_content_t, s0) >+ >+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_daemon_user_content_t, s0) >diff --git a/policy/modules/services/git_daemon.if b/policy/modules/services/git_daemon.if >new file mode 100644 >index 0000000..e7382d4 >--- /dev/null >+++ b/policy/modules/services/git_daemon.if >@@ -0,0 +1,453 @@ >+## <summary>SELinux policy for Git daemon.</summary> >+## <desc> >+## <p> >+## Applies SELinux security to Git daemon. >+## </p> >+## </desc> >+ >+####################################### >+## <summary> >+## The per role template for the Git daemon module. >+## </summary> >+## <desc> >+## <p> >+## This template creates derived domains which are used >+## for the Git daemon. >+## </p> >+## <p> >+## This template is invoked automatically for each user, and >+## generally does not need to be invoked directly >+## by policy writers. >+## </p> >+## </desc> >+## <param name="userdomain_prefix"> >+## <summary> >+## The prefix of the user domain (e.g., user >+## is the prefix for user_t). >+## </summary> >+## </param> >+## <param name="user_domain"> >+## <summary> >+## The type of the user domain. >+## </summary> >+## </param> >+## <param name="user_role"> >+## <summary> >+## The role associated with the user domain. >+## </summary> >+## </param> >+# >+template(`git_daemon_per_role_template', ` >+ gen_require(` >+ type git_daemon_exec_t, git_daemon_user_content_t; >+ ') >+ >+ ######################################## >+ # >+ # Git daemon public declarations. >+ # >+ type $1_git_daemon_t; >+ application_domain($1_git_daemon_t, git_daemon_exec_t) >+ role $3 types $1_git_daemon_t; >+ >+ ######################################## >+ # >+ # Git daemon public policy. >+ # >+ allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms; >+ allow $1_git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; >+ allow $1_git_daemon_t self:tcp_socket { bind read write accept create setopt listen }; >+ allow $1_git_daemon_t self:udp_socket { create connect write read getattr }; >+ >+ allow $1_git_daemon_t $2:process sigchld; >+ >+ allow $2 $1_git_daemon_t:process { ptrace signal_perms }; >+ >+ list_dirs_pattern($1_git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t) >+ read_files_pattern($1_git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t) >+ userdom_search_user_home_dirs($1, $1_git_daemon_t) >+ >+ manage_dirs_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t) >+ manage_files_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t) >+ exec_files_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t) >+ userdom_user_home_dir_filetrans($1, $1_git_daemon_t, git_daemon_user_content_t, { dir file }) >+ >+ relabel_dirs_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t) >+ relabel_files_pattern($2, git_daemon_user_content_t, git_daemon_user_content_t) >+ >+ domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t) >+ >+ ps_process_pattern($2, $1_git_daemon_t) >+ >+ corecmd_exec_bin($1_git_daemon_t) >+ corecmd_search_bin($1_git_daemon_t) >+ >+ corenet_all_recvfrom_unlabeled($1_git_daemon_t) >+ corenet_all_recvfrom_netlabel($1_git_daemon_t) >+ >+ corenet_tcp_sendrecv_all_if($1_git_daemon_t) >+ corenet_tcp_sendrecv_all_nodes($1_git_daemon_t) >+ >+ corenet_tcp_bind_all_nodes($1_git_daemon_t) >+ >+ corenet_tcp_bind_git_daemon_port($1_git_daemon_t) >+ >+ files_read_etc_files($1_git_daemon_t) >+ >+ files_search_home($1_git_daemon_t) >+ files_search_usr($1_git_daemon_t) >+ >+ kernel_read_system_state($1_git_daemon_t) >+ >+ libs_use_ld_so($1_git_daemon_t) >+ libs_use_shared_libs($1_git_daemon_t) >+ >+ logging_send_syslog_msg($1_git_daemon_t) >+ >+ miscfiles_read_localization($1_git_daemon_t) >+ >+ nscd_read_pid($1_git_daemon_t) >+ >+ sysnet_read_config($1_git_daemon_t) >+ >+ userdom_use_user_terminals($1, $1_git_daemon_t) >+ >+ tunable_policy(`use_nfs_home_dirs', ` >+ fs_list_nfs($1_git_daemon_t) >+ fs_read_nfs_files($1_git_daemon_t) >+ ') >+ >+ tunable_policy(`use_samba_home_dirs', ` >+ fs_list_cifs($1_git_daemon_t) >+ fs_read_cifs_files($1_git_daemon_t) >+ ') >+ >+ optional_policy(` >+ automount_dontaudit_getattr_tmp_dirs($1_git_daemon_t) >+ fs_search_auto_mountpoints($1_git_daemon_t) >+ ') >+ >+ optional_policy(` >+ nis_use_ypbind($1_git_daemon_t) >+ ') >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to read >+## Git daemon system content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_read_git_daemon_system_content', ` >+ gen_require(` >+ type git_daemon_system_content_t; >+ ') >+ >+ list_dirs_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+ read_files_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to manage >+## Git daemon system content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_manage_git_daemon_system_content', ` >+ gen_require(` >+ type git_daemon_system_content_t; >+ ') >+ >+ manage_dirs_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+ manage_files_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to execute >+## Git daemon system content files. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_execute_git_daemon_system_content_files', ` >+ gen_require(` >+ type git_daemon_system_content_t; >+ ') >+ >+ exec_files_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+######################################## >+## <summary> >+## All of the rules required to administrate >+## an Git daemon environment >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <param name="role"> >+## <summary> >+## The role to be allowed to manage the Git daemon domain. >+## </summary> >+## </param> >+## <param name="terminal"> >+## <summary> >+## The type of the user terminal. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_admin',` >+ gen_require(` >+ type git_daemon_t, git_daemon_exec_t, git_daemon_system_content_t, git_daemon_user_content_t; >+ ') >+ >+ allow $1 git_daemon_t:process { ptrace signal_perms getattr }; >+ >+ git_daemon_manage_all_git_daemon_content($1) >+ git_daemon_relabel_all_git_daemon_content($1) >+ >+# TODO >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to read >+## Git daemon user content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_read_git_daemon_user_content', ` >+ gen_require(` >+ type git_daemon_user_content_t; >+ ') >+ >+ list_dirs_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ read_files_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to manage >+## Git daemon user content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_manage_git_daemon_user_content', ` >+ gen_require(` >+ type git_daemon_user_content_t; >+ ') >+ >+ manage_dirs_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ manage_files_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to manage >+## all Git daemon content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_manage_all_git_daemon_content', ` >+ gen_require(` >+ type git_daemon_user_content_t, git_daemon_system_content_t; >+ ') >+ >+ manage_dirs_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ manage_files_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ >+ manage_dirs_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+ manage_files_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to read >+## all Git daemon content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_read_all_git_daemon_content', ` >+ gen_require(` >+ type git_daemon_user_content_t, git_daemon_system_content_t; >+ ') >+ >+ list_dirs_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ read_files_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ >+ list_dirs_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+ read_files_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to relabel >+## all Git daemon content. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_relabel_all_git_daemon_content', ` >+ gen_require(` >+ type git_daemon_user_content_t, git_daemon_system_content_t; >+ ') >+ >+ relabel_dirs_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ relabel_files_pattern($1, git_daemon_user_content_t, git_daemon_user_content_t) >+ >+ relabel_dirs_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+ relabel_files_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+######################################## >+## <summary> >+## Allow the specified domain to list >+## Git daemon system content directories. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`git_daemon_list_git_daemon_system_content_dirs', ` >+ gen_require(` >+ type git_daemon_system_content_t; >+ ') >+ >+ list_dirs_pattern($1, git_daemon_system_content_t, git_daemon_system_content_t) >+') >+ >+####################################### >+## <summary> >+## The template for creating a Git user domain. >+## </summary> >+## <desc> >+## <p> >+## This template creates a user domain, types, and >+## rules for the user's pty. >+## </p> >+## </desc> >+## <param name="userdomain_prefix"> >+## <summary> >+## The prefix of the user domain (e.g., user >+## is the prefix for user_t). >+## </summary> >+## </param> >+# >+template(`git_daemon_git_user_template',` >+ gen_require(` >+ attribute unpriv_userdomain, user_ptynode, userdomain; >+ class context contains; >+ ') >+ ############################## >+ # >+ # Git user public declarations >+ # >+ attribute $1_file_type; >+ attribute $1_usertype; >+ >+ type $1_t, userdomain, $1_usertype; >+ domain_type($1_t) >+ >+ corecmd_shell_entry_type($1_t) >+ corecmd_bin_entry_type($1_t) >+ domain_user_exemption_target($1_t) >+ >+ role $1_r types $1_t; >+ allow system_r $1_r; >+ >+ type $1_devpts_t; >+ term_user_pty($1_t, $1_devpts_t) >+ files_type($1_devpts_t) >+ >+ typeattribute $1_t unpriv_userdomain; >+ domain_interactive_fd($1_t) >+ >+ typeattribute $1_devpts_t user_ptynode; >+ >+ ############################## >+ # >+ # Git user public policy >+ # >+ allow $1_usertype self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; >+ allow $1_usertype self:context contains; # test me. >+ >+ allow $1_usertype $1_t:key { create view read write search link setattr }; # test me. >+ >+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; >+ allow $1_usertype $1_usertype:fd use; # test me. >+ >+ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; >+ >+ term_create_pty($1_usertype, $1_devpts_t) >+ >+ corecmd_exec_bin($1_usertype) >+ >+ kernel_read_system_state($1_usertype) >+ >+ files_read_etc_files($1_usertype) >+ >+ files_search_home($1_usertype) >+ >+ libs_use_ld_so($1_usertype) >+ libs_use_shared_libs($1_usertype) >+ >+ miscfiles_read_localization($1_usertype) >+ >+ nscd_read_pid($1_usertype) >+ >+ optional_policy(` >+ git_daemon_manage_git_daemon_system_content($1_usertype) >+ git_daemon_execute_git_daemon_system_content_files($1_usertype) >+ ') >+ >+ optional_policy(` >+ ssh_rw_stream_sockets($1_usertype) >+ ') >+') >diff --git a/policy/modules/services/git_daemon.te b/policy/modules/services/git_daemon.te >new file mode 100644 >index 0000000..ca2822e >--- /dev/null >+++ b/policy/modules/services/git_daemon.te >@@ -0,0 +1,110 @@ >+ >+policy_module(git_daemon, 0.0.1) >+ >+######################################## >+# >+# Git daemon private declarations. >+# >+type git_daemon_t; >+type git_daemon_exec_t; >+inetd_service_domain(git_daemon_t, git_daemon_exec_t) >+role system_r types git_daemon_t; >+ >+application_executable_file(git_daemon_exec_t) >+ >+type git_daemon_system_content_t; >+files_type(git_daemon_system_content_t) >+ >+type git_daemon_user_content_t; >+files_poly_member(git_daemon_user_content_t) >+userdom_user_home_content(user, git_daemon_user_content_t) >+ >+## <desc> >+## <p> >+## Allow Git daemon to read home directories >+## </p> >+## </desc> >+gen_tunable(git_daemon_enable_homedirs, false) >+ >+## <desc> >+## <p> >+## Allow Git daemon to access nfs file systems >+## </p> >+## </desc> >+gen_tunable(git_daemon_use_nfs, false) >+ >+## <desc> >+## <p> >+## Allow Git daemon to access cifs file systems >+## </p> >+## </desc> >+gen_tunable(git_daemon_use_cifs, false) >+ >+ >+######################################## >+# >+# Git daemon private policy. >+# >+allow git_daemon_t self:fifo_file rw_fifo_file_perms; >+allow git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; >+allow git_daemon_t self:udp_socket { write read create connect getattr }; >+allow git_daemon_t self:unix_dgram_socket { write create connect }; >+ >+list_dirs_pattern(git_daemon_t, git_daemon_system_content_t, git_daemon_system_content_t) >+read_files_pattern(git_daemon_t, git_daemon_system_content_t, git_daemon_system_content_t) >+ >+corecmd_exec_bin(git_daemon_t) >+corecmd_search_bin(git_daemon_t) >+ >+corenet_all_recvfrom_unlabeled(git_daemon_t) >+corenet_all_recvfrom_netlabel(git_daemon_t) >+ >+files_read_etc_files(git_daemon_t) >+ >+files_search_usr(git_daemon_t) >+ >+kernel_read_system_state(git_daemon_t) >+ >+libs_use_ld_so(git_daemon_t) >+libs_use_shared_libs(git_daemon_t) >+ >+logging_send_syslog_msg(git_daemon_t) >+ >+miscfiles_read_localization(git_daemon_t) >+ >+nscd_read_pid(git_daemon_t) >+ >+sysnet_read_config(git_daemon_t) >+ >+optional_policy(` >+ apache_content_template(gitweb) >+ apache_search_sys_content(httpd_gitweb_script_t) >+ files_getattr_tmp_dirs(httpd_gitweb_script_t) >+ git_daemon_read_git_daemon_system_content(httpd_gitweb_script_t) >+') >+ >+tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', ` >+ fs_list_nfs(git_daemon_t) >+ fs_read_nfs_files(git_daemon_t) >+') >+ >+tunable_policy(`git_daemon_use_nfs', ` >+ fs_list_nfs(git_daemon_t) >+ fs_read_nfs_files(git_daemon_t) >+') >+ >+tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', ` >+ fs_list_cifs(git_daemon_t) >+ fs_read_cifs_files(git_daemon_t) >+') >+ >+tunable_policy(`git_daemon_use_cifs', ` >+ fs_list_cifs(git_daemon_t) >+ fs_read_cifs_files(git_daemon_t) >+') >+ >+tunable_policy(`git_daemon_enable_homedirs', ` >+ list_dirs_pattern(git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t) >+ read_files_pattern(git_daemon_t, git_daemon_user_content_t, git_daemon_user_content_t) >+ userdom_search_user_home_dirs(user, git_daemon_t) >+') >diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if >index 64da5d6..f756e7d 100644 >--- a/policy/modules/system/userdomain.if >+++ b/policy/modules/system/userdomain.if >@@ -1214,6 +1214,12 @@ template(`userdom_unpriv_user_template', ` > games_rw_data($1_usertype) > ') > >+ ifdef(`distro_redhat', ` >+ optional_policy(` >+ git_daemon_per_role_template($1, $1_t, $1_r) >+ ') >+ ') >+ > optional_policy(` > mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) > ') >@@ -6612,4 +6618,3 @@ interface(`userdom_relabel_all_home_files',` > files_search_home($1) > relabel_files_pattern($1, user_home_type, user_home_type) > ') >-
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=313344">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 457223
:
312988
|
312989
|
312990
|
313027
|
313028
|
313029
|
313030
|
313031
|
313032
|
313033
|
313034
|
313035
|
313195
| 313344