commit: 515972fb2ea44f2c331f09bd61991e46976f1064 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 2 10:48:22 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:08:05 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=515972fb |
|
Changes to the gitosis policy module |
|
Ported from Fedora with changes |
Use role attributes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/gitosis.fc | 10 ++++------ |
policy/modules/contrib/gitosis.if | 17 +++++++++-------- |
policy/modules/contrib/gitosis.te | 30 +++++++++++++++++++++++++++--- |
3 files changed, 40 insertions(+), 17 deletions(-) |
|
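diff --git a/policy/modules/contrib/gitosis.fc b/policy/modules/contrib/gitosis.fc
index 93f5a72..a0d5662 100644
--- a/policy/modules/contrib/gitosis.fc
+++ b/policy/modules/contrib/gitosis.fc
@@ -1,9 +1,7 @@
-ifdef(`distro_debian',`
-/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-')
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
 
-/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
-/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
 
-/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
 /var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)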
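diff --git a/policy/modules/contrib/gitosis.if b/policy/modules/contrib/gitosis.if
index e898b91..f8ca38c 100644
--- a/policy/modules/contrib/gitosis.if
+++ b/policy/modules/contrib/gitosis.if
@@ -15,17 +15,19 @@ interface(`gitosis_domtrans',`
 type gitosis_t, gitosis_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, gitosis_exec_t, gitosis_t)
 ')
 
 #######################################
 ## <summary>
-## Execute gitosis-serve in the gitosis domain, and
-## allow the specified role the gitosis domain.
+## Execute gitosis-serve in the
+## gitosis domain, and allow the
+## specified role the gitosis domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-## Domain allowed access
+## Domain allowed to transition.
 ## </summary>
 ## </param>
 ## <param name="role">
@@ -36,17 +38,16 @@ interface(`gitosis_domtrans',`
 #
 interface(`gitosis_run',`
 gen_require(`
- type gitosis_t;
+ attribute_role gitosis_roles;
 ')
 
 gitosis_domtrans($1)
- role $2 types gitosis_t;
+ roleattribute $2 gitosis_roles;
 ')
 
 #######################################
 ## <summary>
-## Allow the specified domain to read
-## gitosis lib files.
+## Read gitosis lib files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -67,7 +68,7 @@ interface(`gitosis_read_lib_files',`
 
 ######################################
 ## <summary>
-## Allow the specified domain to manage
+## Create, read, write, and delete
 ## gitosis lib files.
 ## </summary>
 ## <param name="domain">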
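Review bot: In the gitosis_run hunk, `roleattribute $2 gitosis_roles;` replaces `role $2 types gitosis_t;`, so the caller's role is no longer bound to the single type gitosis_t but to every type that is or later becomes associated with the gitosis_roles attribute; that widening is invisible to callers unless the interface documents it. The `<param name="role">` summary for gitosis_run sits outside this hunk and, as far as can be seen here, still describes the old behaviour; I would change it to `## Role allowed access; it is added to the gitosis_roles attribute.`. The accompanying gen_require change to `attribute_role gitosis_roles;` matches the attribute declared in gitosis.te in the same commit. gitosis_run's documentation block starts before this hunk.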
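diff --git a/policy/modules/contrib/gitosis.te b/policy/modules/contrib/gitosis.te
index 5c99236..3194b76 100644
--- a/policy/modules/contrib/gitosis.te
+++ b/policy/modules/contrib/gitosis.te
@@ -1,21 +1,31 @@
-policy_module(gitosis, 1.3.1)
+policy_module(gitosis, 1.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Determine whether Gitosis can send mail.
+## </p>
+## </desc>
+gen_tunable(gitosis_can_sendmail, false)
+
+attribute_role gitosis_roles;
+roleattribute system_r gitosis_roles;
+
 type gitosis_t;
 type gitosis_exec_t;
 application_domain(gitosis_t, gitosis_exec_t)
-role system_r types gitosis_t;
+role gitosis_roles types gitosis_t;
 
 type gitosis_var_lib_t;
 files_type(gitosis_var_lib_t)
 
 ########################################
 #
-# gitosis local policy
+# Local policy
 #
 
 allow gitosis_t self:fifo_file rw_fifo_file_perms;
@@ -27,6 +37,16 @@ manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
 
 kernel_read_system_state(gitosis_t)
 
+corenet_all_recvfrom_unlabeled(gitosis_t)
+corenet_all_recvfrom_netlabel(gitosis_t)
+corenet_tcp_sendrecv_generic_if(gitosis_t)
+corenet_tcp_sendrecv_generic_node(gitosis_t)
+corenet_tcp_bind_generic_node(gitosis_t)
+
+corenet_sendrecv_ssh_server_packets(gitosis_t)
+corenet_tcp_bind_ssh_port(gitosis_t)
+corenet_tcp_sendrecv_ssh_port(gitosis_t)
+
 corecmd_exec_bin(gitosis_t)
 corecmd_exec_shell(gitosis_t)
 
@@ -39,3 +59,7 @@ files_search_var_lib(gitosis_t)
 miscfiles_read_localization(gitosis_t)
 
 sysnet_read_config(gitosis_t)
+
+tunable_policy(`gitosis_can_sendmail',`
+ mta_send_mail(gitosis_t)
+')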
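Review bot: The second hunk grants gitosis_t `corenet_tcp_bind_generic_node(gitosis_t)` and `corenet_tcp_bind_ssh_port(gitosis_t)`, i.e. the ability to listen on the SSH port, but nothing in the commit says which operation of the two labelled executables (gitosis-serve and gl-auth-command, per gitosis.fc) needs a listening socket; as far as I know both are normally started by the SSH daemon as forced commands, for which the sendrecv rules on the same port would suffice. If the bind rules were carried over from the Fedora module rather than taken from observed denials, I would drop them, or otherwise keep them with a comment naming the motivating denial, e.g. `# bind ssh port: required by <OPERATION — fill in from audit log>`. The sendmail access is correctly gated by the new gitosis_can_sendmail tunable, which defaults to false, so that part is fine. The role attribute declarations in the first hunk are consistent with the gitosis_run change in gitosis.if.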