## GIT revision control system.
########################################
##
## Role access for Git session.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
template(`git_session_role',`
gen_require(`
type git_session_t, gitd_exec_t;
')
########################################
#
# Declarations
#
role $1 types git_session_t;
########################################
#
# Policy
#
allow $2 git_session_t:process signal_perms;
ps_process_pattern($2, git_session_t)
tunable_policy(`deny_ptrace',`',`
allow $2 git_session_t:process ptrace;
')
tunable_policy(`git_session_users',`
domtrans_pattern($2, gitd_exec_t, git_session_t)
',`
can_exec($2, gitd_exec_t)
')
')
########################################
##
## Create a set of derived types for Git
## daemon shared repository content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
template(`git_content_template',`
gen_require(`
attribute git_system_content, git_content;
')
########################################
#
# Git daemon content shared declarations.
#
type git_$1_content_t, git_system_content, git_content;
files_type(git_$1_content_t)
')
########################################
##
## Create a set of derived types for Git
## daemon shared repository roles.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
template(`git_role_template',`
gen_require(`
class context contains;
role system_r;
')
########################################
#
# Git daemon role shared declarations.
#
attribute $1_usertype;
type $1_t;
userdom_unpriv_usertype($1, $1_t)
domain_type($1_t)
role $1_r types $1_t;
allow system_r $1_r;
########################################
#
# Git daemon role shared policy.
#
allow $1_t self:context contains;
allow $1_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin($1_t)
corecmd_bin_entry_type($1_t)
corecmd_shell_entry_type($1_t)
domain_interactive_fd($1_t)
domain_user_exemption_target($1_t)
kernel_read_system_state($1_t)
files_read_etc_files($1_t)
files_dontaudit_search_home($1_t)
git_rwx_generic_system_content($1_t)
ssh_rw_stream_sockets($1_t)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1_t)
fs_manage_cifs_dirs($1_t)
fs_manage_cifs_files($1_t)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1_t)
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
')
optional_policy(`
nscd_read_pid($1_t)
')
')
#######################################
##
## Allow specified domain access to the
## specified Git daemon content.
##
##
##
## Domain allowed access.
##
##
##
##
## Type of the object that access is allowed to.
##
##
#
interface(`git_content_delegation',`
gen_require(`
type $1, $2;
')
exec_files_pattern($1, $2, $2)
manage_dirs_pattern($1, $2, $2)
manage_files_pattern($1, $2, $2)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to manage
## and execute all Git daemon content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_rwx_all_content',`
gen_require(`
attribute git_content;
')
exec_files_pattern($1, git_content, git_content)
manage_dirs_pattern($1, git_content, git_content)
manage_files_pattern($1, git_content, git_content)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to manage
## and execute all Git daemon system content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_rwx_all_system_content',`
gen_require(`
attribute git_system_content;
')
exec_files_pattern($1, git_system_content, git_system_content)
manage_dirs_pattern($1, git_system_content, git_system_content)
manage_files_pattern($1, git_system_content, git_system_content)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to manage
## and execute Git daemon generic system content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_rwx_generic_system_content',`
gen_require(`
type git_sys_content_t;
')
exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to read
## all Git daemon content files.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_read_all_content_files',`
gen_require(`
attribute git_content;
')
list_dirs_pattern($1, git_content, git_content)
read_files_pattern($1, git_content, git_content)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to read
## Git daemon session content files.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_read_session_content_files',`
gen_require(`
type git_user_content_t;
')
list_dirs_pattern($1, git_user_content_t, git_user_content_t)
read_files_pattern($1, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs($1)
')
#######################################
##
## Dontaudit the specified domain to read
## Git daemon session content files.
##
##
##
## Domain to not audit.
##
##
#
interface(`git_dontaudit_read_session_content_files',`
gen_require(`
type git_user_content_t;
')
dontaudit $1 git_user_content_t:file read_file_perms;
')
########################################
##
## Allow the specified domain to read
## all Git daemon system content files.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_read_all_system_content_files',`
gen_require(`
attribute git_system_content;
')
list_dirs_pattern($1, git_system_content, git_system_content)
read_files_pattern($1, git_system_content, git_system_content)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to read
## Git daemon generic system content files.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_read_generic_system_content_files',`
gen_require(`
type git_sys_content_t;
')
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
########################################
##
## Allow the specified domain to relabel
## all Git daemon content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_relabel_all_content',`
gen_require(`
attribute git_content;
')
relabel_dirs_pattern($1, git_content, git_content)
relabel_files_pattern($1, git_content, git_content)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
')
########################################
##
## Allow the specified domain to relabel
## all Git daemon system content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_relabel_all_system_content',`
gen_require(`
attribute git_system_content;
')
relabel_dirs_pattern($1, git_system_content, git_system_content)
relabel_files_pattern($1, git_system_content, git_system_content)
files_search_var_lib($1)
')
########################################
##
## Allow the specified domain to relabel
## Git daemon generic system content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_relabel_generic_system_content',`
gen_require(`
type git_sys_content_t;
')
relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
relabel_files_pattern($1, git_sys_content_t, git_sys_content_t)
files_search_var_lib($1)
')
########################################
##
## Allow the specified domain to relabel
## Git daemon session content.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_relabel_session_content',`
gen_require(`
type git_user_content_t;
')
relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
relabel_files_pattern($1, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs($1)
')
########################################
##
## Create Git user content with a
## named file transition.
##
##
##
## Domain allowed access.
##
##
#
interface(`git_filetrans_user_content',`
gen_require(`
type git_user_content_t;
')
userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
')