- Fix git
parent
3b54668c40
commit
fd56540d50
288
policy-F13.patch
288
policy-F13.patch
@ -5867,7 +5867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.7/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-11 09:40:36.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/kernel/corenetwork.te.in 2010-01-11 14:18:47.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/kernel/corenetwork.te.in 2010-01-15 09:09:38.000000000 -0500
|
||||
@@ -65,6 +65,7 @@
|
||||
type server_packet_t, packet_type, server_packet_type;
|
||||
|
||||
@ -5891,8 +5891,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(dccm, tcp,5679,s0, udp,5679,s0)
|
||||
-network_port(dhcpc, udp,68,s0)
|
||||
-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
|
||||
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0)
|
||||
+network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
|
||||
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
|
||||
+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
|
||||
network_port(dict, tcp,2628,s0)
|
||||
network_port(distccd, tcp,3632,s0)
|
||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||
@ -11572,7 +11572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.7/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/apache.te 2010-01-11 09:53:58.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/apache.te 2010-01-15 14:47:16.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -11764,7 +11764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
||||
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
||||
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
||||
+files_var_filetrans(httpd_t, httpd_cache_t, dir)
|
||||
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
|
||||
|
||||
# Allow the httpd_t to read the web servers config files
|
||||
allow httpd_t httpd_config_t:dir list_dir_perms;
|
||||
@ -16488,26 +16488,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.7/policy/modules/services/git.fc
|
||||
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/git.fc 2010-01-14 15:37:45.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/git.fc 2010-01-15 16:56:35.000000000 -0500
|
||||
@@ -1,3 +1,12 @@
|
||||
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
|
||||
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
|
||||
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
||||
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:gitd_session_content_t, s0)
|
||||
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:gitd_session_content_t, s0)
|
||||
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
|
||||
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
|
||||
+
|
||||
+/srv/git(/.*)? gen_context(system_u:object_r:gitd_system_content_t, s0)
|
||||
+/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
|
||||
+
|
||||
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
|
||||
+
|
||||
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
|
||||
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
||||
+
|
||||
+/var/lib/git(/.*)? gen_context(system_u:object_r:gitd_system_content_t, s0)
|
||||
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.7/policy/modules/services/git.if
|
||||
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/git.if 2010-01-14 16:07:07.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/git.if 2010-01-15 16:56:37.000000000 -0500
|
||||
@@ -1 +1,535 @@
|
||||
-## <summary>GIT revision control system</summary>
|
||||
+## <summary>Git - Fast Version Control System.</summary>
|
||||
@ -16537,7 +16537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_session_role',`
|
||||
+ gen_require(`
|
||||
+ type gitd_session_t, gitd_exec_t;
|
||||
+ type git_session_t, gitd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ ########################################
|
||||
@ -16545,17 +16545,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+ # Git daemon session shared declarations.
|
||||
+ #
|
||||
+
|
||||
+ role $1 types gitd_session_t;
|
||||
+ role $1 types git_session_t;
|
||||
+
|
||||
+ ########################################
|
||||
+ #
|
||||
+ # Git daemon session shared policy.
|
||||
+ #
|
||||
+
|
||||
+ domtrans_pattern($2, gitd_exec_t, gitd_session_t)
|
||||
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
|
||||
+
|
||||
+ allow $2 gitd_session_t:process { ptrace signal_perms };
|
||||
+ ps_process_pattern($2, gitd_session_t)
|
||||
+ allow $2 git_session_t:process { ptrace signal_perms };
|
||||
+ ps_process_pattern($2, git_session_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -16572,8 +16572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+template(`git_content_template',`
|
||||
+
|
||||
+ gen_require(`
|
||||
+ attribute gitd_system_content;
|
||||
+ attribute gitd_content;
|
||||
+ attribute git_system_content;
|
||||
+ attribute git_content;
|
||||
+ ')
|
||||
+
|
||||
+ ########################################
|
||||
@ -16581,8 +16581,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+ # Git daemon content shared declarations.
|
||||
+ #
|
||||
+
|
||||
+ type gitd_$1_content_t, gitd_system_content, gitd_content;
|
||||
+ files_type(gitd_$1_content_t)
|
||||
+ type git_$1_content_t, git_system_content, git_content;
|
||||
+ files_type(git_$1_content_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -16643,13 +16643,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+
|
||||
+ ssh_rw_stream_sockets($1_t)
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_exec_cifs_files($1_t)
|
||||
+ fs_manage_cifs_dirs($1_t)
|
||||
+ fs_manage_cifs_files($1_t)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_exec_nfs_files($1_t)
|
||||
+ fs_manage_nfs_dirs($1_t)
|
||||
+ fs_manage_nfs_files($1_t)
|
||||
@ -16686,13 +16686,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+ manage_files_pattern($1, $2, $2)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_exec_cifs_files($1)
|
||||
+ fs_manage_cifs_dirs($1)
|
||||
+ fs_manage_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_exec_nfs_files($1)
|
||||
+ fs_manage_nfs_dirs($1)
|
||||
+ fs_manage_nfs_files($1)
|
||||
@ -16713,12 +16713,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_rwx_all_content',`
|
||||
+ gen_require(`
|
||||
+ attribute gitd_content;
|
||||
+ attribute git_content;
|
||||
+ ')
|
||||
+
|
||||
+ exec_files_pattern($1, gitd_content, gitd_content)
|
||||
+ manage_dirs_pattern($1, gitd_content, gitd_content)
|
||||
+ manage_files_pattern($1, gitd_content, gitd_content)
|
||||
+ exec_files_pattern($1, git_content, git_content)
|
||||
+ manage_dirs_pattern($1, git_content, git_content)
|
||||
+ manage_files_pattern($1, git_content, git_content)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
@ -16734,13 +16734,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+ fs_manage_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_exec_cifs_files($1)
|
||||
+ fs_manage_cifs_dirs($1)
|
||||
+ fs_manage_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_exec_nfs_files($1)
|
||||
+ fs_manage_nfs_dirs($1)
|
||||
+ fs_manage_nfs_files($1)
|
||||
@ -16761,21 +16761,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_rwx_all_system_content',`
|
||||
+ gen_require(`
|
||||
+ attribute gitd_system_content;
|
||||
+ attribute git_system_content;
|
||||
+ ')
|
||||
+
|
||||
+ exec_files_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ manage_dirs_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ manage_files_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ exec_files_pattern($1, git_system_content, git_system_content)
|
||||
+ manage_dirs_pattern($1, git_system_content, git_system_content)
|
||||
+ manage_files_pattern($1, git_system_content, git_system_content)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_exec_cifs_files($1)
|
||||
+ fs_manage_cifs_dirs($1)
|
||||
+ fs_manage_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_exec_nfs_files($1)
|
||||
+ fs_manage_nfs_dirs($1)
|
||||
+ fs_manage_nfs_files($1)
|
||||
@ -16796,21 +16796,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_rwx_generic_system_content',`
|
||||
+ gen_require(`
|
||||
+ type gitd_system_content_t;
|
||||
+ type git_system_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ exec_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ manage_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ manage_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ exec_files_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ manage_files_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_exec_cifs_files($1)
|
||||
+ fs_manage_cifs_dirs($1)
|
||||
+ fs_manage_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_exec_nfs_files($1)
|
||||
+ fs_manage_nfs_dirs($1)
|
||||
+ fs_manage_nfs_files($1)
|
||||
@ -16831,11 +16831,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_read_all_content_files',`
|
||||
+ gen_require(`
|
||||
+ attribute gitd_content;
|
||||
+ attribute git_content;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, gitd_content, gitd_content)
|
||||
+ read_files_pattern($1, gitd_content, gitd_content)
|
||||
+ list_dirs_pattern($1, git_content, git_content)
|
||||
+ read_files_pattern($1, git_content, git_content)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
@ -16849,12 +16849,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+ fs_read_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_list_cifs($1)
|
||||
+ fs_read_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_list_nfs($1)
|
||||
+ fs_read_nfs_files($1)
|
||||
+ ')
|
||||
@ -16874,11 +16874,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_read_session_content_files',`
|
||||
+ gen_require(`
|
||||
+ type gitd_session_content_t;
|
||||
+ type git_session_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t)
|
||||
+ read_files_pattern($1, gitd_session_content_t, gitd_session_content_t)
|
||||
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
|
||||
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+
|
||||
+ tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -16906,19 +16906,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_read_all_system_content_files',`
|
||||
+ gen_require(`
|
||||
+ attribute gitd_system_content;
|
||||
+ attribute git_system_content;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ read_files_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ list_dirs_pattern($1, git_system_content, git_system_content)
|
||||
+ read_files_pattern($1, git_system_content, git_system_content)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_list_cifs($1)
|
||||
+ fs_read_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_list_nfs($1)
|
||||
+ fs_read_nfs_files($1)
|
||||
+ ')
|
||||
@ -16938,19 +16938,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_read_generic_system_content_files',`
|
||||
+ gen_require(`
|
||||
+ type gitd_system_content_t;
|
||||
+ type git_system_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ read_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ list_dirs_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ read_files_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ files_search_var($1)
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_cifs',`
|
||||
+ tunable_policy(`git_system_use_cifs',`
|
||||
+ fs_list_cifs($1)
|
||||
+ fs_read_cifs_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`gitd_system_use_nfs',`
|
||||
+ tunable_policy(`git_system_use_nfs',`
|
||||
+ fs_list_nfs($1)
|
||||
+ fs_read_nfs_files($1)
|
||||
+ ')
|
||||
@ -16970,11 +16970,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_relabel_all_content',`
|
||||
+ gen_require(`
|
||||
+ attribute gitd_content;
|
||||
+ attribute git_content;
|
||||
+ ')
|
||||
+
|
||||
+ relabel_dirs_pattern($1, gitd_content, gitd_content)
|
||||
+ relabel_files_pattern($1, gitd_content, gitd_content)
|
||||
+ relabel_dirs_pattern($1, git_content, git_content)
|
||||
+ relabel_files_pattern($1, git_content, git_content)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ files_search_var($1)
|
||||
+')
|
||||
@ -16993,11 +16993,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_relabel_all_system_content',`
|
||||
+ gen_require(`
|
||||
+ attribute gitd_system_content;
|
||||
+ attribute git_system_content;
|
||||
+ ')
|
||||
+
|
||||
+ relabel_dirs_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ relabel_files_pattern($1, gitd_system_content, gitd_system_content)
|
||||
+ relabel_dirs_pattern($1, git_system_content, git_system_content)
|
||||
+ relabel_files_pattern($1, git_system_content, git_system_content)
|
||||
+ files_search_var($1)
|
||||
+')
|
||||
+
|
||||
@ -17015,11 +17015,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_relabel_generic_system_content',`
|
||||
+ gen_require(`
|
||||
+ type gitd_system_content_t;
|
||||
+ type git_system_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ relabel_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ relabel_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
|
||||
+ relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ relabel_files_pattern($1, git_system_content_t, git_system_content_t)
|
||||
+ files_search_var($1)
|
||||
+')
|
||||
+
|
||||
@ -17037,51 +17037,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+#
|
||||
+interface(`git_relabel_session_content',`
|
||||
+ gen_require(`
|
||||
+ type gitd_session_content_t;
|
||||
+ type git_session_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ relabel_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t)
|
||||
+ relabel_files_pattern($1, gitd_session_content_t, gitd_session_content_t)
|
||||
+ relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
|
||||
+ relabel_files_pattern($1, git_session_content_t, git_session_content_t)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.7/policy/modules/services/git.te
|
||||
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/git.te 2010-01-14 16:12:14.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/git.te 2010-01-15 17:11:34.000000000 -0500
|
||||
@@ -1,9 +1,181 @@
|
||||
|
||||
-policy_module(git, 1.0)
|
||||
+policy_module(gitd, 1.0.3)
|
||||
+policy_module(git, 1.0.3)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow Git daemon system to search home directories.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(gitd_system_enable_homedirs, false)
|
||||
+gen_tunable(git_system_enable_homedirs, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow Git daemon system to access cifs file systems.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(gitd_system_use_cifs, false)
|
||||
+gen_tunable(git_system_use_cifs, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow Git daemon system to access nfs file systems.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(gitd_system_use_nfs, false)
|
||||
+gen_tunable(git_system_use_nfs, false)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Git daemon global private declarations.
|
||||
+#
|
||||
+
|
||||
+attribute gitd_domains;
|
||||
+attribute gitd_system_content;
|
||||
+attribute gitd_content;
|
||||
+attribute git_domains;
|
||||
+attribute git_system_content;
|
||||
+attribute git_content;
|
||||
+
|
||||
+type gitd_exec_t;
|
||||
+
|
||||
@ -17090,13 +17090,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+# Git daemon system private declarations.
|
||||
+#
|
||||
+
|
||||
+type gitd_system_t, gitd_domains;
|
||||
+inetd_service_domain(gitd_system_t, gitd_exec_t)
|
||||
+role system_r types gitd_system_t;
|
||||
+type git_system_t, git_domains;
|
||||
+inetd_service_domain(git_system_t, gitd_exec_t)
|
||||
+role system_r types git_system_t;
|
||||
+
|
||||
+type gitd_system_content_t, gitd_system_content, gitd_content;
|
||||
+files_type(gitd_system_content_t)
|
||||
+typealias gitd_system_content_t alias git_data_t;
|
||||
+type git_system_content_t, git_system_content, git_content;
|
||||
+files_type(git_system_content_t)
|
||||
+typealias git_system_content_t alias git_data_t;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -17109,84 +17109,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+## tcp sockets to all unreserved ports.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(gitd_session_bind_all_unreserved_ports, false)
|
||||
+gen_tunable(git_session_bind_all_unreserved_ports, false)
|
||||
+
|
||||
+type gitd_session_t, gitd_domains;
|
||||
+application_domain(gitd_session_t, gitd_exec_t)
|
||||
+ubac_constrained(gitd_session_t)
|
||||
+type git_session_t, git_domains;
|
||||
+application_domain(git_session_t, gitd_exec_t)
|
||||
+ubac_constrained(git_session_t)
|
||||
+
|
||||
+type gitd_session_content_t, gitd_content;
|
||||
+userdom_user_home_content(gitd_session_content_t)
|
||||
+type git_session_content_t, git_content;
|
||||
+userdom_user_home_content(git_session_content_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Git daemon global private policy.
|
||||
+#
|
||||
+
|
||||
+allow gitd_domains self:fifo_file rw_fifo_file_perms;
|
||||
+allow gitd_domains self:netlink_route_socket create_netlink_socket_perms;
|
||||
+allow gitd_domains self:tcp_socket { create_socket_perms listen };
|
||||
+allow gitd_domains self:udp_socket create_socket_perms;
|
||||
+allow gitd_domains self:unix_dgram_socket create_socket_perms;
|
||||
+allow git_domains self:fifo_file rw_fifo_file_perms;
|
||||
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
|
||||
+allow git_domains self:tcp_socket { create_socket_perms listen };
|
||||
+allow git_domains self:udp_socket create_socket_perms;
|
||||
+allow git_domains self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+corenet_all_recvfrom_netlabel(gitd_domains)
|
||||
+corenet_all_recvfrom_unlabeled(gitd_domains)
|
||||
+corenet_all_recvfrom_netlabel(git_domains)
|
||||
+corenet_all_recvfrom_unlabeled(git_domains)
|
||||
+
|
||||
+corenet_tcp_bind_generic_node(gitd_domains)
|
||||
+corenet_tcp_bind_generic_node(git_domains)
|
||||
+
|
||||
+corenet_tcp_sendrecv_generic_if(gitd_domains)
|
||||
+corenet_tcp_sendrecv_generic_node(gitd_domains)
|
||||
+corenet_tcp_sendrecv_generic_port(gitd_domains)
|
||||
+corenet_tcp_sendrecv_generic_if(git_domains)
|
||||
+corenet_tcp_sendrecv_generic_node(git_domains)
|
||||
+corenet_tcp_sendrecv_generic_port(git_domains)
|
||||
+
|
||||
+corenet_tcp_bind_git_port(gitd_domains)
|
||||
+corenet_sendrecv_git_server_packets(gitd_domains)
|
||||
+corenet_tcp_bind_git_port(git_domains)
|
||||
+corenet_sendrecv_git_server_packets(git_domains)
|
||||
+
|
||||
+corecmd_exec_bin(gitd_domains)
|
||||
+corecmd_exec_bin(git_domains)
|
||||
+
|
||||
+files_read_etc_files(gitd_domains)
|
||||
+files_read_usr_files(gitd_domains)
|
||||
+files_read_etc_files(git_domains)
|
||||
+files_read_usr_files(git_domains)
|
||||
+
|
||||
+fs_search_auto_mountpoints(gitd_domains)
|
||||
+fs_search_auto_mountpoints(git_domains)
|
||||
+
|
||||
+kernel_read_system_state(gitd_domains)
|
||||
+kernel_read_system_state(git_domains)
|
||||
+
|
||||
+auth_use_nsswitch(gitd_domains)
|
||||
+auth_use_nsswitch(git_domains)
|
||||
+
|
||||
+logging_send_syslog_msg(gitd_domains)
|
||||
+logging_send_syslog_msg(git_domains)
|
||||
+
|
||||
+miscfiles_read_localization(gitd_domains)
|
||||
+miscfiles_read_localization(git_domains)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Git daemon system repository private policy.
|
||||
+#
|
||||
+
|
||||
+list_dirs_pattern(gitd_system_t, gitd_content, gitd_content)
|
||||
+read_files_pattern(gitd_system_t, gitd_content, gitd_content)
|
||||
+files_search_var(gitd_system_t)
|
||||
+list_dirs_pattern(git_system_t, git_content, git_content)
|
||||
+read_files_pattern(git_system_t, git_content, git_content)
|
||||
+files_search_var(git_system_t)
|
||||
+
|
||||
+tunable_policy(`gitd_system_enable_homedirs', `
|
||||
+ userdom_search_user_home_dirs(gitd_system_t)
|
||||
+tunable_policy(`git_system_enable_homedirs', `
|
||||
+ userdom_search_user_home_dirs(git_system_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`gitd_system_enable_homedirs && use_nfs_home_dirs', `
|
||||
+ fs_list_nfs(gitd_system_t)
|
||||
+ fs_read_nfs_files(gitd_system_t)
|
||||
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
|
||||
+ fs_list_nfs(git_system_t)
|
||||
+ fs_read_nfs_files(git_system_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`gitd_system_enable_homedirs && use_samba_home_dirs', `
|
||||
+ fs_list_cifs(gitd_system_t)
|
||||
+ fs_read_cifs_files(gitd_system_t)
|
||||
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
|
||||
+ fs_list_cifs(git_system_t)
|
||||
+ fs_read_cifs_files(git_system_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`gitd_system_use_cifs', `
|
||||
+ fs_list_cifs(gitd_system_t)
|
||||
+ fs_read_cifs_files(gitd_system_t)
|
||||
+tunable_policy(`git_system_use_cifs', `
|
||||
+ fs_list_cifs(git_system_t)
|
||||
+ fs_read_cifs_files(git_system_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`gitd_system_use_nfs', `
|
||||
+ fs_list_nfs(gitd_system_t)
|
||||
+ fs_read_nfs_files(gitd_system_t)
|
||||
+tunable_policy(`git_system_use_nfs', `
|
||||
+ fs_list_nfs(git_system_t)
|
||||
+ fs_read_nfs_files(git_system_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -17194,24 +17194,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
+# Git daemon session repository private policy.
|
||||
+#
|
||||
+
|
||||
+list_dirs_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t)
|
||||
+read_files_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t)
|
||||
+userdom_search_user_home_dirs(gitd_session_t)
|
||||
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
|
||||
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
|
||||
+userdom_search_user_home_dirs(git_session_t)
|
||||
+
|
||||
+userdom_use_user_terminals(gitd_session_t)
|
||||
+userdom_use_user_terminals(git_session_t)
|
||||
+
|
||||
+tunable_policy(`gitd_session_bind_all_unreserved_ports', `
|
||||
+ corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
|
||||
+tunable_policy(`git_session_bind_all_unreserved_ports', `
|
||||
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs', `
|
||||
+ fs_list_nfs(gitd_session_t)
|
||||
+ fs_read_nfs_files(gitd_session_t)
|
||||
+ fs_list_nfs(git_session_t)
|
||||
+ fs_read_nfs_files(git_session_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs', `
|
||||
+ fs_list_cifs(gitd_session_t)
|
||||
+ fs_read_cifs_files(gitd_session_t)
|
||||
+ fs_list_cifs(git_session_t)
|
||||
+ fs_read_cifs_files(git_session_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -17231,8 +17231,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
|
||||
#
|
||||
|
||||
-apache_content_template(git)
|
||||
+git_role_template(git_shell)
|
||||
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
|
||||
+#git_role_template(git_shell)
|
||||
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.7/policy/modules/services/gpsd.te
|
||||
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/gpsd.te 2010-01-11 09:53:58.000000000 -0500
|
||||
@ -25697,7 +25697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.7/policy/modules/services/sssd.te
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/sssd.te 2010-01-11 09:53:58.000000000 -0500
|
||||
+++ serefpolicy-3.7.7/policy/modules/services/sssd.te 2010-01-15 17:18:18.000000000 -0500
|
||||
@@ -26,8 +26,8 @@
|
||||
#
|
||||
# sssd local policy
|
||||
@ -25723,7 +25723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
|
||||
|
||||
miscfiles_read_localization(sssd_t)
|
||||
|
||||
+userdom_manage_tmp_role(system_t, sssd_t)
|
||||
+userdom_manage_tmp_role(system_r, sssd_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(sssd_t)
|
||||
|