policy_module(git, 1.0.3)

# Git daemon policy. Two daemon domains share the git_domains attribute:
# git_system_t, an inetd service serving system-wide repositories, and
# git_session_t, a per-user application serving repositories in home
# directories. An apache cgi script domain (httpd_git_script_t) and a
# restricted git-shell login role are declared at the end of the file.

## <desc>
##	<p>
##	Allow Git daemon system to search home directories.
##	</p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)

## <desc>
##	<p>
##	Allow Git daemon system to access cifs file systems.
##	</p>
## </desc>
gen_tunable(git_system_use_cifs, false)

## <desc>
##	<p>
##	Allow Git daemon system to access nfs file systems.
##	</p>
## </desc>
gen_tunable(git_system_use_nfs, false)

########################################
#
# Git daemon global private declarations.
#

# git_domains: every git daemon domain; the shared rules in the global
# policy section below are written against this attribute.
attribute git_domains;
# git_system_content: system-wide repository content only (not referenced
# by the rules in this file; presumably used by the interfaces in git.if).
attribute git_system_content;
# git_content: all repository content, system-wide and per-user.
attribute git_content;

# Shared entry point for both daemon domains.
type gitd_exec_t;

########################################
#
# Git daemon system private declarations.
#

type git_system_t, git_domains;
inetd_service_domain(git_system_t, gitd_exec_t)
role system_r types git_system_t;

type git_system_content_t, git_system_content, git_content;
files_type(git_system_content_t)
# Old name for the same type, presumably kept so existing labels and
# policies that still say git_data_t keep working.
typealias git_system_content_t alias git_data_t;

########################################
#
# Git daemon session private declarations.
#

## <desc>
##	<p>
##	Allow Git daemon session to bind
##	tcp sockets to all unreserved ports.
##	</p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)

type git_session_t, git_domains;
application_domain(git_session_t, gitd_exec_t)
# Subject to the user-based access control constraints, like other
# per-user application domains.
ubac_constrained(git_session_t)

# Per-user repository content living under the user home directory.
type git_session_content_t, git_content;
userdom_user_home_content(git_session_content_t)

########################################
#
# Git daemon global private policy.
#

allow git_domains self:fifo_file rw_fifo_file_perms;
allow git_domains self:netlink_route_socket create_netlink_socket_perms;
allow git_domains self:tcp_socket create_socket_perms;
allow git_domains self:udp_socket create_socket_perms;
allow git_domains self:unix_dgram_socket create_socket_perms;

corenet_all_recvfrom_netlabel(git_domains)
# Traffic from peers without a network label is accepted, which is the
# common case when labeled networking is not in use.
corenet_all_recvfrom_unlabeled(git_domains)
corenet_tcp_bind_generic_node(git_domains)
corenet_tcp_sendrecv_generic_if(git_domains)
corenet_tcp_sendrecv_generic_node(git_domains)
corenet_tcp_sendrecv_generic_port(git_domains)

# By default the daemons may bind only the git port type; the session
# daemon can be widened to any unreserved port via the
# git_session_bind_all_unreserved_ports tunable below.
corenet_tcp_bind_git_port(git_domains)
corenet_sendrecv_git_server_packets(git_domains)

corecmd_exec_bin(git_domains)

files_read_etc_files(git_domains)
files_read_usr_files(git_domains)

fs_search_auto_mountpoints(git_domains)

kernel_read_system_state(git_domains)

auth_use_nsswitch(git_domains)

logging_send_syslog_msg(git_domains)

miscfiles_read_localization(git_domains)

sysnet_read_config(git_domains)

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(git_domains)
')

optional_policy(`
	nis_use_ypbind(git_domains)
')

########################################
#
# Git daemon system repository private policy.
#

# The system daemon reads every type carrying git_content, which includes
# the per-user git_session_content_t; the session daemon below is limited
# to its own content type. Access is read-only in both cases.
list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)

files_search_var_lib(git_system_t)

tunable_policy(`git_system_enable_homedirs', `
	userdom_search_user_home_dirs(git_system_t)
')

# The nfs and cifs rules below grant read access to the whole filesystem
# type (nfs_t / cifs_t), not only to repository paths, since files on
# these filesystems carry a single label. All are off by default.
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_cifs', `
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_nfs', `
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
')

########################################
#
# Git daemon session repository private policy.
#

# Only the session daemon runs as a standalone listener; the system daemon
# is an inetd service (inetd_service_domain above) and does not get
# listen/accept here.
allow git_session_t self:tcp_socket { accept listen };

list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)

userdom_search_user_home_dirs(git_session_t)
userdom_use_user_terminals(git_session_t)

# Widens the listening surface from the git port to every unreserved port.
tunable_policy(`git_session_bind_all_unreserved_ports', `
	corenet_tcp_bind_all_unreserved_ports(git_session_t)
	corenet_sendrecv_generic_server_packets(git_session_t)
')

tunable_policy(`use_nfs_home_dirs', `
	fs_list_nfs(git_session_t)
	fs_read_nfs_files(git_session_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_list_cifs(git_session_t)
	fs_read_cifs_files(git_session_t)
')

########################################
#
# cgi git Declarations
#

# Web front end: apache_content_template(git) creates httpd_git_script_t,
# which is then given read access to repository content through the
# git_read_all_content_files interface (defined in git.if).
optional_policy(`
	apache_content_template(git)
	git_read_all_content_files(httpd_git_script_t)
	files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
')

########################################
#
# Git-shell private policy.
#

# Restricted login role for git-shell users (role and domain come from the
# template in git.if), plus a SELinux user git_shell_u whose only role is
# git_shell_r, at MLS level and range s0.
git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)