selinux-policy/policy/modules/services/git.if
Dominick Grift 6bb4d401ee Replace type and attributes statements by comma delimiters where possible.
Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.
2010-09-17 14:32:47 +02:00

524 lines
11 KiB
Plaintext

## <summary>Fast Version Control System.</summary>
## <desc>
## <p>
## A really simple TCP git daemon that normally listens on
## port DEFAULT_GIT_PORT aka 9418. It waits for a
## connection asking for a service, and will serve that
## service if it is enabled.
## </p>
## </desc>
#######################################
## <summary>
## Role access for Git daemon session.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
#
interface(`git_session_role',`
gen_require(`
type git_session_t, gitd_exec_t, git_session_content_t;
')
########################################
#
# Git daemon session shared declarations.
#
role $1 types git_session_t;
########################################
#
# Git daemon session shared policy.
#
domtrans_pattern($2, gitd_exec_t, git_session_t)
allow $2 git_session_t:process { ptrace signal_perms };
ps_process_pattern($2, git_session_t)
')
########################################
## <summary>
## Create a set of derived types for Git
## daemon shared repository content.
## </summary>
## <param name="prefix">
## <summary>
## The prefix to be used for deriving type names.
## </summary>
## </param>
#
template(`git_content_template',`
gen_require(`
attribute git_system_content, git_content;
')
########################################
#
# Git daemon content shared declarations.
#
type git_$1_content_t, git_system_content, git_content;
files_type(git_$1_content_t)
')
########################################
## <summary>
## Create a set of derived types for Git
## daemon shared repository roles.
## </summary>
## <param name="prefix">
## <summary>
## The prefix to be used for deriving type names.
## </summary>
## </param>
#
template(`git_role_template',`
gen_require(`
class context contains;
role system_r;
')
########################################
#
# Git daemon role shared declarations.
#
attribute $1_usertype;
type $1_t;
userdom_unpriv_usertype($1, $1_t)
domain_type($1_t)
role $1_r types $1_t;
allow system_r $1_r;
########################################
#
# Git daemon role shared policy.
#
allow $1_t self:context contains;
allow $1_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin($1_t)
corecmd_bin_entry_type($1_t)
corecmd_shell_entry_type($1_t)
domain_interactive_fd($1_t)
domain_user_exemption_target($1_t)
kernel_read_system_state($1_t)
files_read_etc_files($1_t)
files_dontaudit_search_home($1_t)
miscfiles_read_localization($1_t)
git_rwx_generic_system_content($1_t)
ssh_rw_stream_sockets($1_t)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1_t)
fs_manage_cifs_dirs($1_t)
fs_manage_cifs_files($1_t)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1_t)
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
')
optional_policy(`
nscd_read_pid($1_t)
')
')
#######################################
## <summary>
## Allow specified domain access to the
## specified Git daemon content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object">
## <summary>
## Type of the object that access is allowed to.
## </summary>
## </param>
#
interface(`git_content_delegation',`
gen_require(`
type $1, $2;
')
exec_files_pattern($1, $2, $2)
manage_dirs_pattern($1, $2, $2)
manage_files_pattern($1, $2, $2)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to manage
## and execute all Git daemon content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_rwx_all_content',`
gen_require(`
attribute git_content;
')
exec_files_pattern($1, git_content, git_content)
manage_dirs_pattern($1, git_content, git_content)
manage_files_pattern($1, git_content, git_content)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
tunable_policy(`use_nfs_home_dirs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to manage
## and execute all Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_rwx_all_system_content',`
gen_require(`
attribute git_system_content;
')
exec_files_pattern($1, git_system_content, git_system_content)
manage_dirs_pattern($1, git_system_content, git_system_content)
manage_files_pattern($1, git_system_content, git_system_content)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to manage
## and execute Git daemon generic system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_rwx_generic_system_content',`
gen_require(`
type git_system_content_t;
')
exec_files_pattern($1, git_system_content_t, git_system_content_t)
manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
manage_files_pattern($1, git_system_content_t, git_system_content_t)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
fs_manage_cifs_dirs($1)
fs_manage_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_exec_nfs_files($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to read
## all Git daemon content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_read_all_content_files',`
gen_require(`
attribute git_content;
')
list_dirs_pattern($1, git_content, git_content)
read_files_pattern($1, git_content, git_content)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to read
## Git daemon session content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_read_session_content_files',`
gen_require(`
type git_session_content_t;
')
list_dirs_pattern($1, git_session_content_t, git_session_content_t)
read_files_pattern($1, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs($1)
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to read
## all Git daemon system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_read_all_system_content_files',`
gen_require(`
attribute git_system_content;
')
list_dirs_pattern($1, git_system_content, git_system_content)
read_files_pattern($1, git_system_content, git_system_content)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to read
## Git daemon generic system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_read_generic_system_content_files',`
gen_require(`
type git_system_content_t;
')
list_dirs_pattern($1, git_system_content_t, git_system_content_t)
read_files_pattern($1, git_system_content_t, git_system_content_t)
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
')
')
########################################
## <summary>
## Allow the specified domain to relabel
## all Git daemon content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_relabel_all_content',`
gen_require(`
attribute git_content;
')
relabel_dirs_pattern($1, git_content, git_content)
relabel_files_pattern($1, git_content, git_content)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
')
########################################
## <summary>
## Allow the specified domain to relabel
## all Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_relabel_all_system_content',`
gen_require(`
attribute git_system_content;
')
relabel_dirs_pattern($1, git_system_content, git_system_content)
relabel_files_pattern($1, git_system_content, git_system_content)
files_search_var_lib($1)
')
########################################
## <summary>
## Allow the specified domain to relabel
## Git daemon generic system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_relabel_generic_system_content',`
gen_require(`
type git_system_content_t;
')
relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
relabel_files_pattern($1, git_system_content_t, git_system_content_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Allow the specified domain to relabel
## Git daemon session content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_relabel_session_content',`
gen_require(`
type git_session_content_t;
')
relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
relabel_files_pattern($1, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs($1)
')