Newbie Q - gitweb policy
Dominick Grift
domg472 at gmail.com
Sat Mar 21 09:55:55 UTC 2009
On Sat, 2009-03-21 at 02:26 +0000, Aaron Gray wrote:
> > On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> >> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
> >> on
> >> Apache. Runs fine in permissive mode not in enforcing.
> >>
>
> I had to use 'setenforce 0', remove the grep, and then whittle down the code
> a bit.
>
> mkdir gitweb-policy;
> cd gitweb-policy;
> echo "policy_module(gitweb, 0.0.1)" > gitweb.te
> echo "apache_content_template(gitweb)" >> gitweb.te
> echo "/var/www/git/gitweb.cgi --
> gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" >gitweb.fc
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i gitweb.pp
> restorecon -R -v /var/www/git/gitweb.cgi
>
> setenforce 0;
>
> Do the http access !
>
>
> setenforce 1;
>
> ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
>
> make -f /usr/share/selinux/devel/Makefile;
>
> semodule -i gitweb.pp
>
>
> Whittle the code down a bit to :-
> gitweb.te
> policy_module(gitweb, 0.0.1)
> apache_content_template(gitweb)
>
> require {
> type httpd_sys_script_t;
> }
>
> #============= httpd_sys_script_t ==============
> files_list_default(httpd_sys_script_t)
> files_read_default_files(httpd_sys_script_t)
Looks like something went wrong here.
For starters, the denials you collected are against the httpd_sys_script_t domain and not httpd_gitweb_script_t. That means httpd is not entering gitweb.cgi through the httpd_gitweb_script_exec_t entrypoint your gitweb.fc labels; check `ls -Z /var/www/git/gitweb.cgi` after the restorecon, and that httpd really executes that file and not a copy somewhere else. Feeding permissive-mode denials straight through audit2allow only codifies that mislabelling.
Second, you're giving httpd_sys_script_t access to read files with type default_t (not recommended). default_t is the catch-all label for paths no file context spec matches, so the right fix is to label those files properly (e.g. with a git content type via a file context spec) rather than letting the web script domain read anything that happens to be default_t.
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
Here's my git policy (the .te, .if and .fc files follow, each terminated by #EOF):
policy_module(git_daemon, 0.0.1)
########################################
#
# Git daemon declarations
#
# Attributes grouping the repository content types: per-user repositories
# (types are added to git_daemon_user_content_type by
# git_daemon_per_role_template) and system-wide repositories.  Most
# interfaces grant access on the attribute, so anything carrying it is
# covered.
attribute git_daemon_user_content_type;
attribute git_daemon_system_content_type;
# Domain and entrypoint for git-daemon itself.  It is set up as an inetd
# service domain, hence the system_r role.
type git_daemon_t;
type git_daemon_exec_t;
inetd_service_domain(git_daemon_t, git_daemon_exec_t)
role system_r types git_daemon_t;
application_executable_file(git_daemon_exec_t)
# Type for system repositories (/srv/git in the fc file).  The
# typeattribute statement repeats the attribute already given in the
# type declaration; harmless, but one of the two can go.
type git_daemon_system_content_t, git_daemon_system_content_type;
typeattribute git_daemon_system_content_t
git_daemon_system_content_type;
files_type(git_daemon_system_content_t)
# Booleans, all off by default; see the tunable_policy blocks below.
## <desc>
## <p>
## Allow Git daemon to read home directories.
## </p>
## </desc>
gen_tunable(git_daemon_enable_homedirs, false)
## <desc>
## <p>
## Allow Git daemon to access nfs file systems.
## </p>
## </desc>
gen_tunable(git_daemon_use_nfs, false)
## <desc>
## <p>
## Allow Git daemon to access cifs file systems.
## </p>
## </desc>
gen_tunable(git_daemon_use_cifs, false)
########################################
#
# Git daemon policy
#
# Raw self permissions.  No tcp_socket rules here: presumably inetd hands
# the accepted connection over on stdin/stdout (compare the per-role
# template, where the user-started daemon binds and listens itself) --
# confirm.  netlink_route/udp are presumably for name resolution via
# sysnet_read_config below -- confirm.
allow git_daemon_t self:fifo_file rw_fifo_file_perms;
allow git_daemon_t self:netlink_route_socket { write getattr read bind
create nlmsg_read };
allow git_daemon_t self:udp_socket { write read create connect
getattr };
allow git_daemon_t self:unix_dgram_socket { write create connect };
# Read-only access to system repositories (granted on the attribute).
# Write access is deliberately absent: the daemon only serves content.
list_dirs_pattern(git_daemon_t, git_daemon_system_content_type,
git_daemon_system_content_type)
read_files_pattern(git_daemon_t, git_daemon_system_content_type,
git_daemon_system_content_type)
corecmd_exec_bin(git_daemon_t)
corenet_all_recvfrom_unlabeled(git_daemon_t)
corenet_all_recvfrom_netlabel(git_daemon_t)
files_read_etc_files(git_daemon_t)
files_search_usr(git_daemon_t)
fs_search_auto_mountpoints(git_daemon_t)
kernel_read_system_state(git_daemon_t)
libs_use_ld_so(git_daemon_t)
libs_use_shared_libs(git_daemon_t)
logging_send_syslog_msg(git_daemon_t)
miscfiles_read_localization(git_daemon_t)
miscfiles_read_public_files(git_daemon_t)
sysnet_read_config(git_daemon_t)
# gitweb: only active when the apache module is present.  The template
# declares the httpd_gitweb_script_t / httpd_gitweb_script_exec_t types
# used here and in the fc file; the CGI gets read-only access to the
# system repositories.
optional_policy(`
apache_content_template(gitweb)
apache_search_sys_content(httpd_gitweb_script_t)
files_getattr_tmp_dirs(httpd_gitweb_script_t)
git_daemon_read_system_content(httpd_gitweb_script_t)
')
optional_policy(`
nscd_read_pid(git_daemon_t)
')
# Home-directory repositories on NFS/CIFS are reachable either through
# the generic git_daemon_use_nfs / git_daemon_use_cifs booleans or when
# homedirs are enabled together with the system-wide use_*_home_dirs
# booleans; the rule sets are identical, so the two paths overlap.
tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', `
fs_list_nfs(git_daemon_t)
fs_read_nfs_files(git_daemon_t)
')
tunable_policy(`git_daemon_use_nfs', `
fs_list_nfs(git_daemon_t)
fs_read_nfs_files(git_daemon_t)
')
tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', `
fs_list_cifs(git_daemon_t)
fs_read_cifs_files(git_daemon_t)
')
tunable_policy(`git_daemon_use_cifs', `
fs_list_cifs(git_daemon_t)
fs_read_cifs_files(git_daemon_t)
')
# Per-user repositories: read-only, on the attribute, so every user's
# repository type is exposed once the boolean is on.
tunable_policy(`git_daemon_enable_homedirs', `
list_dirs_pattern(git_daemon_t, git_daemon_user_content_type,
git_daemon_user_content_type)
read_files_pattern(git_daemon_t, git_daemon_user_content_type,
git_daemon_user_content_type)
userdom_search_all_users_home_dirs(git_daemon_t)
')
#EOF
## <summary>SELinux policy for Git daemon.</summary>
## <desc>
## <p>
## Git daemon is a really simple server for Git
## repositories.
## </p>
## </desc>
#######################################
## <summary>
## The per role template for the Git daemon module.
## </summary>
## <desc>
## <p>
## This template creates derived domains which are used
## for Git daemon.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`git_daemon_per_role_template', `
gen_require(`
type git_daemon_exec_t;
attribute git_daemon_user_content_type;
')
########################################
#
# Git daemon public declarations.
#
# $1_git_daemon_t: a git-daemon started by the user domain $2 (see the
# domain_auto_trans below), reachable from role $3.
type $1_git_daemon_t;
application_domain($1_git_daemon_t, git_daemon_exec_t)
role $3 types $1_git_daemon_t;
# $1_git_daemon_home_t: this user's repository type under $HOME
# (HOME_DIR/public_git and ~/.gitconfig in the fc file).  The
# typeattribute line repeats the attribute given in the declaration.
type $1_git_daemon_home_t, git_daemon_user_content_type;
userdom_user_home_content($1, $1_git_daemon_home_t)
typeattribute $1_git_daemon_home_t git_daemon_user_content_type;
########################################
#
# Git daemon public policy.
#
# Unlike the inetd-started git_daemon_t, this domain creates, binds and
# listens on its own tcp socket (git_daemon_port, below).
allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms;
allow $1_git_daemon_t self:netlink_route_socket { write getattr read
bind create nlmsg_read };
allow $1_git_daemon_t self:tcp_socket { bind read write accept create
setopt listen };
allow $1_git_daemon_t self:udp_socket { create connect write read
getattr };
# Parent/child process control between the user domain and its daemon.
# NOTE(review): this hands the user domain ptrace over the daemon; fine
# for a user's own process, but it bypasses any deny_ptrace-style policy
# the distribution may want.
allow $1_git_daemon_t $2:process sigchld;
allow $2 $1_git_daemon_t:process { ptrace signal_perms };
# The daemon reads repositories; access is granted on the attribute, so
# it covers every user's *_git_daemon_home_t, not only $1's.
git_daemon_read_user_content($1, $1_git_daemon_t)
# NOTE(review): the user domain $2 gets manage/execute/relabel on the
# attribute as well, i.e. on every other user's repository type too
# (subject to DAC).  If per-user isolation is wanted, grant these on
# $1_git_daemon_home_t instead.
manage_dirs_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
manage_files_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
exec_files_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
userdom_search_user_home_dirs($1, $1_git_daemon_t)
# Objects the daemon creates directly in $HOME get this user's
# repository type.
userdom_user_home_dir_filetrans($1, $1_git_daemon_t,
$1_git_daemon_home_t, { dir file })
relabel_dirs_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
relabel_files_pattern($2, git_daemon_user_content_type,
git_daemon_user_content_type)
# Running git_daemon_exec_t from the user domain transitions into the
# per-user daemon domain.
domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t)
ps_process_pattern($2, $1_git_daemon_t)
corecmd_exec_bin($1_git_daemon_t)
corenet_all_recvfrom_unlabeled($1_git_daemon_t)
corenet_all_recvfrom_netlabel($1_git_daemon_t)
corenet_tcp_sendrecv_all_if($1_git_daemon_t)
corenet_tcp_sendrecv_all_nodes($1_git_daemon_t)
corenet_tcp_bind_all_nodes($1_git_daemon_t)
corenet_tcp_bind_git_daemon_port($1_git_daemon_t)
files_read_etc_files($1_git_daemon_t)
files_search_home($1_git_daemon_t)
files_search_usr($1_git_daemon_t)
fs_search_auto_mountpoints($1_git_daemon_t)
kernel_read_system_state($1_git_daemon_t)
libs_use_ld_so($1_git_daemon_t)
libs_use_shared_libs($1_git_daemon_t)
logging_send_syslog_msg($1_git_daemon_t)
miscfiles_read_localization($1_git_daemon_t)
sysnet_read_config($1_git_daemon_t)
# The daemon may write to the user's terminal (it is started from one).
userdom_use_user_terminals($1, $1_git_daemon_t)
# Home directories on NFS/CIFS follow the system-wide booleans only;
# the module's own git_daemon_use_* booleans are not consulted here.
tunable_policy(`use_nfs_home_dirs', `
fs_list_nfs($1_git_daemon_t)
fs_read_nfs_files($1_git_daemon_t)
')
tunable_policy(`use_samba_home_dirs', `
fs_list_cifs($1_git_daemon_t)
fs_read_cifs_files($1_git_daemon_t)
')
optional_policy(`
nscd_read_pid($1_git_daemon_t)
')
optional_policy(`
nis_use_ypbind($1_git_daemon_t)
')
')
########################################
## <summary>
## Allow the specified domain to read
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_system_content', `
gen_require(`
attribute git_daemon_system_content_type;
')
# files_search_var is presumably needed because the system
# repositories (/srv/git in the fc file) sit under a var_t-labelled
# path -- confirm against the base file contexts.
files_search_var($1)
# Read-only, and only dir/file classes: symlinks inside a repository
# are not covered by these patterns.
list_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
read_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to manage
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_system_content', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
# Full create/write/delete on every type carrying the attribute.  No
# execute (see git_daemon_execute_system_content_files) and no
# lnk_file class, so symlinks in a repository are not manageable here.
manage_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
manage_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to execute
## Git daemon system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_execute_system_content_files', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
# Executes repository content (hooks, for instance) in the calling
# domain: no domain transition is set up here, so whatever runs keeps
# the caller's full access.  Grant sparingly.
exec_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to read
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_read_user_content', `
gen_require(`
attribute git_daemon_user_content_type;
')
# Read access is granted on the attribute, i.e. on every user's
# repository type; $1 only selects whose home directory may be
# searched to reach them.
allow $2 git_daemon_user_content_type:dir list_dir_perms;
allow $2 git_daemon_user_content_type:file read_file_perms;
userdom_search_user_home_dirs($1, $2)
')
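########################################
## <summary>
## Allow the specified domain to manage
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_manage_user_content', `
gen_require(`
attribute git_daemon_user_content_type;
type $1_git_daemon_home_t;
')
# Manage is granted on the attribute, i.e. on the *_git_daemon_home_t
# of every user prefix, not only $1's; $1 selects whose home directory
# may be searched.
allow $2 git_daemon_user_content_type:dir manage_dir_perms;
allow $2 git_daemon_user_content_type:file manage_file_perms;
# A type_transition needs a concrete default type, not an attribute, so
# objects $2 creates directly in $1's home directory are labelled with
# $1's own repository type -- the same target the filetrans rule in
# git_daemon_per_role_template uses.  $1_git_daemon_home_t is declared
# by that template, so it must have been instantiated for $1.
userdom_user_home_dir_filetrans($1, $2, $1_git_daemon_home_t,
{ dir file })
userdom_search_user_home_dirs($1, $2)
')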
########################################
## <summary>
## Allow the specified domain to relabel
## Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`git_daemon_relabel_user_content', `
gen_require(`
attribute git_daemon_user_content_type;
')
# relabelfrom/relabelto on every type carrying the attribute (all
# users' repositories); $1 selects whose home directory is searchable.
allow $2 git_daemon_user_content_type:dir relabel_dir_perms;
allow $2 git_daemon_user_content_type:file relabel_file_perms;
userdom_search_user_home_dirs($1, $2)
')
########################################
## <summary>
## Allow the specified domain to manage
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_all_content', `
# Convenience wrapper: per-user repositories (all prefixes, via the
# attribute) plus system repositories.
git_daemon_manage_user_content($1, $2)
git_daemon_manage_system_content($2)
')
########################################
## <summary>
## Allow the specified domain to read
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_all_content', `
# Convenience wrapper: read-only on per-user repositories (all
# prefixes, via the attribute) plus system repositories.
git_daemon_read_user_content($1, $2)
git_daemon_read_system_content($2)
')
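########################################
## <summary>
## Allow the specified domain to relabel
## Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_relabel_system_content', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
# relabelfrom/relabelto on every type carrying the attribute; dir and
# file classes only, matching the read/manage interfaces.
relabel_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
relabel_files_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to relabel
## all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_relabel_all_content', `
# Convenience wrapper: per-user repositories (all prefixes, via the
# attribute) plus system repositories.  The system-content interface
# was referenced here but never defined in this file, which would have
# left the call unexpanded for any caller (git_daemon_admin uses it);
# it is now declared directly above.
git_daemon_relabel_user_content($1, $2)
git_daemon_relabel_system_content($2)
')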
########################################
## <summary>
## Allow the specified domain to list
## Git daemon system content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_list_system_content_dirs', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
# Directory listing only; file contents stay unreadable (compare
# git_daemon_read_system_content).
list_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
########################################
## <summary>
## Allow the specified domain to search
## Git daemon system content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_search_system_content_dirs', `
gen_require(`
attribute git_daemon_system_content_type;
')
files_search_var($1)
# Search (traverse) only -- the weakest of the system-content
# interfaces; no listing and no file access.
search_dirs_pattern($1, git_daemon_system_content_type,
git_daemon_system_content_type)
')
#######################################
## <summary>
## The template for creating a Git user domain.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's pty.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`git_daemon_git_user_template',`
gen_require(`
attribute unpriv_userdomain, userdomain;
class context contains;
')
##############################
#
# Git user public declarations.
#
# $1_file_type is declared but nothing in this template assigns a type
# to it; $1_usertype carries the rules below.
attribute $1_file_type;
attribute $1_usertype;
# A full (unprivileged) user domain with shell and bin entrypoints and
# its own role.  How it is entered (e.g. by sshd, given
# ssh_rw_stream_sockets below) is not shown here -- confirm.
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t;
# Lets system_r processes change into $1_r (presumably for the login
# path) -- confirm.
allow system_r $1_r;
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
##############################
#
# Git user public policy.
#
allow $1_usertype self:context contains;
allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
corecmd_exec_bin($1_usertype)
kernel_read_system_state($1_usertype)
files_read_etc_files($1_usertype)
files_search_home($1_usertype)
# NOTE(review): manage plus execute on the system repositories means
# this user can both modify repository content and run it (hooks and
# the like) in its own domain.  Intended for a git-shell style account,
# but it is the broadest grant in the module.
git_daemon_manage_system_content($1_usertype)
git_daemon_execute_system_content_files($1_usertype)
libs_use_ld_so($1_usertype)
libs_use_shared_libs($1_usertype)
miscfiles_read_localization($1_usertype)
ssh_rw_stream_sockets($1_usertype)
optional_policy(`
nscd_read_pid($1_usertype)
')
')
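########################################
## <summary>
## All of the rules required to administrate an
## Git daemon environment
## </summary>
## <param name="userdomain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the user_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the Git daemon domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_admin', `
gen_require(`
type git_daemon_t, git_daemon_exec_t;
')
# Process control over the daemon, ptrace included, as in the other
# refpolicy *_admin interfaces.
allow $1 git_daemon_t:process { getattr ptrace signal_perms };
# Manage and relabel every repository type (per-user via the attribute,
# plus system content).
git_daemon_manage_all_content($1, $2)
git_daemon_relabel_all_content($1, $2)
miscfiles_manage_public_files($1)
# Read the daemon's /proc entries.
kernel_search_proc($1)
allow $1 git_daemon_t:dir list_dir_perms;
read_files_pattern($1, git_daemon_t, git_daemon_t)
read_lnk_files_pattern($1, git_daemon_t, git_daemon_t)
# Manage (i.e. replace) the daemon binary itself.
manage_files_pattern($1, git_daemon_exec_t, git_daemon_exec_t)
# httpd_gitweb_script_exec_t only exists when the apache optional block
# in git_daemon.te is enabled.  Requiring it unconditionally would make
# every caller of this interface depend on the apache module being
# loaded, so it is pulled in only when available.
optional_policy(`
gen_require(`
type httpd_gitweb_script_exec_t;
')
manage_files_pattern($1, httpd_gitweb_script_exec_t,
httpd_gitweb_script_exec_t)
')
# Lets the admin run setfiles/restorecon to relabel repository content.
seutil_domtrans_setfiles($1)
')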
#EOF
########################################
#
# Git daemon contexts
#
# NOTE: each spec and its gen_context() presumably belong on one line;
# the breaks below look like mail wrapping, so rejoin them before use.
#
# Per-user repositories and git config in the home directory.  HOME_DIR
# and ROLE are presumably substituted per user/role when home directory
# contexts are generated, pairing these with git_daemon_per_role_template
# (which declares ROLE_git_daemon_home_t) -- confirm.
HOME_DIR/public_git(/.*)?
gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
HOME_DIR/\.gitconfig --
gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
# System-wide repositories served by git-daemon.
/srv/git(/.*)?
gen_context(system_u:object_r:git_daemon_system_content_t, s0)
/usr/bin/git-daemon --
gen_context(system_u:object_r:git_daemon_exec_t, s0)
# gitweb CGI entrypoint; httpd_gitweb_script_exec_t only exists when the
# apache optional block in git_daemon.te is enabled.  Specs are regular
# expressions, hence the escaped dot.
/var/www/git/gitweb\.cgi --
gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
#EOF
But it won't work as posted unless it is adapted to your setup and integrated properly (the .if file has to be installed alongside the .te and .fc, and the per-role template has to be invoked for the user domains that should get a git daemon). It also still needs some polishing.
> gitweb.fc
> /var/www/git/gitweb.cgi --
> gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
>