Diffstat (limited to 'policy/modules/contrib/git.te')
-rw-r--r--policy/modules/contrib/git.te266
1 files changed, 0 insertions, 266 deletions
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
deleted file mode 100644
index 93b03011..00000000
--- a/policy/modules/contrib/git.te
+++ /dev/null
@@ -1,266 +0,0 @@
-policy_module(git, 1.2.3)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Determine whether Git CGI
-## can search home directories.
-## </p>
-## </desc>
-gen_tunable(git_cgi_enable_homedirs, false)
-
-## <desc>
-## <p>
-## Determine whether Git CGI
-## can access cifs file systems.
-## </p>
-## </desc>
-gen_tunable(git_cgi_use_cifs, false)
-
-## <desc>
-## <p>
-## Determine whether Git CGI
-## can access nfs file systems.
-## </p>
-## </desc>
-gen_tunable(git_cgi_use_nfs, false)
-
-## <desc>
-## <p>
-## Determine whether Git session daemon
-## can bind TCP sockets to all
-## unreserved ports.
-## </p>
-## </desc>
-gen_tunable(git_session_bind_all_unreserved_ports, false)
-
-## <desc>
-## <p>
-## Determine whether calling user domains
-## can execute Git daemon in the
-## git_session_t domain.
-## </p>
-## </desc>
-gen_tunable(git_session_users, false)
-
-## <desc>
-## <p>
-## Determine whether Git session daemons
-## can send syslog messages.
-## </p>
-## </desc>
-gen_tunable(git_session_send_syslog_msg, false)
-
-## <desc>
-## <p>
-## Determine whether Git system daemon
-## can search home directories.
-## </p>
-## </desc>
-gen_tunable(git_system_enable_homedirs, false)
-
-## <desc>
-## <p>
-## Determine whether Git system daemon
-## can access cifs file systems.
-## </p>
-## </desc>
-gen_tunable(git_system_use_cifs, false)
-
-## <desc>
-## <p>
-## Determine whether Git system daemon
-## can access nfs file systems.
-## </p>
-## </desc>
-gen_tunable(git_system_use_nfs, false)
-
-attribute git_daemon;
-attribute_role git_session_roles;
-
-apache_content_template(git)
-
-type git_system_t, git_daemon;
-type gitd_exec_t;
-inetd_service_domain(git_system_t, gitd_exec_t)
-
-type git_session_t, git_daemon;
-userdom_user_application_domain(git_session_t, gitd_exec_t)
-role git_session_roles types git_session_t;
-
-type git_sys_content_t;
-files_type(git_sys_content_t)
-
-type git_user_content_t;
-userdom_user_home_content(git_user_content_t)
-
-########################################
-#
-# Session policy
-#
-
-allow git_session_t self:tcp_socket { accept listen };
-
-list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
-read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
-userdom_search_user_home_dirs(git_session_t)
-
-corenet_all_recvfrom_netlabel(git_session_t)
-corenet_all_recvfrom_unlabeled(git_session_t)
-corenet_tcp_bind_generic_node(git_session_t)
-corenet_tcp_sendrecv_generic_if(git_session_t)
-corenet_tcp_sendrecv_generic_node(git_session_t)
-
-corenet_sendrecv_git_server_packets(git_session_t)
-corenet_tcp_bind_git_port(git_session_t)
-corenet_tcp_sendrecv_git_port(git_session_t)
-
-auth_use_nsswitch(git_session_t)
-
-userdom_use_user_terminals(git_session_t)
-
-tunable_policy(`git_session_bind_all_unreserved_ports',`
- corenet_sendrecv_all_server_packets(git_session_t)
- corenet_tcp_bind_all_unreserved_ports(git_session_t)
- corenet_tcp_sendrecv_all_ports(git_session_t)
-')
-
-tunable_policy(`git_session_send_syslog_msg',`
- logging_send_syslog_msg(git_session_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(git_session_t)
- fs_list_nfs(git_session_t)
- fs_read_nfs_files(git_session_t)
-',`
- fs_dontaudit_read_nfs_files(git_session_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(git_session_t)
- fs_list_cifs(git_session_t)
- fs_read_cifs_files(git_session_t)
-',`
- fs_dontaudit_read_cifs_files(git_session_t)
-')
-
-########################################
-#
-# System policy
-#
-
-list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
-read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
-
-files_search_var_lib(git_system_t)
-
-auth_use_nsswitch(git_system_t)
-
-logging_send_syslog_msg(git_system_t)
-
-tunable_policy(`git_system_enable_homedirs',`
- userdom_search_user_home_dirs(git_system_t)
-')
-
-tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
- fs_getattr_nfs(git_system_t)
- fs_list_nfs(git_system_t)
- fs_read_nfs_files(git_system_t)
-',`
- fs_dontaudit_read_nfs_files(git_system_t)
-')
-
-tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
- fs_getattr_cifs(git_system_t)
- fs_list_cifs(git_system_t)
- fs_read_cifs_files(git_system_t)
-',`
- fs_dontaudit_read_cifs_files(git_system_t)
-')
-
-tunable_policy(`git_system_use_cifs',`
- fs_getattr_cifs(git_system_t)
- fs_list_cifs(git_system_t)
- fs_read_cifs_files(git_system_t)
-',`
- fs_dontaudit_read_cifs_files(git_system_t)
-')
-
-tunable_policy(`git_system_use_nfs',`
- fs_getattr_nfs(git_system_t)
- fs_list_nfs(git_system_t)
- fs_read_nfs_files(git_system_t)
-',`
- fs_dontaudit_read_nfs_files(git_system_t)
-')
-
-########################################
-#
-# CGI policy
-#
-
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
-
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-
-auth_use_nsswitch(httpd_git_script_t)
-
-tunable_policy(`git_cgi_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_git_script_t)
-')
-
-tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
- fs_read_nfs_files(httpd_git_script_t)
-',`
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
-')
-
-tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
- fs_getattr_cifs(httpd_git_script_t)
- fs_list_cifs(httpd_git_script_t)
- fs_read_cifs_files(httpd_git_script_t)
-',`
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
-')
-
-tunable_policy(`git_cgi_use_cifs',`
- fs_getattr_cifs(httpd_git_script_t)
- fs_list_cifs(httpd_git_script_t)
- fs_read_cifs_files(httpd_git_script_t)
-',`
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
-')
-
-tunable_policy(`git_cgi_use_nfs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
- fs_read_nfs_files(httpd_git_script_t)
-',`
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
-')
-
-########################################
-#
-# Git global policy
-#
-
-allow git_daemon self:fifo_file rw_fifo_file_perms;
-
-kernel_read_system_state(git_daemon)
-
-corecmd_exec_bin(git_daemon)
-
-files_read_usr_files(git_daemon)
-
-fs_search_auto_mountpoints(git_daemon)
-
-miscfiles_read_localization(git_daemon)