selinux-refpolicy/policy/modules/services/git.if

## <summary>GIT revision control system.</summary>

########################################
## <summary>
##	Role access for Git session.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <param name="user_exec_domain">
##	<summary>
##	User exec domain for execute and transition access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
#
template(`git_role',`
	gen_require(`
		attribute_role git_session_roles;
		type git_session_t, gitd_exec_t, git_user_content_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $4 git_session_roles;

	########################################
	#
	# Policy
	#

	allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
	userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")

	allow $3 git_session_t:process { ptrace signal_perms };
	ps_process_pattern($3, git_session_t)

	tunable_policy(`git_session_users',`
		domtrans_pattern($3, gitd_exec_t, git_session_t)
	',`
		can_exec($3, gitd_exec_t)
	')

	optional_policy(`
		systemd_user_app_status($1, git_session_t)
	')
')

########################################
## <summary>
##	Role access for Git client.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <param name="user_exec_domain">
##	<summary>
##	User exec domain for execute and transition access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
#
template(`git_client_role_template',`
	gen_require(`
		attribute git_client_domain;
		type git_exec_t, git_home_t, git_home_hook_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_git_t, git_client_domain;
	userdom_user_application_domain($1_git_t, git_exec_t)
	role $4 types $1_git_t;

	########################################
	#
	# Policy
	#
	
	domtrans_pattern($3, git_exec_t, $1_git_t)

	allow $2 git_home_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 git_home_t:file { manage_file_perms relabel_file_perms };
	userdom_user_home_dir_filetrans($2, git_home_t, dir, ".git")

	allow $2 git_home_hook_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 git_home_hook_t:file { exec_file_perms manage_file_perms relabel_file_perms };
	filetrans_pattern($2, git_home_t, git_home_hook_t, dir, "hooks")

	allow $3 $1_git_t:process { ptrace signal_perms };
	ps_process_pattern($3, $1_git_t)

	auth_use_nsswitch($1_git_t)

	# allow userdomains to exec git hooks
	exec_files_pattern($3, git_home_hook_t, git_home_hook_t)
	# transition back to the user domain when executing git hooks
	domtrans_pattern($1_git_t, git_home_t, $2)

	# transition to ssh client domain when performing ssh operations
	optional_policy(`
		ssh_client_domtrans($1_git_t)
	')

	optional_policy(`
		systemd_user_app_status($1, $1_git_t)
	')
')

########################################
## <summary>
##	Read generic system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_read_generic_sys_content_files',`
	gen_require(`
		type git_sys_content_t;
	')

	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
	read_files_pattern($1, git_sys_content_t, git_sys_content_t)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`
		fs_getattr_cifs($1)
		fs_list_cifs($1)
		fs_read_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_getattr_nfs($1)
		fs_list_nfs($1)
		fs_read_nfs_files($1)
	')
')
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`## <summary>GIT revision control system.</summary>`

			`########################################`
			`## <summary>`
			`## Role access for Git session.`
			`## </summary>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## <param name="role_prefix">`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`## <summary>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## The prefix of the user role (e.g., user`
			`## is the prefix for user_r).`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`## </summary>`
			`## </param>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## <param name="user_domain">`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`## <summary>`
			`## User domain for the role.`
			`## </summary>`
			`## </param>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## <param name="user_exec_domain">`
			`## <summary>`
			`## User exec domain for execute and transition access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## Role allowed access`
			`## </summary>`
			`## </param>`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`#`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			template(`git_role',`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			gen_require(`
			`attribute_role git_session_roles;`
			`type git_session_t, gitd_exec_t, git_user_content_t;`
			`')`

			`########################################`
			`#`
			`# Declarations`
			`#`

git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`roleattribute $4 git_session_roles;`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`########################################`
			`#`
			`# Policy`
			`#`

			`allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms };`
			`allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };`
			`userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")`

git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`allow $3 git_session_t:process { ptrace signal_perms };`
			`ps_process_pattern($3, git_session_t)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			tunable_policy(`git_session_users',`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`domtrans_pattern($3, gitd_exec_t, git_session_t)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			',`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`can_exec($3, gitd_exec_t)`
			`')`

			optional_policy(`
			`systemd_user_app_status($1, git_session_t)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`')`
			`')`

git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`########################################`
			`## <summary>`
			`## Role access for Git client.`
			`## </summary>`
			`## <param name="role_prefix">`
			`## <summary>`
			`## The prefix of the user role (e.g., user`
			`## is the prefix for user_r).`
			`## </summary>`
			`## </param>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## <param name="user_domain">`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`## <summary>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## User domain for the role.`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`## </summary>`
			`## </param>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## <param name="user_exec_domain">`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`## <summary>`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`## User exec domain for execute and transition access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## Role allowed access`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`## </summary>`
			`## </param>`
			`#`
			template(`git_client_role_template',`
			gen_require(`
			`attribute git_client_domain;`
			`type git_exec_t, git_home_t, git_home_hook_t;`
			`')`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`type $1_git_t, git_client_domain;`
			`userdom_user_application_domain($1_git_t, git_exec_t)`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`role $4 types $1_git_t;`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00
			`########################################`
			`#`
			`# Policy`
			`#`

			`domtrans_pattern($3, git_exec_t, $1_git_t)`

git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`allow $2 git_home_t:dir { manage_dir_perms relabel_dir_perms };`
			`allow $2 git_home_t:file { manage_file_perms relabel_file_perms };`
			`userdom_user_home_dir_filetrans($2, git_home_t, dir, ".git")`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`allow $2 git_home_hook_t:dir { manage_dir_perms relabel_dir_perms };`
			`allow $2 git_home_hook_t:file { exec_file_perms manage_file_perms relabel_file_perms };`
			`filetrans_pattern($2, git_home_t, git_home_hook_t, dir, "hooks")`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00
			`allow $3 $1_git_t:process { ptrace signal_perms };`
			`ps_process_pattern($3, $1_git_t)`

			`auth_use_nsswitch($1_git_t)`

			`# allow userdomains to exec git hooks`
git: fix typo in git hook exec access Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-11-08 16:59:03 +00:00			`exec_files_pattern($3, git_home_hook_t, git_home_hook_t)`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`# transition back to the user domain when executing git hooks`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00			`domtrans_pattern($1_git_t, git_home_t, $2)`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00
			`# transition to ssh client domain when performing ssh operations`
			optional_policy(`
			`ssh_client_domtrans($1_git_t)`
			`')`
git, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 14:51:19 +00:00
			optional_policy(`
			`systemd_user_app_status($1, $1_git_t)`
			`')`
git, roles: add policy for git client Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-09-11 16:17:29 +00:00			`')`

Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`########################################`
			`## <summary>`
			`## Read generic system content files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`git_read_generic_sys_content_files',`
			gen_require(`
			`type git_sys_content_t;`
			`')`

			`list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)`
			`read_files_pattern($1, git_sys_content_t, git_sys_content_t)`

			`files_search_var_lib($1)`

			tunable_policy(`git_system_use_cifs',`
			`fs_getattr_cifs($1)`
			`fs_list_cifs($1)`
			`fs_read_cifs_files($1)`
			`')`

			tunable_policy(`git_system_use_nfs',`
			`fs_getattr_nfs($1)`
			`fs_list_nfs($1)`
			`fs_read_nfs_files($1)`
			`')`
			`')`