# SELinux Type Enforcement module for RocketGit.
#
# Purpose: confine the RocketGit processes (cron jobs, inetd/ssh-spawned git
# helpers, the worker script) in rocketgit_t / rocketgit_worker_t, label the
# on-disk content (code, config, logs, repositories, sockets, locks, unit
# file), and grant php-fpm (running as httpd_t) the access it needs to the
# same content.
#
# The gen_require block lists the types, roles and classes this module uses
# but does not declare. @@EXTRA_GEN_REQUIRE@@ appears to be a build-time
# substitution point (confirm in the packaging scripts); several types used
# below (system_mail_t, tmp_t) are not listed here and presumably arrive
# through it or through the interfaces that reference them.
policy_module(rocketgit,1.0.156)
gen_require(`
type httpd_t;
type httpd_exec_t;
type unconfined_t;
role unconfined_r;
type fs_t;
type sshd_t;
class capability dac_read_search;
@@EXTRA_GEN_REQUIRE@@
')
# The role statement below is required for the unconfined_t -> rocketgit_t
# transition further down. Without it the kernel refuses to build the new
# context and logs:
# type=SELINUX_ERR msg=audit(1422396984.627:349803): \
# security_compute_sid: invalid context \
# unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \
# scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
# tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
role unconfined_r types rocketgit_t;
# Main confined domain: cron jobs, inetd/ssh git helpers, rg_authorize, PHP.
type rocketgit_t;
domain_type(rocketgit_t)
# Cron jobs need search on /var/lib. The exact reason is not pinned down;
# most likely it is the path component leading to the content directory
# (see rocketgit_var_t below) - TODO confirm and narrow if possible.
files_search_var_lib(rocketgit_t)
# Manage ~/.ssh/authorized_keys (RocketGit maintains the key list itself).
ssh_manage_home_files(rocketgit_t)
# Entry point: executing a rocketgit_exec_t file enters rocketgit_t.
type rocketgit_exec_t;
domain_entry_file(rocketgit_t, rocketgit_exec_t)
# When cron executes rocketgit_exec_t, we transition to rocketgit_t
cron_system_entry(rocketgit_t, rocketgit_exec_t)
# When started from inetd, transition to rocketgit_t. The entry-file rule
# alone was observed not to be enough (reason not established). The block
# is optional so the module still builds without the inetd policy.
optional_policy(`
inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t)
')
# Force a transition into rocketgit_t whenever rocketgit_exec_t is run from
# an unconfined shell or from sshd. The unconfined_t rule means even an
# administrator's interactive run of these binaries is confined.
domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)
domain_auto_trans(sshd_t, rocketgit_exec_t, rocketgit_t)
# Allow rocketgit_t to send sigchld to its parent sshd on exit, else:
# type=AVC msg=audit(1478322111.327:1158923): avc: denied { sigchld } for pid=24506 comm="sshd" scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
# A raw allow is used; an sshd_* interface may exist for this - not verified.
allow rocketgit_t sshd_t:process sigchld;
# Allow events.php to manage /home/rocketgit/.ssh
userdom_manage_user_home_content(rocketgit_t)
# PHP reads /proc/meminfo (and probably other /proc files). This interface
# grants read of kernel/system state broadly, which is more than that one
# file needs; a narrower interface would shrink the surface. TODO
kernel_read_system_state(rocketgit_t)
dev_read_urand(rocketgit_t)
# rocketgit_t needs to execute flock. application_exec_all lets it execute
# every application exec type, not just flock - a compromised PHP process
# could therefore launch any such binary. Narrowing to the specific exec
# type(s) actually needed would reduce that. TODO
application_exec_all(rocketgit_t)
# TCP for webhooks. Outbound connect to any port is what a webhook client
# needs; bind_all_ports/bind_all_nodes additionally let rocketgit_t listen
# on any address:port (used by the builder - see the accept/listen rule at
# the end of the file). Restricting the bind side to the port(s) the
# builder really uses would tighten this. TODO
corenet_tcp_connect_all_ports(rocketgit_t)
corenet_tcp_bind_all_ports(rocketgit_t)
corenet_tcp_bind_all_nodes(rocketgit_t)
# Earlier raw rules, superseded by the corenet_* interfaces above; inactive.
###allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt listen accept };
###allow rocketgit_t unreserved_port_t:tcp_socket { name_bind getopt setopt };
###allow rocketgit_t node_t:tcp_socket node_bind;
sysnet_dns_name_resolve(rocketgit_t)
# Contacting systemd's notify socket was once needed:
# type=AVC msg=audit(1485816659.452:676453): avc: denied { sendto } for pid=26711 comm="php-fpm" path="/run/systemd/notify" scontext=system_u:system_r:rocketgit_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
# The interface is currently disabled (commented out); re-enable only if
# the denial recurs with a real functional impact.
###kernel_dgram_send(rocketgit_t)
# Writing the php-fpm pid socket - also currently disabled.
###init_write_pid_socket(rocketgit_t)
# Basic network configuration access (/etc/resolv.conf, /etc/hosts, ...).
sysnet_read_config(rocketgit_t)
# NOTE(review): this duplicates the sysnet_dns_name_resolve() call above;
# the repeated expansion is redundant and one of the two could be dropped.
sysnet_dns_name_resolve(rocketgit_t)
# Reading /etc/passwd, probably to map file owners to names.
auth_read_passwd(rocketgit_t)
# PHP code and web root (read + execute + list; no write from rocketgit_t).
type rocketgit_usr_t;
files_type(rocketgit_usr_t)
read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
# Log files; new files created under the log directory get rocketgit_log_t.
type rocketgit_log_t;
files_type(rocketgit_log_t)
manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
# Content (repositories). admin_pattern grants full management, including
# relabel; files and directories created inside keep rocketgit_var_t.
type rocketgit_var_t;
files_type(rocketgit_var_t)
admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
# git mmaps repository files (config, packs):
# type=AVC msg=audit(1572467033.466:1637): avc: denied { map } for pid=2648 comm="git" path="/var/lib/rocketgit/repos/by_id/00/00/00/01/00000001/repos/by_id/1.git.tmp/config" dev="sda3" ino=8437796 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rocketgit_var_t:s0 tclass=file permissive=1
allow rocketgit_t rocketgit_var_t:file map;
# Unix sockets (e.g. cache.sock).
type rocketgit_socket_t;
files_type(rocketgit_socket_t)
manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t)
filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file)
# Lock files.
type rocketgit_lock_t;
files_lock_file(rocketgit_lock_t)
manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t)
filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file)
# Configuration (/etc/rocketgit): read-only for rocketgit_t.
type rocketgit_conf_t;
files_type(rocketgit_conf_t)
read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t)
filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file)
# PHP mmaps config.php:
# Nov 27 21:58:01 r1 audit[7494]: AVC avc: denied { map } for pid=7494 comm="php" path="/etc/rocketgit/config.php" dev="dm-3" ino=919635 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rocketgit_conf_t:s0 tclass=file permissive=1
allow rocketgit_t rocketgit_conf_t:file map;
# Permit PHP to use the nscd socket (optional: nscd policy may be absent).
optional_policy(`
nscd_socket_use(rocketgit_t)
')
# Database: PostgreSQL over TCP and over its unix socket.
postgresql_tcp_connect(rocketgit_t)
postgresql_stream_connect(rocketgit_t)
# Outgoing mail via the system MTA.
mta_send_mail(rocketgit_t)
# Self access: connect to its own unix stream sockets, change own scheduling.
allow rocketgit_t self:unix_stream_socket { connectto };
allow rocketgit_t self:process { setsched };
# PHP needs getattr to /var/lib
files_getattr_var_lib_dirs(rocketgit_t)
# Log and lock file descriptors are leaked into the mailer (system_mail_t)
# when mail is sent. dontaudit does NOT grant access: it only suppresses the
# AVC denial messages, so the mailer still cannot use those descriptors.
# The proper fix is to close them before exec. TODO
# system_mail_t is not in the gen_require block above - presumably supplied
# via @@EXTRA_GEN_REQUIRE@@ or the mta interfaces; confirm.
dontaudit system_mail_t rocketgit_lock_t:file { read write };
dontaudit system_mail_t rocketgit_log_t:file append;
dontaudit system_mail_t rocketgit_usr_t:file read;
# php-opcache needs write access to /tmp. These are raw rules on tmp_t (not
# in gen_require above - confirm it is pulled in). No file transition is set
# up here, so files created keep the generic tmp_t label and are visible to
# every other domain that can use tmp_t; a private tmp type would isolate
# them. TODO
allow rocketgit_t tmp_t:dir { write remove_name add_name };
allow rocketgit_t tmp_t:file { write open create unlink setattr };
# rg_authorize
# type=AVC msg=audit(1572449949.165:1342): avc: denied { dac_override } for pid=2362 comm="rg_authorize" capability=1 scontext=unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 tclass=process permissive=0
# The denial above was for dac_override, but only the narrower
# dac_read_search is granted: it bypasses read/search permission checks,
# not write. Keep it this narrow unless a real operation is blocked.
allow rocketgit_t self:capability dac_read_search;
# rg_authorize inherits the user's pty from sshd.
userdom_use_inherited_user_ptys(rocketgit_t)
# type=AVC msg=audit(1572456007.875:3536): avc: denied { getattr } for pid=4623 comm="rg_authorize" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
userdom_getattr_user_terminals(rocketgit_t)
# Locale data.
miscfiles_read_localization(rocketgit_t)
# PHP lists /tmp:
# type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
files_list_tmp(rocketgit_t)
# Hugetlbfs (for opcache): read/write and execute of hugetlbfs-backed files.
fs_rw_hugetlbfs_files(rocketgit_t)
fs_exec_hugetlbfs_files(rocketgit_t)
# worker.sh runs in its own domain, rocketgit_worker_t. When the unconfined
# policy is present the domain is made unconfined, i.e. effectively not
# confined at all. This is the highest-privilege part of the module; a
# dedicated, tighter policy for the worker would reduce the blast radius of
# a compromised worker. TODO
type rocketgit_worker_t;
domain_type(rocketgit_worker_t)
optional_policy(`
unconfined_domain(rocketgit_worker_t)
')
role unconfined_r types rocketgit_worker_t;
type rocketgit_worker_exec_t;
domain_entry_file(rocketgit_worker_t, rocketgit_worker_exec_t)
# When cron executes rocketgit_worker_exec_t, we transition to rocketgit_worker_t
cron_system_entry(rocketgit_worker_t, rocketgit_worker_exec_t)
# Inactive rules left over from earlier experiments; none is in effect.
# Delete or document each before re-enabling - several (setuid/setgid
# capability, fixed-disk and isid-type management, virt_admin, mount) would
# be large privilege grants to rocketgit_t.
#allow rocketgit_t fs_t:filesystem { getattr mount unmount };
#allow rocketgit_t rocketgit_var_t:dir mounton;
#allow rocketgit_t self:capability { setgid setuid };
#dev_list_sysfs(rocketgit_t)
#dev_read_sysfs(rocketgit_t)
#dev_read_rand(rocketgit_t)
#dev_rw_loop_control(rocketgit_t)
#kernel_setsched(rocketgit_t)
#kernel_read_network_state(rocketgit_t)
#virt_admin(rocketgit_t, unconfined_r)
#mount_rw_pid_files(rocketgit_t)
#storage_manage_fixed_disk(rocketgit_t)
#files_manage_isid_type_dirs(rocketgit_t)
#files_manage_isid_type_files(rocketgit_t)
#files_manage_isid_type_symlinks(rocketgit_t)
#userdom_read_admin_home_files(rocketgit_t)
#miscfiles_read_hwdata(rocketgit_t)
# systemd unit file label.
type rocketgit_unit_file_t;
systemd_unit_file(rocketgit_unit_file_t)
# php-fpm stuff. php-fpm keeps running as httpd_t (no transition), so it is
# granted direct access to RocketGit content with raw allow rules. Note that
# none of these rules grant execute on the content types.
# allow writing to log files
allow httpd_t rocketgit_log_t:file { append create getattr open setattr };
allow httpd_t rocketgit_log_t:dir { add_name write };
# allow using the cache.sock etc.
allow httpd_t rocketgit_socket_t:sock_file write;
# allow reading /etc/rocketgit/php-fpm.conf
allow httpd_t rocketgit_conf_t:file { getattr open read map };
# allow dealing with repos: httpd_t can create/remove/rename repository
# files and directories directly (no separate repo-writer domain).
allow httpd_t rocketgit_var_t:dir { add_name create read remove_name rmdir write };
# map is for pack
allow httpd_t rocketgit_var_t:file { map append create getattr link open read rename setattr unlink write };
allow httpd_t rocketgit_var_t:lnk_file { getattr read };
# allow git-receive-pack to execute hooks
# NOTE(review): only getattr/ioctl/open/read/map are granted here, no
# execute; if hooks are run via execve the execute permission must come
# from elsewhere - confirm.
allow httpd_t rocketgit_exec_t:file { getattr ioctl open read map };
# allow reading /usr/share/rocketgit/{inc,root} files
allow httpd_t rocketgit_usr_t:file { getattr open read map };
# allow connecting to rocketgit_t domain
allow httpd_t rocketgit_t:unix_stream_socket connectto;
# Do not pollute the logs! execmem is silenced, not granted: a request for
# executable anonymous memory still fails, just without an AVC record.
# Keep this as dontaudit unless a real failure appears; execmem is a
# permission that weakens W^X for the whole domain.
dontaudit rocketgit_t self:process { execmem };
# builder: accept incoming connections on the socket bound via the
# corenet_tcp_bind_* rules above.
allow rocketgit_t self:tcp_socket { accept listen };