
# SELinux policy module for RocketGit (refpolicy style, processed by m4).
# This file is a template: the @@EXTRA_GEN_REQUIRE@@ marker in the gen_require
# block below is presumably replaced at build time with additional
# requirements - confirm against the build scripts.
# Domains declared here:
#   rocketgit_t        - entered from cron, inetd and ssh (unconfined_t) via
#                        rocketgit_exec_t; the PHP/shell side of the application
#   rocketgit_worker_t - worker.sh, entered from cron via rocketgit_worker_exec_t;
#                        currently made unconfined (see the end of this file)
# The web server domain httpd_t (php-fpm) is also granted access to several of
# the file types declared below, so both domains must be reviewed together.
policy_module(rocketgit,1.0.112)

########################################
#
# Declarations
#

gen_require(`
	# really needed httpd_log_t? - yes, it is used below for the
	# /var/log/rocketgit-web rules on httpd_log_t:dir and :file
	type httpd_t;
	type httpd_log_t;
	# httpd_unit_file_t is not referenced anywhere in this file; possibly used
	# via the extra requirements below or a leftover - TODO confirm
	type httpd_unit_file_t;
	# system_mail_t is the target of the dontaudit rules for leaked fds
	type system_mail_t;
	# unconfined_t / unconfined_r: ssh sessions that transition into rocketgit_t
	type unconfined_t;
	role unconfined_r;
	# fs_t is only referenced by the commented-out worker.sh rules at the end
	type fs_t;
	# next are for worker.sh
	#class dir mounton;
	#class filesystem { getattr mount unmount };
	#class capability { setgid setuid sys_admin };

	# build-time placeholder for additional type/class requirements
	@@EXTRA_GEN_REQUIRE@@
')

# Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \
# security_compute_sid:  invalid context \
# unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \
# scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
# tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
# (a role must be authorized for a type before a transition into that type
# from a process running in that role can produce a valid context)
role unconfined_r types rocketgit_t;

type rocketgit_t;
domain_type(rocketgit_t)

# Generates the httpd_rocketgit_* content types and the matching httpd rules
apache_content_template(rocketgit)
# Allow crons to search in /var/lib - not clear why
files_search_var_lib(rocketgit_t)

# Allow rocketgit_t to manage .ssh/authorized_keys
ssh_manage_home_files(rocketgit_t)

# Allow apache to write authorized_keys[.tmp] file(s)
# NOTE(review): user_home_dir_t is the generic home directory type, so these
# two rules let the web server domain create/write files directly in any user
# home directory and manage home directories in general; nothing here scopes
# them to the rocketgit account. A dedicated type for the rocketgit home
# directory (plus a filetrans rule) would confine this to what is needed.
allow httpd_t user_home_dir_t:file { create getattr open rename setattr write };
userdom_manage_user_home_dirs(httpd_t)

type rocketgit_exec_t;
# Marks rocketgit_exec_t as an entry point of rocketgit_t. This alone does not
# create any transition: each calling domain still needs its own transition
# rule (cron_system_entry, inetd_tcp_service_domain and domain_auto_trans
# below), which is why the three following rules are all required.
domain_entry_file(rocketgit_t, rocketgit_exec_t)

# When cron executes rocketgit_exec_t, we transition to rocketgit_t
cron_system_entry(rocketgit_t, rocketgit_exec_t)

# When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t
# is not enough. Why?! - because domain_entry_file only marks the executable;
# the transition from inetd_t itself is provided by this interface.
optional_policy(`
	inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t)
')

# Force ssh to transition to rocketgit_t
# (the source domain is unconfined_t, so any unconfined_t process executing a
# rocketgit_exec_t file transitions, not only processes started by sshd)
domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)

# Allow events.php to manage /home/rocketgit/.ssh
userdom_manage_user_home_content(rocketgit_t)

# Allow PHP to read /proc/meminfo, probably other files
# Seems a little bit too much. TODO
# (this exposes system-wide /proc state, not just meminfo)
kernel_read_system_state(rocketgit_t)

dev_read_urand(rocketgit_t)

# Allow rocketgit_t to execute flock.
# Seems a little bit too much to allow all execution. TODO
# NOTE(review): corecmd_exec_bin(rocketgit_t) is likely sufficient for
# /usr/bin/flock and is much narrower than application_exec_all - verify where
# flock lives on the target distribution before switching.
application_exec_all(rocketgit_t)

# Allow rocketgit_t to use tcp sockets (webhooks)
# NOTE(review): connecting to all ports is what outbound webhooks need, but
# binding to all ports and all nodes is broader than the single listener seen
# in the builder.php audit lines below (lport=65000). Binding could be limited
# to unreserved ports (corenet_tcp_bind_all_unreserved_ports) or to a dedicated
# port type - TODO.
corenet_tcp_connect_all_ports(rocketgit_t)
corenet_tcp_bind_all_ports(rocketgit_t)
corenet_tcp_bind_all_nodes(rocketgit_t)
###allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt listen accept };
###allow rocketgit_t unreserved_port_t:tcp_socket { name_bind getopt setopt };
###allow rocketgit_t node_t:tcp_socket node_bind;
sysnet_dns_name_resolve(rocketgit_t)

# builder.php:
#type=AVC msg=audit(1467841975.578:232307): avc:  denied  { listen } for  pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
#type=AVC msg=audit(1467841975.808:232308): avc:  denied  { dac_override } for  pid=21319 comm="php" capability=1  scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
#type=AVC msg=audit(1467841975.809:232309): avc:  denied  { fowner } for  pid=21319 comm="php" capability=3  scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
#type=AVC msg=audit(1467841975.809:232310): avc:  denied  { fsetid } for  pid=21319 comm="php" capability=4  scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
#type=AVC msg=audit(1467841975.949:232311): avc:  denied  { accept } for  pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
# Capabilities granted below: dac_override bypasses DAC file permission checks
# entirely, fowner/fsetid relax ownership and set-id checks. They come from the
# php denials above (capability=1/3/4), presumably for chown/chmod on
# repository files. Worth checking whether running that code as the rocketgit
# user instead of root removes the need for dac_override - TODO.
allow rocketgit_t self:capability { dac_override fowner fsetid };
allow rocketgit_t self:tcp_socket { accept listen };

# Allow basic access to net
sysnet_read_config(rocketgit_t)
# (duplicate of the sysnet_dns_name_resolve call above; harmless)
sysnet_dns_name_resolve(rocketgit_t)

# Probably to list owner of files
auth_read_passwd(rocketgit_t)


# php files
# rocketgit_t may read/exec/list them; httpd_t (php-fpm) may only read.
type rocketgit_usr_t;
files_type(rocketgit_usr_t)
read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t)


# log files
type rocketgit_log_t;
files_type(rocketgit_log_t)
manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
# Allow httpd(php-fpm) to create log files - note that it will run as
# 'rocketgit' user.
manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)
# files created by rocketgit_t in the system log directory get rocketgit_log_t
logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
# below line tries to allow httpd to create err-* files in /var/log/rocketgit-web
#filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file)
# allow rocketgit_t access to /var/log/rocketgit-web. Why?
# Some of rights are needed because cron as apache is deleting log files in
# /var/log/rocketgit-web.
# NOTE(review): httpd_log_t covers all web server logs, not only this
# directory; a separate type for /var/log/rocketgit-web would narrow this.
allow rocketgit_t httpd_log_t:dir { search write add_name remove_name getattr read open };
allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append };


# content (repos)
# rocketgit_t gets full management (admin_pattern includes relabel); httpd_t
# is read/list only.
type rocketgit_var_t;
files_type(rocketgit_var_t)
admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)


# sockets
type rocketgit_socket_t;
files_type(rocketgit_socket_t)
manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t)
filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file)
rw_sock_files_pattern(httpd_t, rocketgit_socket_t, rocketgit_socket_t)
# Allow httpd to connect to _domain_ rocketgit_t for event.sock
# (connectto is checked against the domain of the listening process, so the
# rw_sock_files rule above is not enough by itself)
allow httpd_t rocketgit_t:unix_stream_socket connectto;


# locks
type rocketgit_lock_t;
files_lock_file(rocketgit_lock_t)
manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t)
filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file)
# we need php-fpm to be able to take locks
manage_files_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t)
filetrans_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t, file)


# conf
# read-only for both domains; the filetrans only labels files rocketgit_t
# creates in a rocketgit_conf_t directory
type rocketgit_conf_t;
files_type(rocketgit_conf_t)
read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t)
filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file)
read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t)


# Permit PHP to use nscd socket
optional_policy(`
	nscd_socket_use(rocketgit_t)
')

# Allow connection to database (both TCP and unix socket)
postgresql_tcp_connect(rocketgit_t)
postgresql_stream_connect(rocketgit_t)

# mail
# (sendmail runs as system_mail_t; see the dontaudit rules below)
mta_send_mail(rocketgit_t)

# self
allow rocketgit_t self:unix_stream_socket { connectto };
allow rocketgit_t self:process { setsched };

# PHP needs getattr to /var/lib
files_getattr_var_lib_dirs(rocketgit_t)

# We leak log and lock fds (presumably into system_mail_t when sending mail),
# ignore for now. TODO
# Note: dontaudit does NOT grant access. It only suppresses the AVC denial
# log entry; the access itself stays denied. The real fix is to close the
# descriptors (or mark them close-on-exec) before executing sendmail rather
# than widening the policy.
dontaudit system_mail_t rocketgit_lock_t:file { read write };
dontaudit system_mail_t rocketgit_log_t:file append;
dontaudit system_mail_t rocketgit_usr_t:file read;

# Seems that the opcode cache (php-opcache) needs write access to /tmp
# NOTE(review): these rules use the shared tmp_t type directly, so rocketgit_t
# may write/unlink any tmp_t file, not only its own. A private tmp type with
# files_tmp_filetrans(rocketgit_t, <private tmp type>, { file dir }) would be
# tighter. Also note that these two rules grant no read/getattr on tmp_t files.
allow rocketgit_t tmp_t:dir { write remove_name add_name };
allow rocketgit_t tmp_t:file { write open create unlink setattr };

# Locale
miscfiles_read_localization(rocketgit_t)

# Because cron.sh/apache:
# type=AVC msg=audit(1461432301.793:1002): avc:  denied  { getattr } for  pid=3503 comm="cron.sh" path="/var/www" dev="dm-0" ino=143915 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
apache_search_sys_content(rocketgit_t)

# type=AVC msg=audit(1461494910.399:8020179): avc:  denied  { read } for  pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
files_list_tmp(rocketgit_t)

# worker.sh needs some rights
# NOTE(review): unconfined_domain() makes rocketgit_worker_t effectively
# unconfined, so worker.sh runs with essentially no SELinux restrictions; the
# commented-out rules at the end of this file look like an earlier attempt at
# a confined policy for it - TODO revisit. The cron transition below at least
# keeps the worker under a distinct label for auditing.
type rocketgit_worker_t;
domain_type(rocketgit_worker_t)
optional_policy(`
	unconfined_domain(rocketgit_worker_t)
')
role unconfined_r types rocketgit_worker_t;
type rocketgit_worker_exec_t;
domain_entry_file(rocketgit_worker_t, rocketgit_worker_exec_t)
# When cron executes rocketgit_worker_exec_t, we transition to rocketgit_worker_t
cron_system_entry(rocketgit_worker_t, rocketgit_worker_exec_t)
# Commented out - not in effect; presumably rules tried while confining
# worker.sh (note they target rocketgit_t, not rocketgit_worker_t).
#allow rocketgit_t fs_t:filesystem { getattr mount unmount };
#allow rocketgit_t rocketgit_var_t:dir mounton;
#allow rocketgit_t self:capability { setgid setuid };
#dev_list_sysfs(rocketgit_t)
#dev_read_sysfs(rocketgit_t)
#dev_read_rand(rocketgit_t)
#dev_rw_loop_control(rocketgit_t)
#kernel_setsched(rocketgit_t)
#kernel_read_network_state(rocketgit_t)
#virt_admin(rocketgit_t, unconfined_r)
#mount_rw_pid_files(rocketgit_t)
#storage_manage_fixed_disk(rocketgit_t)
#files_manage_isid_type_dirs(rocketgit_t)
#files_manage_isid_type_files(rocketgit_t)
#files_manage_isid_type_symlinks(rocketgit_t)
#userdom_read_admin_home_files(rocketgit_t)
#miscfiles_read_hwdata(rocketgit_t)
