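policy_module(rocketgit,1.0.156)

gen_require(`
	type httpd_t;
	type httpd_exec_t;
	type unconfined_t;
	role unconfined_r;
	type fs_t;
	type sshd_t;
	class capability dac_read_search;
	class file map;

	@@EXTRA_GEN_REQUIRE@@
')
# NOTE(review): tmp_t and system_mail_t are referenced below (opcache /tmp
# rules, fd-leak dontaudits) but are not listed in this gen_require. Presumably
# the @@EXTRA_GEN_REQUIRE@@ placeholder supplies them at build time - confirm,
# since an out-of-scope type would fail the module build.

# Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \
# security_compute_sid:  invalid context \
# unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \
# scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
# tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
role unconfined_r types rocketgit_t;

type rocketgit_t;
domain_type(rocketgit_t)

# Allow crons to search in /var/lib - not clear why
files_search_var_lib(rocketgit_t)

# Allow rocketgit_t to manage .ssh/authorized_keys
ssh_manage_home_files(rocketgit_t)

type rocketgit_exec_t;
domain_entry_file(rocketgit_t, rocketgit_exec_t)

# When cron executes rocketgit_exec_t, we transition to rocketgit_t
cron_system_entry(rocketgit_t, rocketgit_exec_t)

# When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t
# is not enough. Why?!
optional_policy(`
	inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t)
')

# Force the transition to rocketgit_t both for interactive (unconfined_t) runs
# and for the sshd_t forced-command path.
domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)
domain_auto_trans(sshd_t, rocketgit_exec_t, rocketgit_t)
# Allow rocketgit_t to send sigchld to sshd, else:
# type=AVC msg=audit(1478322111.327:1158923): avc:  denied  { sigchld } for  pid=24506 comm="sshd" scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
# Not sure if this is the best way.
allow rocketgit_t sshd_t:process sigchld;

# Allow events.php to manage /home/rocketgit/.ssh
userdom_manage_user_home_content(rocketgit_t)

# Allow PHP to read /proc/meminfo, probably other files
# Seems a little bit too much. TODO
kernel_read_system_state(rocketgit_t)

dev_read_urand(rocketgit_t)

# Allow rocketgit_t to execute flock.
# Seems a little bit too much to allow all execution. TODO
# flock normally lives in /usr/bin (bin_t on common distributions), so
# corecmd_exec_bin(rocketgit_t) is probably enough - not verified here.
application_exec_all(rocketgit_t)

# Allow rocketgit_t to use tcp sockets (webhooks)
# NOTE(review): webhooks only need outbound connects; bind_all_ports /
# bind_all_nodes exist for the listener granted in the "builder" section at
# the end of this file. If that listener uses a fixed port, a dedicated port
# type would be tighter than binding to every port on every node.
corenet_tcp_connect_all_ports(rocketgit_t)
corenet_tcp_bind_all_ports(rocketgit_t)
corenet_tcp_bind_all_nodes(rocketgit_t)
###allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt listen accept };
###allow rocketgit_t unreserved_port_t:tcp_socket { name_bind getopt setopt };
###allow rocketgit_t node_t:tcp_socket node_bind;


# Allow contacting systemd
# type=AVC msg=audit(1485816659.452:676453): avc:  denied  { sendto } for  pid=26711 comm="php-fpm" path="/run/systemd/notify" scontext=system_u:system_r:rocketgit_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
###kernel_dgram_send(rocketgit_t)

# Allow php-fpm to write its pid
###init_write_pid_socket(rocketgit_t)

# Allow basic access to net (DNS resolution is also what the webhooks need;
# the duplicate sysnet_dns_name_resolve() call was folded into this one)
sysnet_read_config(rocketgit_t)
sysnet_dns_name_resolve(rocketgit_t)

# Probably to list owner of files
auth_read_passwd(rocketgit_t)


# php files
type rocketgit_usr_t;
files_type(rocketgit_usr_t)
read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)


# log files
type rocketgit_log_t;
files_type(rocketgit_log_t)
manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)


# content (repos)
type rocketgit_var_t;
files_type(rocketgit_var_t)
admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
# type=AVC msg=audit(1572467033.466:1637): avc:  denied  { map } for  pid=2648 comm="git" path="/var/lib/rocketgit/repos/by_id/00/00/00/01/00000001/repos/by_id/1.git.tmp/config" dev="sda3" ino=8437796 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rocketgit_var_t:s0 tclass=file permissive=1
allow rocketgit_t rocketgit_var_t:file map;


# sockets
type rocketgit_socket_t;
files_type(rocketgit_socket_t)
manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t)
filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file)


# locks
type rocketgit_lock_t;
files_lock_file(rocketgit_lock_t)
manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t)
filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file)


# conf
type rocketgit_conf_t;
files_type(rocketgit_conf_t)
read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t)
filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file)
# Nov 27 21:58:01 r1 audit[7494]: AVC avc:  denied  { map } for  pid=7494 comm="php" path="/etc/rocketgit/config.php" dev="dm-3" ino=919635 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rocketgit_conf_t:s0 tclass=file permissive=1
allow rocketgit_t rocketgit_conf_t:file map;


# Permit PHP to use nscd socket
optional_policy(`
	nscd_socket_use(rocketgit_t)
')

# Allow connection to database
postgresql_tcp_connect(rocketgit_t)
postgresql_stream_connect(rocketgit_t)

# mail
mta_send_mail(rocketgit_t)

# self
allow rocketgit_t self:unix_stream_socket { connectto };
allow rocketgit_t self:process { setsched };

# PHP needs getattr to /var/lib
files_getattr_var_lib_dirs(rocketgit_t)

# The log, lock and usr fds leak into the mailer (system_mail_t), presumably
# because they are not opened close-on-exec. dontaudit does NOT grant access:
# the accesses stay denied, only the AVC messages are suppressed. That is the
# right choice here (the mailer has no business in our logs/locks); the real
# fix is to mark those fds FD_CLOEXEC in the PHP code before spawning
# sendmail. TODO
dontaudit system_mail_t rocketgit_lock_t:file { read write };
dontaudit system_mail_t rocketgit_log_t:file append;
dontaudit system_mail_t rocketgit_usr_t:file read;

# Seems that the opcode cache (php-opcache) needs write access to /tmp
# NOTE(review): these rules target the generic tmp_t type, so rocketgit_t may
# create, write and unlink ANY tmp_t file, not only its own. A private type
# (type rocketgit_tmp_t; files_tmp_file(rocketgit_tmp_t);
# files_tmp_filetrans(rocketgit_t, rocketgit_tmp_t, file)) would scope this,
# but could break if php-fpm (httpd_t) shares the same cache files - verify
# before switching.
allow rocketgit_t tmp_t:dir { write remove_name add_name };
allow rocketgit_t tmp_t:file { write open create unlink setattr };

# rg_authorize
# type=AVC msg=audit(1572449949.165:1342): avc:  denied  { dac_override } for  pid=2362 comm="rg_authorize" capability=1  scontext=unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=0
# The denial above names dac_override, but dac_read_search is granted on
# purpose: it is the narrower capability (bypass DAC for read/search only,
# never for write). If a later denial still reports dac_override, check
# whether the access was a write before widening this to dac_override.
allow rocketgit_t self:capability dac_read_search;
userdom_use_inherited_user_ptys(rocketgit_t)
# type=AVC msg=audit(1572456007.875:3536): avc:  denied  { getattr } for  pid=4623 comm="rg_authorize" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
userdom_getattr_user_terminals(rocketgit_t)

# Locale
miscfiles_read_localization(rocketgit_t)

# type=AVC msg=audit(1461494910.399:8020179): avc:  denied  { read } for  pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
files_list_tmp(rocketgit_t)

# Hugetlbfs (for opcache):
fs_rw_hugetlbfs_files(rocketgit_t)
fs_exec_hugetlbfs_files(rocketgit_t)

# worker.sh needs some rights
# NOTE(review): unconfined_domain() makes rocketgit_worker_t effectively
# unconfined - the separate domain only labels the process, SELinux does not
# contain it. Code execution inside worker.sh therefore gets everything an
# unconfined process gets; this domain deserves the same confinement effort
# as rocketgit_t once its real needs are known.
type rocketgit_worker_t;
domain_type(rocketgit_worker_t)
optional_policy(`
	unconfined_domain(rocketgit_worker_t)
')
role unconfined_r types rocketgit_worker_t;
type rocketgit_worker_exec_t;
domain_entry_file(rocketgit_worker_t, rocketgit_worker_exec_t)
# When cron executes rocketgit_worker_exec_t, we transition to rocketgit_worker_t
cron_system_entry(rocketgit_worker_t, rocketgit_worker_exec_t)
#allow rocketgit_t fs_t:filesystem { getattr mount unmount };
#allow rocketgit_t rocketgit_var_t:dir mounton;
#allow rocketgit_t self:capability { setgid setuid };
#dev_list_sysfs(rocketgit_t)
#dev_read_sysfs(rocketgit_t)
#dev_read_rand(rocketgit_t)
#dev_rw_loop_control(rocketgit_t)
#kernel_setsched(rocketgit_t)
#kernel_read_network_state(rocketgit_t)
#virt_admin(rocketgit_t, unconfined_r)
#mount_rw_pid_files(rocketgit_t)
#storage_manage_fixed_disk(rocketgit_t)
#files_manage_isid_type_dirs(rocketgit_t)
#files_manage_isid_type_files(rocketgit_t)
#files_manage_isid_type_symlinks(rocketgit_t)
#userdom_read_admin_home_files(rocketgit_t)
#miscfiles_read_hwdata(rocketgit_t)

# Unit file
type rocketgit_unit_file_t;
systemd_unit_file(rocketgit_unit_file_t)


# php-fpm stuff
# NOTE(review): httpd_t is granted direct read/write/unlink access to the
# repositories (rocketgit_var_t) below, and the pre-receive AVC shows the hook
# already running as httpd_t, i.e. without a domain transition. A
# domain_auto_trans(httpd_t, rocketgit_exec_t, rocketgit_t) would run hooks
# confined as rocketgit_t instead; untested here, so the rules are left as-is.
# allow writing to log files
allow httpd_t rocketgit_log_t:file { append create getattr open setattr };
allow httpd_t rocketgit_log_t:dir { add_name write };
# allow using the cache.sock etc.
allow httpd_t rocketgit_socket_t:sock_file write;
# allow reading /etc/rocketgit/php-fpm.conf
allow httpd_t rocketgit_conf_t:file { getattr open read map };
# allow dealing with repos
allow httpd_t rocketgit_var_t:dir { add_name create read remove_name rmdir write };
# map is for pack
allow httpd_t rocketgit_var_t:file { map append create getattr link open read rename setattr unlink write };
allow httpd_t rocketgit_var_t:lnk_file { getattr read };
# allow git-receive-pack to execute hooks
# type=AVC msg=audit(1592285165.827:12812292): avc:  denied  { map } for  pid=3354870 comm="pre-receive" path="/usr/share/rocketgit/hooks/pre-receive" dev="dm-0" ino=1443447 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=file permissive=1
allow httpd_t rocketgit_exec_t:file { getattr ioctl open read map };
# allow reading /usr/share/rocketgit/{inc,root} files
allow httpd_t rocketgit_usr_t:file { getattr open read map };
# allow connecting to rocketgit_t domain
allow httpd_t rocketgit_t:unix_stream_socket connectto;


# Do not pollute the logs! (dontaudit only silences the denial; execmem is
# still refused, which is what we want for a PHP worker.)
dontaudit rocketgit_t self:process { execmem };


# builder
allow rocketgit_t self:tcp_socket { accept listen };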