policy_module(rocketgit,1.0.93) ######################################## # # Declarations # gen_require(` # really needed httpd_log_t? type httpd_t; type httpd_log_t; type system_mail_t; type unconfined_t; role unconfined_r; @@EXTRA_GEN_REQUIRE@@ ') # Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \ # security_compute_sid: invalid context \ # unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \ # scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \ # tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process role unconfined_r types rocketgit_t; type rocketgit_t; domain_type(rocketgit_t) apache_content_template(rocketgit) # Allow crons to search in /var/lib - not clear why files_search_var_lib(rocketgit_t) # Allow rocketgit_t to manage .ssh/authorized_keys ssh_manage_home_files(rocketgit_t) type rocketgit_exec_t; domain_entry_file(rocketgit_t, rocketgit_exec_t) # When cron executes rocketgit_exec_t, we transition to rocketgit_t cron_system_entry(rocketgit_t, rocketgit_exec_t) # When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t # is not enough. Why?! optional_policy(` inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t) ') # Force ssh to transition to rocketgit_t domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t) # Allow events.php to manage /home/rocketgit/.ssh userdom_manage_user_home_content(rocketgit_t) # Allow PHP to read /proc/meminfo, probably other files # Seems a little bit too much. TODO kernel_read_system_state(rocketgit_t) dev_read_urand(rocketgit_t) # Allow rocketgit_t to execute flock. # Seems a little bit too much to allow all execution. TODO application_exec_all(rocketgit_t) # Allow rocketgit_t to use tcp sockets (webhooks) corenet_tcp_connect_all_ports(rocketgit_t) corenet_tcp_bind_all_ports(rocketgit_t) corenet_tcp_bind_all_nodes(rocketgit_t) ###allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt listen accept }; ###allow rocketgit_t unreserved_port_t:tcp_socket { name_bind getopt setopt }; ###allow rocketgit_t node_t:tcp_socket node_bind; sysnet_dns_name_resolve(rocketgit_t) # Allow basic access to net sysnet_read_config(rocketgit_t) sysnet_dns_name_resolve(rocketgit_t) # Probably to list owner of files auth_read_passwd(rocketgit_t) # php files type rocketgit_usr_t; files_type(rocketgit_usr_t) read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t) # log files type rocketgit_log_t; files_type(rocketgit_log_t) manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t) logging_log_filetrans(rocketgit_t, rocketgit_log_t, file) # below line tries to allow httpd to create err-* files in /var/log/rocketgit-web #filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file) # allow rocketgit_t access to /var/log/rocketgit-web. Why? # Some of rights are needed because cron as apache is deleting log files in # /var/log/rocketgit-web. allow rocketgit_t httpd_log_t:dir { search write add_name remove_name getattr read open }; allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append }; # content (repos) type rocketgit_var_t; files_type(rocketgit_var_t) admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t) filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir }) read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t) list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t) # sockets type rocketgit_socket_t; files_type(rocketgit_socket_t) manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t) filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file) rw_sock_files_pattern(httpd_t, rocketgit_socket_t, rocketgit_socket_t) # Allow httpd to connect to _domain_ rocketgit_t for event.sock allow httpd_t rocketgit_t:unix_stream_socket connectto; # locks type rocketgit_lock_t; files_lock_file(rocketgit_lock_t) manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t) #read_files_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t) filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file) # conf type rocketgit_conf_t; files_type(rocketgit_conf_t) read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t) filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file) read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t) # Permit PHP to use nscd socket optional_policy(` nscd_socket_use(rocketgit_t) ') # Allow connection to database postgresql_tcp_connect(rocketgit_t) postgresql_stream_connect(rocketgit_t) # mail mta_send_mail(rocketgit_t) # self allow rocketgit_t self:unix_stream_socket { connectto }; allow rocketgit_t self:process { setsched }; # PHP needs getattr to /var/lib files_getattr_var_lib_dirs(rocketgit_t) # We leak log and lock fds, ignore for now - not clear if 'dontaudit' = allow! TODO dontaudit system_mail_t rocketgit_lock_t:file { read write }; dontaudit system_mail_t rocketgit_log_t:file append; dontaudit system_mail_t rocketgit_usr_t:file read; # Seems that the opcode cache (php-opcache) needs write access to /tmp allow rocketgit_t tmp_t:dir { write remove_name add_name }; allow rocketgit_t tmp_t:file { write open create unlink setattr }; # Locale miscfiles_read_localization(rocketgit_t) # Because cron.sh/apache: # type=AVC msg=audit(1461432301.793:1002): avc: denied { getattr } for pid=3503 comm="cron.sh" path="/var/www" dev="dm-0" ino=143915 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir apache_search_sys_content(rocketgit_t) # type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 files_list_tmp(rocketgit_t)