diff --git a/sec-policy/selinux-gitea/Manifest b/sec-policy/selinux-gitea/Manifest
new file mode 100644
index 0000000..788009a
--- /dev/null
+++ b/sec-policy/selinux-gitea/Manifest
@@ -0,0 +1,6 @@
+AUX gitea.fc 1111 BLAKE2B 9a994a212aaf8272d0ce8f8b59b48152737c9b4a2d3a6e3a52f60cc4d9ac7049187ec4f8f1feb5ed0469d1ed1dfda744c56a14eb7455a9de04a0ba7e41fc0005 SHA512 c4511f6d42b214741ac8981d457784b9707928cc42845685063f4a7d5fc46b4cdf08616cc9ddef123f3d853bf3becb08ce22f0397c9340459ae421d9ac20046e
+AUX gitea.if 5937 BLAKE2B 4534f09b6bdd5acbae675b2d75082a95ba1f3c5af6b1552f85552f892b2f170d8227a8fe7ae3fde9a4fe03130a0a05f839e05ff4b78d5f1fbbf80a20eb57b877 SHA512 732cb6b7de002561b673db25dd8034934b4d452ff6df1cd187051cf2f67de2d951ba4971557645b513bc39fdc7f7006d230edeaa525a9d4a7ffb226551eac66d
+AUX gitea.te 9636 BLAKE2B 976cf0df97326fae8c0ade0a99d73977b861987cd6e3e80d76120ed6ce2fc52c2483439e85a7c0a20189180a73dfe97942bd202ba00b8b3a62bba7ff68ce3b07 SHA512 d096b06c88a55b1ab73b114db4c3435b1717fdf5aaf7973467e79cc65c7ba88bd96e1271c9c2a036f561eaffda86e4a8bceb081f6d45a733f6dcf78b48f7f378
+DIST patchbundle-selinux-base-policy-2.20190201-r1.tar.bz2 426390 BLAKE2B 33e05e03e1e087f0bf460930f074108af5fa05688f7681ba3545530d21174be7d29e9035a7bc37e9acdbe3468680891f9865ad83188eb0f8fb9b9012252d6a1e SHA512 f2855a340f4ae7ba6c4cf0ec9445de7ca20f9fc0f11783992340ca2f073bbbf2d4999190f46f3910213dd1555e9578b3609284af6a7712b401053216c004ff7e
+DIST refpolicy-2.20190201.tar.bz2 552750 BLAKE2B d3cbdf5c5f8480cd36173d8cfbd2f55a6ad4a9f2176883dcc19eece6059114ca8700d07f8bd318d0430da253bb9e4e6a6e03f7a7db8a7964c95b00452aaab040 SHA512 c6568b679ad1a7c5c566b55291e86ce3784ee609c0091e5d465d41055724d950180780c7eedb3413351101b9182db51c7bce1816db1a9a17b3257861363efc6e
+EBUILD selinux-gitea-2.20190201-r1.ebuild 382 BLAKE2B af68863bf0e98adec89f7e5dea41dd4d81ea274a0c9f0fbd07f2c4c05ea59b4dbb8ff710862a45948810436b873b3410fa0c3b85a97b41731e7c5ac845a4cfc8 SHA512 b3e22f425b3b14b7667aa0bca51a4270b3b44c3acb7977725e6ab9c813892ba4f2af9a9d9dfe3788ce1c01e95dbacbf3d12a26a24c26d43db530b2c71c8724b7
diff --git a/sec-policy/selinux-gitea/files/gitea.fc b/sec-policy/selinux-gitea/files/gitea.fc
new file mode 100644
index 0000000..1a73f37
--- /dev/null
+++ b/sec-policy/selinux-gitea/files/gitea.fc
@@ -0,0 +1,25 @@
+/usr/bin/gitea -- gen_context(system_u:object_r:gitea_exec_t,s0)
+
+/etc/gitea(/.*)? gen_context(system_u:object_r:gitea_conf_t,s0)
+
+/var/lib/gitea(/.*)? gen_context(system_u:object_r:gitea_var_lib_t,s0)
+
+/var/lib/gitea/.gitconfig -- gen_context(system_u:object_r:gitea_repo_t,s0)
+
+/var/lib/gitea/conf(/.*)? gen_context(system_u:object_r:gitea_conf_t,s0)
+
+/var/lib/gitea/gitea-repositories gen_context(system_u:object_r:gitea_repo_home_t,s0)
+
+/var/lib/gitea/gitea-repositories/[^/]* gen_context(system_u:object_r:gitea_repo_owner_t,s0)
+
+/var/lib/gitea/gitea-repositories/.*/.*\.git(/.*)? gen_context(system_u:object_r:gitea_repo_t,s0)
+
+/var/lib/gitea/gitea-repositories/.*/.*\.git/objects(/.*)? gen_context(system_u:object_r:gitea_repo_obj_t,s0)
+
+/var/lib/gitea/gitea-repositories/.*/.*\.git/hooks(/.*)? gen_context(system_u:object_r:gitea_repo_script_exec_t,s0)
+
+/var/log/gitea(/.*)? gen_context(system_u:object_r:gitea_log_t,s0)
+
+/var/run/gitea(/.*)? gen_context(system_u:object_r:gitea_var_run_t,s0)
+
+/var/run/gitea.pid -- gen_context(system_u:object_r:gitea_var_run_t,s0)
diff --git a/sec-policy/selinux-gitea/files/gitea.if b/sec-policy/selinux-gitea/files/gitea.if
new file mode 100644
index 0000000..3c6a2dd
--- /dev/null
+++ b/sec-policy/selinux-gitea/files/gitea.if
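Review bot: `/var/lib/gitea/.gitconfig` is labeled `gitea_repo_t`, the same type as repository working trees, so any domain granted `gitea_manage_repo` (in this series that includes the repository hook-script domain) can also rewrite git's global configuration, a file that influences how git itself behaves. A separate type declared next to the others in gitea.te, or `gitea_conf_t`, would keep that file writable only by the daemon. Also, the `/var/lib/gitea/gitea-repositories/[^/]*` entry has no `-d` qualifier, so it applies to plain files directly under that directory as well; if only per-owner directories are expected there, `-d` narrows it.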
@@ -0,0 +1,308 @@
+
+## policy for gitea
+
+########################################
+##
+## Role access for gitea
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`gitea_role', `
+ gen_require(`
+ attribute_role gitea_roles;
+ type gitea_t, gitea_exec_t;
+ ')
+
+ roleattribute $1 gitea_roles;
+
+ domtrans_pattern($2, gitea_exec_t, gitea_t)
+')
+
+########################################
+##
+## Execute gitea_exec_t in the gitea domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gitea_domtrans',`
+ gen_require(`
+ type gitea_t, gitea_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gitea_exec_t, gitea_t)
+')
+
+######################################
+##
+## Execute gitea in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_exec',`
+ gen_require(`
+ type gitea_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gitea_exec_t)
+')
+
+########################################
+##
+## Read gitea's tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`gitea_read_tmp',`
+ gen_require(`
+ type gitea_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, gitea_tmp_t, gitea_tmp_t)
+')
+
+########################################
+##
+## Read gitea's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`gitea_read_log',`
+ gen_require(`
+ type gitea_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, gitea_log_t, gitea_log_t)
+')
+
+########################################
+##
+## Append to gitea log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_append_log',`
+ gen_require(`
+ type gitea_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, gitea_log_t, gitea_log_t)
+')
+
+########################################
+##
+## Manage gitea repo files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_manage_repo',`
+ gen_require(`
+ type gitea_repo_t;
+ ')
+
+ manage_dirs_pattern($1, gitea_repo_t, gitea_repo_t)
+ manage_files_pattern($1, gitea_repo_t, gitea_repo_t)
+ manage_lnk_files_pattern($1, gitea_repo_t, gitea_repo_t)
+')
+
+########################################
+##
+## Manage gitea log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_manage_log',`
+ gen_require(`
+ type gitea_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, gitea_log_t, gitea_log_t)
+ manage_files_pattern($1, gitea_log_t, gitea_log_t)
+ manage_lnk_files_pattern($1, gitea_log_t, gitea_log_t)
+')
+
+########################################
+##
+## Search gitea lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_search_lib',`
+ gen_require(`
+ type gitea_var_lib_t;
+ ')
+
+ allow $1 gitea_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read gitea lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_read_lib_files',`
+ gen_require(`
+ type gitea_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitea_var_lib_t, gitea_var_lib_t)
+')
+
+########################################
+##
+## Manage gitea lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_manage_lib_files',`
+ gen_require(`
+ type gitea_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitea_var_lib_t, gitea_var_lib_t)
+')
+
+########################################
+##
+## Manage gitea lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_manage_lib_dirs',`
+ gen_require(`
+ type gitea_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gitea_var_lib_t, gitea_var_lib_t)
+')
+
+########################################
+##
+## Read gitea PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitea_read_pid_files',`
+ gen_require(`
+ type gitea_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gitea_var_run_t, gitea_var_run_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an gitea environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`gitea_admin',`
+ gen_require(`
+ type gitea_t;
+ type gitea_log_t;
+ type gitea_var_lib_t;
+ type gitea_var_run_t;
+ ')
+
+ allow $1 gitea_t:process { signal_perms };
+ ps_process_pattern($1, gitea_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 gitea_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, gitea_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gitea_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gitea_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/sec-policy/selinux-gitea/files/gitea.te b/sec-policy/selinux-gitea/files/gitea.te
new file mode 100644
index 0000000..e276215
--- /dev/null
+++ b/sec-policy/selinux-gitea/files/gitea.te
@@ -0,0 +1,322 @@
+policy_module(gitea, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
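Review bot: `gitea_admin` documents a second parameter ("Role allowed access") but its body never references `$2`, so the role a caller passes is silently ignored; refpolicy admin interfaces typically use it for a `role_transition`/`allow $2 system_r` on an init-script type, which this module does not declare, so either add that or drop the parameter together with its doc block. The interface also wraps `admin_pattern` only around `gitea_log_t`, `gitea_var_lib_t` and `gitea_var_run_t`, leaving `gitea_conf_t`, `gitea_tmp_t` and the `gitea_repo_*`/`gitea_repo_script_exec_t` types untouched, so an admin domain cannot relabel or clean up repositories and configuration; add `admin_pattern($1, ...)` for the types admins are expected to handle and list them in `gen_require`. Finally, the summary reads "administrate an gitea environment"; "administer a gitea environment" is the usual wording.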

+## Allows gitea to write to home directories.
+##

+##
+gen_tunable(gitea_enable_homedirs, false)
+
+##
+##

+## Enable gitea built-in SSH server.
+##

+##
+gen_tunable(gitea_enable_ssh_server, false)
+
+type gitea_exec_t;
+corecmd_executable_file(gitea_exec_t)
+
+type gitea_t;
+init_daemon_domain(gitea_t, gitea_exec_t)
+userdom_user_application_domain(gitea_t, gitea_exec_t)
+
+attribute_role gitea_roles;
+role gitea_roles types gitea_t;
+
+type gitea_bin_t;
+domain_type(gitea_bin_t)
+corecmd_bin_entry_type(gitea_bin_t)
+role gitea_roles types gitea_bin_t;
+role system_r types gitea_bin_t;
+
+type gitea_conf_t;
+files_config_file(gitea_conf_t)
+
+type gitea_log_t;
+logging_log_file(gitea_log_t)
+
+type gitea_repo_home_t;
+files_type(gitea_repo_home_t)
+
+type gitea_repo_owner_t;
+files_type(gitea_repo_owner_t)
+
+type gitea_repo_t;
+files_type(gitea_repo_t)
+
+type gitea_var_lib_t;
+files_type(gitea_var_lib_t)
+
+type gitea_repo_obj_t;
+files_type(gitea_repo_obj_t)
+
+type gitea_repo_script_exec_t;
+corecmd_executable_file(gitea_repo_script_exec_t)
+
+type gitea_repo_script_t;
+application_domain(gitea_repo_script_t, gitea_repo_script_exec_t)
+role gitea_roles types gitea_repo_script_t;
+role system_r types gitea_repo_script_t;
+
+type gitea_var_run_t;
+init_daemon_pid_file(gitea_var_run_t, dir, "gitea")
+init_daemon_pid_file(gitea_var_run_t, file, "gitea.pid")
+
+type gitea_tmp_t;
+files_tmp_file(gitea_tmp_t)
+
+########################################
+#
+# gitea_t local policy
+#
+allow gitea_t self:fifo_file rw_fifo_file_perms;
+allow gitea_t self:capability dac_read_search;
+allow gitea_t self:process getsched;
+allow gitea_t self:tcp_socket { accept listen };
+
+allow gitea_t gitea_bin_t:process { noatsecure rlimitinh siginh sigkill };
+allow gitea_t gitea_bin_t:fifo_file write;
+allow gitea_t gitea_bin_t:fd use;
+
+corecmd_bin_domtrans(gitea_t, gitea_bin_t)
+
+#corenet_tcp_connect_git_port(gitea_t)
+#corenet_sendrecv_git_client_packets(gitea_t)
+
+corenet_all_recvfrom_unlabeled(gitea_t)
+corenet_all_recvfrom_netlabel(gitea_t)
+corenet_tcp_sendrecv_generic_if(gitea_t)
+corenet_raw_sendrecv_generic_if(gitea_t)
+corenet_tcp_sendrecv_generic_node(gitea_t)
+corenet_raw_sendrecv_generic_node(gitea_t)
+corenet_tcp_bind_generic_node(gitea_t)
+
+corenet_sendrecv_ntop_server_packets(gitea_t)
+corenet_tcp_bind_ntop_port(gitea_t)
+corenet_sendrecv_ntop_client_packets(gitea_t)
+corenet_tcp_connect_ntop_port(gitea_t)
+corenet_tcp_sendrecv_ntop_port(gitea_t)
+
+search_dirs_pattern(gitea_t, gitea_conf_t, gitea_conf_t)
+manage_files_pattern(gitea_t, gitea_conf_t, gitea_conf_t)
+
+gitea_manage_log(gitea_t)
+
+allow gitea_t gitea_var_lib_t:file map;
+manage_dirs_pattern(gitea_t, gitea_var_lib_t, gitea_var_lib_t)
+manage_files_pattern(gitea_t, gitea_var_lib_t, gitea_var_lib_t)
+manage_lnk_files_pattern(gitea_t, gitea_var_lib_t, gitea_var_lib_t)
+
+filetrans_pattern(gitea_t, gitea_var_lib_t, gitea_repo_home_t, dir, "gitea-repositories")
+manage_dirs_pattern(gitea_t, gitea_repo_home_t, gitea_repo_home_t)
+manage_files_pattern(gitea_t, gitea_repo_home_t, gitea_repo_home_t)
+manage_lnk_files_pattern(gitea_t, gitea_repo_home_t, gitea_repo_home_t)
+
+filetrans_pattern(gitea_t, gitea_repo_home_t, gitea_repo_owner_t, dir)
+manage_dirs_pattern(gitea_t, gitea_repo_owner_t, gitea_repo_owner_t)
+manage_files_pattern(gitea_t, gitea_repo_owner_t, gitea_repo_owner_t)
+manage_lnk_files_pattern(gitea_t, gitea_repo_owner_t, gitea_repo_owner_t)
+
+filetrans_pattern(gitea_t, gitea_repo_owner_t, gitea_repo_t, dir)
+files_tmp_filetrans(gitea_t, gitea_repo_t, dir)
+gitea_manage_repo(gitea_t)
+
+delete_files_pattern(gitea_t, gitea_repo_obj_t, gitea_repo_obj_t)
+allow gitea_t gitea_repo_obj_t:dir { list_dir_perms delete_dir_perms };
+
+manage_dirs_pattern(gitea_t, gitea_repo_script_exec_t, gitea_repo_script_exec_t)
+manage_files_pattern(gitea_t, gitea_repo_script_exec_t, gitea_repo_script_exec_t)
+
+files_tmp_filetrans(gitea_t, gitea_tmp_t, file)
+manage_dirs_pattern(gitea_t, gitea_tmp_t, gitea_tmp_t)
+manage_files_pattern(gitea_t, gitea_tmp_t, gitea_tmp_t)
+
+manage_dirs_pattern(gitea_t, gitea_var_run_t, 
gitea_var_run_t)
+manage_files_pattern(gitea_t, gitea_var_run_t, gitea_var_run_t)
+manage_lnk_files_pattern(gitea_t, gitea_var_run_t, gitea_var_run_t)
+files_pid_filetrans(gitea_t, gitea_var_run_t, dir, "gitea")
+
+domain_use_interactive_fds(gitea_t)
+
+files_read_etc_files(gitea_t)
+files_read_usr_files(gitea_t)
+
+auth_use_nsswitch(gitea_t)
+
+logging_send_audit_msgs(gitea_t)
+
+miscfiles_read_generic_certs(gitea_t)
+miscfiles_read_localization(gitea_t)
+
+sysnet_dns_name_resolve(gitea_t)
+
+tunable_policy(`gitea_enable_ssh_server',`
+ allow gitea_t gitea_exec_t:file execute_no_trans;
+')
+
+tunable_policy(`gitea_enable_homedirs',`
+ userdom_read_user_home_content_files(gitea_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(gitea_t)
+
+ tunable_policy(`gitea_enable_ssh_server',`
+ corenet_tcp_bind_ssh_port(gitea_t)
+ corenet_sendrecv_ssh_server_packets(gitea_t)
+ ')
+
+ tunable_policy(`!gitea_enable_ssh_server',`
+ ssh_manage_home_files(gitea_t)
+ ssh_rw_pipes(gitea_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_unpriv_client(gitea_t)
+ postgresql_stream_connect(gitea_t)
+ postgresql_tcp_connect(gitea_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(gitea_t)
+ mysql_read_config(gitea_t)
+ mysql_tcp_connect(gitea_t)
+')
+
+optional_policy(`
+ corenet_sendrecv_smtp_client_packets(gitea_t)
+ corenet_tcp_connect_smtp_port(gitea_t)
+ corenet_tcp_sendrecv_smtp_port(gitea_t)
+
+ mta_send_mail(gitea_t)
+ mta_signal_system_mail(gitea_t)
+')
+
+########################################
+#
+# gitea_bin_t local policy
+#
+allow gitea_bin_t self:fifo_file { ioctl read write getattr };
+allow gitea_bin_t self:process getsched;
+allow gitea_bin_t self:tcp_socket { connect create getattr getopt read setopt write };
+allow gitea_bin_t self:udp_socket { bind connect create getattr read write };
+allow gitea_bin_t gitea_t:fd use;
+allow gitea_bin_t gitea_t:fifo_file { read write ioctl getattr };
+
+corenet_udp_bind_generic_node(gitea_bin_t)
+corenet_tcp_bind_generic_node(gitea_bin_t)
+
+allow gitea_bin_t gitea_repo_home_t:dir list_dir_perms;
+allow gitea_bin_t gitea_repo_owner_t:dir list_dir_perms;
+
+corenet_tcp_connect_http_port(gitea_bin_t)
+
+corecmd_exec_bin(gitea_bin_t)
+corecmd_exec_shell(gitea_bin_t)
+domtrans_pattern(gitea_bin_t, gitea_repo_script_exec_t, gitea_repo_script_t)
+
+files_search_tmp(gitea_bin_t)
+
+files_read_usr_files(gitea_bin_t)
+
+gitea_search_lib(gitea_bin_t)
+
+filetrans_pattern(gitea_bin_t, gitea_var_lib_t, gitea_repo_t, file, ".gitconfig.lock")
+filetrans_pattern(gitea_bin_t, gitea_repo_owner_t, gitea_repo_t, dir)
+create_dirs_pattern(gitea_bin_t, gitea_repo_owner_t, gitea_repo_t)
+
+filetrans_pattern(gitea_bin_t, gitea_repo_t, gitea_repo_obj_t, dir, "objects")
+allow gitea_bin_t gitea_repo_obj_t:file map;
+manage_dirs_pattern(gitea_bin_t, gitea_repo_obj_t, gitea_repo_obj_t)
+manage_files_pattern(gitea_bin_t, gitea_repo_obj_t, gitea_repo_obj_t)
+manage_lnk_files_pattern(gitea_bin_t, gitea_repo_obj_t, gitea_repo_obj_t)
+
+filetrans_pattern(gitea_bin_t, gitea_repo_t, gitea_repo_script_exec_t, dir, "hooks")
+create_dirs_pattern(gitea_bin_t, gitea_repo_t, gitea_repo_script_exec_t)
+manage_files_pattern(gitea_bin_t, gitea_repo_script_exec_t, gitea_repo_script_exec_t)
+
+allow gitea_bin_t gitea_repo_t:file map;
+gitea_manage_repo(gitea_bin_t)
+
+gitea_append_log(gitea_bin_t)
+
+miscfiles_read_generic_certs(gitea_bin_t)
+miscfiles_read_localization(gitea_bin_t)
+
+domain_use_interactive_fds(gitea_bin_t)
+
+sysnet_dns_name_resolve(gitea_bin_t)
+
+tunable_policy(`gitea_enable_homedirs',`
+ userdom_manage_user_home_content_dirs(gitea_bin_t)
+ userdom_manage_user_home_content_files(gitea_bin_t)
+ userdom_read_user_home_content_files(gitea_bin_t)
+ #xdg_read_config_files(gitea_bin_t)
+')
+
+optional_policy(`
+ tunable_policy(`!gitea_enable_ssh_server',`
+ ssh_rw_pipes(gitea_bin_t)
+ ')
+')
+
+########################################
+#
+# gitea_repo_script_t local policy
+#
+allow 
gitea_repo_script_t self:fifo_file { getattr ioctl read write };
+allow gitea_repo_script_t gitea_repo_script_exec_t:file { read_file_perms execute execute_no_trans };
+
+corecmd_exec_shell(gitea_repo_script_t)
+corecmd_exec_bin(gitea_repo_script_t)
+gitea_domtrans(gitea_repo_script_t)
+
+files_search_tmp(gitea_repo_script_t)
+
+manage_dirs_pattern(gitea_repo_script_t, gitea_repo_t, gitea_repo_t)
+manage_files_pattern(gitea_repo_script_t, gitea_repo_t, gitea_repo_t)
+manage_lnk_files_pattern(gitea_repo_script_t, gitea_repo_t, gitea_repo_t)
+
+manage_dirs_pattern(gitea_repo_script_t, gitea_repo_script_exec_t, gitea_repo_script_exec_t) # Review
+manage_files_pattern(gitea_repo_script_t, gitea_repo_script_exec_t, gitea_repo_script_exec_t) # Review
+
+gitea_append_log(gitea_repo_script_t)
+
+
+tunable_policy(`gitea_enable_homedirs',`
+ #files_search_home(gitea_bin_t)
+ userdom_manage_user_home_content_dirs(gitea_bin_t)
+ userdom_manage_user_home_content_files(gitea_bin_t)
+ userdom_read_user_home_content_files(gitea_bin_t)
+ #xdg_read_config_files(gitea_bin_t)
+ #userdom_manage_user_home_content_dirs(gitea_t)
+ userdom_read_user_home_content_files(gitea_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_t;
+ role user_r;
+ ')
+
+ gitea_role(user_r, user_t)
+ gitea_search_lib(user_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type ssh_keygen_t, user_home_dir_t, sshd_t;
+ ')
+
+ gitea_read_tmp(ssh_keygen_t);
+ gitea_search_lib(sshd_t)
+ #read_files_pattern(sshd_t, gitea_var_lib_t, gitea_var_lib_t)
+')
+
diff --git a/sec-policy/selinux-gitea/selinux-gitea-2.20190201-r1.ebuild b/sec-policy/selinux-gitea/selinux-gitea-2.20190201-r1.ebuild
new file mode 100644
index 0000000..2a20bff
--- /dev/null
+++ b/sec-policy/selinux-gitea/selinux-gitea-2.20190201-r1.ebuild
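Review bot: The hook-script domain `gitea_repo_script_t` is given `manage_dirs_pattern`/`manage_files_pattern` on its own entry type `gitea_repo_script_exec_t` (the two lines still marked `# Review`) as well as `manage_*_pattern` on `gitea_repo_t`, which together let a hook rewrite the hooks of every repository and, because gitea.fc labels `/var/lib/gitea/.gitconfig` as `gitea_repo_t`, the global git configuration; the `{ read_file_perms execute execute_no_trans }` allow above them is what a hook needs in order to run, so the two `# Review` rules look like candidates to drop and the repo-wide manage rules deserve the same scrutiny. The closing `tunable_policy(`gitea_enable_homedirs',...)` block under the `gitea_repo_script_t` heading grants rules to `gitea_bin_t` and `gitea_t` that their own sections already carry, and `user_home_dir_t` is required in the last `optional_policy` but never used, so both read as leftovers. `gitea_read_tmp(ssh_keygen_t);` carries a trailing `;` unlike every other interface call in the file; a bare `;` left after the m4 expansion may not be accepted by the policy compiler, so drop it. `corenet_raw_sendrecv_generic_if(gitea_t)` and `corenet_raw_sendrecv_generic_node(gitea_t)` are granted with no `self:rawip_socket` permission anywhere, so they appear to be dead rules that can be removed.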
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="gitea"
+POLICY_FILES="gitea.te gitea.fc gitea.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for gitea"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+ KEYWORDS=""
+else
+ KEYWORDS="amd64 x86"
+fi
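Review bot: The header `# Copyright 1999-2015 Gentoo Foundation` plus the `# $Id$` keyword line is stale for a new 2019 ebuild; the `$Id$` keyword is not expanded in the git-based tree and the year should match when the file was written. `KEYWORDS="amd64 x86"` marks a brand-new policy package stable on its first commit, whereas new packages usually start at `~amd64 ~x86` until they have been tested. `EAPI="5"` is also old for a freshly written file; if the `selinux-policy-2` eclass in the target tree supports a newer EAPI, bump it.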