Thursday 14 January 2010

Test Git daemon policy.

Clone my latest selinux-modules git repository:

git clone git://84.245.6.206/selinux-modules.git
cd selinux-modules && make -f /usr/share/selinux/devel/Makefile gitd.pp
semodule -d git; semodule -i gitd.pp
cp gitd.if /usr/share/selinux/devel/include/services/gitd.if

To test the Git session server you should build a custom module calling the gitd_session_role template for your role:

echo "policy_module(mygittest, 1.0.0)" > mygittest.te;
echo "optional_policy(\`" >> mygittest.te;
echo "gen_require(\`" >> mygittest.te;
echo "# Assuming you want to test as unconfined_t" >> mygittest.te;
echo "type unconfined_t;" >> mygittest.te;
echo "role unconfined_r;" >> mygittest.te;
echo "')" >> mygittest.te;
echo "gitd_session_role(unconfined_r, unconfined_t)" >> mygittest.te;
echo "')" >> mygittest.te;

make -f /usr/share/selinux/devel/Makefile mygittest.pp
semodule -i mygittest.pp

Make sure that port tcp:9418 is open and that tcp-wrappers is configured to accept connections on this port.

Install git-daemon and its dependencies: yum install git-daemon.

You must edit /etc/xinetd.d/git: set "disable" to "no", "server" to "/usr/libexec/git-core/git-daemon", and remove the "daemon" argument from "server_args". Keep an eye on /var/log/messages in case it behaves strangely.
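The following script, added here as an example and not part of the original post, checks that an xinetd "git" service file carries the three edits just described. Both sample configurations inside it are constructed, and the stock layout they mimic is an assumption about the packaged file.

```bash
# Added example, not from the original post: verify that an xinetd "git" service
# file carries the three edits described above. The sample configurations below
# are constructed; the stock layout is an assumption about the packaged file.

# Print the value of one xinetd attribute ($1) from config text ($2), first match only.
xinetd_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 when the config text ($1) matches the post's requirements, 1 otherwise,
# naming each problem on stderr.
check_xinetd_git() {
    rc=0
    [ "$(xinetd_value disable "$1")" = "no" ] ||
        { echo "disable is not set to no" >&2; rc=1; }
    [ "$(xinetd_value server "$1")" = "/usr/libexec/git-core/git-daemon" ] ||
        { echo "server is not /usr/libexec/git-core/git-daemon" >&2; rc=1; }
    case " $(xinetd_value server_args "$1") " in
        *" daemon "*) echo "server_args still contains the daemon argument" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed "before" sample, shaped like a stock /etc/xinetd.d/git entry.
STOCK_CFG=$(cat <<'EOF'
service git
{
        disable         = yes
        user            = nobody
        server          = /usr/bin/git
        server_args     = daemon --base-path=/var/lib/git --export-all --user-path=public_git --syslog --inetd --verbose
}
EOF
)

# Constructed "after" sample: the same entry with the three edits applied by sed.
FIXED_CFG=$(printf '%s\n' "$STOCK_CFG" | sed \
    -e 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' \
    -e 's#^\([[:space:]]*server[[:space:]]*=[[:space:]]*\).*#\1/usr/libexec/git-core/git-daemon#' \
    -e 's/^\([[:space:]]*server_args[[:space:]]*=[[:space:]]*\)daemon /\1/')

check_xinetd_git "$STOCK_CFG" || echo "stock sample: needs editing (expected)"
check_xinetd_git "$FIXED_CFG" && echo "fixed sample: OK"
```

On a real system, run check_xinetd_git "$(cat /etc/xinetd.d/git)" after editing the file; a non-zero exit names what is still missing.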

Restore the following contexts:

restorecon -R -v /var/lib/git
restorecon -v /usr/libexec/git-core/git-daemon
restorecon -v ~/.gitconfig
restorecon -v ~/public_git

Start xinetd: service xinetd start.

Set up a default git shell user for generic shared repositories:

groupadd git
useradd -Z git_shell_u -M -s /usr/bin/git-shell joe
usermod -a -G git joe
passwd joe

Set up a bare "test" shared repository:

mkdir /var/lib/git/test.git
cd /var/lib/git/test.git && git --bare init
chown -R root:git /var/lib/git/test.git
chmod -R g+w /var/lib/git/test.git
chmod -R g+s /var/lib/git/test.git
chmod -R +t /var/lib/git/test.git

From your "normal" user account clone the bare repository:

git clone git://localhost/test.git
cd test

Make changes to it:

echo "test" > test;
git init
git add .
git commit -a -s -m "My initial commit."

As user "joe" push to the shared repository:

git push --all git+ssh://joe@localhost/var/lib/git/test.git
git pull
git status
git show

Testing Git session:

Stop xinetd, and in the home directory of your "normal" user (we are done with "joe" for now) make sure ~/public_git exists and has the right context:

restorecon -R -v ~/public_git

Earlier we called the "gitd_session_role" template for users operating in the unconfined_t domain. This means that when your id -Z returns unconfined_u:unconfined_r:unconfined_t:s0, running git with the daemon option will place it in the Git session SELinux environment for you.

Create a new personal repository in ~/public_git:

mkdir ~/public_git/hello
cd ~/public_git/hello
git init
echo "hello" > hello
git add .
git commit -a -s -m "My initial commit."

Serve your personal repository with the following command:

git daemon --export-all --user-path=public_git

In another terminal clone the repository:

git clone git://localhost/~yourloginnamehere/hello

Make a commit to it:

cd hello
echo "bye" >> hello
git commit -a -s -m "Add good bye"

Push the change to your personal repository:

git push --all ssh://yourloginnamehere@localhost/~/public_git/hello

Hosting personal repositories with Git system daemon.

Stop your Git session daemon (ctrl-c) and start xinetd.

Set the boolean to allow the Git system daemon to search user home directories for personal Git repositories to serve:

setsebool gitd_system_enable_homedirs on

Now clone the personal repository again:

git clone git://localhost/~yourloginnamehere/hello
cd hello
echo "hi" >> hello
git commit -a -s -m "Added Hi."

And push to the personal repository:

git push --all ssh://yourloginnamehere@localhost/~/public_git/hello

Create a customized Git shell user that has access to a restricted shared repository (besides having access to any generic system repositories). Also create the restricted repository and allow the new Git shell user access to it.

echo "policy_module(secret_git_shell, 1.0.0)" > secret_git_shell.te;
echo "gitd_role_template(secret_git_shell)" >> secret_git_shell.te;
echo "gitd_content_template(secret)" >> secret_git_shell.te;
echo "gitd_content_delegation(secret_git_shell_t, gitd_secret_content_t)" >> secret_git_shell.te;
echo "gen_user(secret_git_shell_u, user, secret_git_shell_r, s0, s0)" >> secret_git_shell.te;

echo "/var/lib/git/secret\.git(/.*)? gen_context(system_u:object_r:gitd_secret_content_t, s0)" > secret_git_shell.fc;

make -f /usr/share/selinux/devel/Makefile secret_git_shell.pp
semodule -i secret_git_shell.pp

Create a secret Git shell user:

useradd -Z secret_git_shell_u -M -s /usr/bin/git-shell jane
usermod -a -G git jane
passwd jane

Create a bare secret shared repository:

mkdir /var/lib/git/secret.git
cd /var/lib/git/secret.git && git --bare init
chown -R root:git /var/lib/git/secret.git
chmod -R g+w /var/lib/git/secret.git
chmod -R g+s /var/lib/git/secret.git
chmod -R +t /var/lib/git/secret.git

Restore the context of the secret repository:

restorecon -R -v /var/lib/git/secret.git

Everyone can read it but only jane can push to it. As a "normal" user clone the secret repository.

git clone git://localhost/secret.git
cd secret
echo "secret" > secret
git init
git add .
git commit -a -s -m "My first commit."

Push it as user "jane":

git push --all git+ssh://jane@localhost/var/lib/git/secret.git
git pull
git status
git show

Make another commit:

echo "Joe here" >> secret
git commit -a -s -m "add Joe here"

Now try to push it as user "joe" (joe can push to generic shared repositories, but is not allowed to push to the secret repository, so this push should be denied):

git push --all git+ssh://joe@localhost/var/lib/git/secret.git