Difference between revisions of "SVNserver"
Revision as of 08:23, 13 March 2010
Use case: SVN server
How I built an SELinux-based server that holds the SVN repos of all our projects. The same thought patterns can be applied to securing any other sharing technology, not just SVN.
Requirements
- SVN should be confined to its own domain
- Access to SVN should be provided via SSH
- SVN data should be labeled with its own type, with only SVN having access to it
- Individual SVN repos should be restricted to certain people only (i.e. the project members)
- Within this restriction, some people should be granted read-only access
- Regular backups!
The policy module
I based the server on Debian 5.0, so I was dealing with quite an old release of refpolicy, 2:0.0.20080702-16 (even for the launch time of the distro). Much water has passed since then, so some things might need adjusting for newer refpolicies (I'll indicate those I know about).
The SVN module is pretty straightforward once you match the requirements to known macros. I'll start with the interface file, because it gives a line to follow.
    interface(`svn_domtrans',`
        gen_require(`
            type svn_t, svn_exec_t, $1;
            role $2;
        ')

        domtrans_pattern($1, svn_exec_t, svn_t)
        role $2 types svn_t;
    ')

    interface(`svnadmin_domtrans',`
        gen_require(`
            type svnadmin_t, svnadmin_exec_t, $1;
            role $2;
        ')

        domtrans_pattern($1, svnadmin_exec_t, svnadmin_t)
        role $2 types svnadmin_t;
    ')

The first two macros are the classical 'allow $1 to transition to another type, and add that type to its $2 role'.
    interface(`svn_manage_data',`
        gen_require(`
            type svndata_t, $1;
            class file { manage_file_perms };
            class dir { manage_dir_perms };
        ')

        allow $1 svndata_t : file { manage_file_perms };
        allow $1 svndata_t : dir { manage_dir_perms };
    ')

This macro will grant the $1 type access to manipulate our precious SVN repos.
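As an added illustration (not code from the original page), here is how the .te and .fc halves of the module would wire the interfaces above together to meet requirements 1 to 3: the two confined domains, the dedicated data type, and the transition from an SSH login. The file paths, the module version and the use of user_t/user_r as the confined login domain and role are my assumptions; adjust them to your layout.

```selinux
# svn.te -- module body; svn.if holds the interfaces shown above
policy_module(svn, 1.0.0)

# Requirement 1: svnserve and svnadmin each get a confined domain
# with their own entry-point executable type
type svn_t;
type svn_exec_t;
domain_type(svn_t)
domain_entry_file(svn_t, svn_exec_t)

type svnadmin_t;
type svnadmin_exec_t;
domain_type(svnadmin_t)
domain_entry_file(svnadmin_t, svnadmin_exec_t)

# Requirement 3: repository data carries its own file type
type svndata_t;
files_type(svndata_t)

# Only the two SVN domains may read and write the repositories;
# no other domain is given svndata_t, so everything else is denied
svn_manage_data(svn_t)
svn_manage_data(svnadmin_t)

# Requirement 2: a user logged in over SSH runs svnserve/svnadmin in
# the confined domains.  user_t / user_r are assumed to be the
# confined login domain and role on this system.
svn_domtrans(user_t, user_r)
svnadmin_domtrans(user_t, user_r)

# svn.fc -- assumed Debian paths; the data path is an assumption too
/usr/bin/svnserve   --  gen_context(system_u:object_r:svn_exec_t,s0)
/usr/bin/svnadmin   --  gen_context(system_u:object_r:svnadmin_exec_t,s0)
/srv/svn(/.*)?          gen_context(system_u:object_r:svndata_t,s0)
```

After loading the module, relabel the repository tree and confirm that a process started from an SSH shell shows svn_t in ps -Z; anything still running as the login domain means the entry-point label or the domtrans call is not in effect.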