Difference between revisions of "SVNserver"
Revision as of 08:26, 13 March 2010
Use case: SVN server
How I built an SELinux-based server that holds the SVN repos of all our projects. The same thought patterns can be applied to securing any other sharing technology, not just SVN.
Requirements
- SVN should be confined to its own domain
- Access to SVN should be provided via SSH
- SVN data should be labeled by own type with only SVN having access to them
- Various SVN repos should be restricted only to certain people (i.e. the project members)
- Within this restriction, some people should be granted read-only access
- Regular backups!
The policy module
I based the server on Debian 5.0, so I was dealing with quite an old release of refpolicy, 2:0.0.20080702-16 (old even at the launch time of the distro). Much water has passed under the bridge since then, so some things might need adjusting for newer refpolicies (I'll indicate those I know about).
The SVN module is pretty straightforward once you match the requirements to known macros. I'll start with the interface file because it gives a thread to follow.
    interface(`svn_domtrans',`
        gen_require(`
            type svn_t, svn_exec_t, $1;
            role $2;
        ')

        domtrans_pattern($1,svn_exec_t,svn_t)
        role $2 types svn_t;
    ')

    interface(`svnadmin_domtrans',`
        gen_require(`
            type svnadmin_t, svnadmin_exec_t, $1;
            role $2;
        ')

        domtrans_pattern($1,svnadmin_exec_t,svnadmin_t)
        role $2 types svnadmin_t;
    ')
The first two macros are the classical 'allow $1 to transition to another type and add that type to the $2 role'.
    interface(`svn_manage_data',`
        gen_require(`
            type svndata_t, $1;
            class file { manage_file_perms };
            class dir { manage_dir_perms };
        ')

        allow $1 svndata_t : file { manage_file_perms };
        allow $1 svndata_t : dir { manage_dir_perms };
    ')
This macro grants the $1 type access to manipulate our precious SVN repos.
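As an added example, not from the original page, here is a minimal svn.te that the three interfaces above would pair with: it declares the types the gen_require blocks reference, gives only the two svn domains access to svndata_t, and hooks the SSH-login user domain into svn_t. The names user_t/user_r and sysadm_t/sysadm_r are assumed to be the refpolicy default unprivileged and admin domains; the per-project and read-only restrictions from the requirements are not covered here.

```m4
policy_module(svn, 1.0.0)

########################################
#
# Declarations
#

# Domain for svn/svnserve and the entry point that triggers the
# transition (the binary a user runs after logging in over SSH).
type svn_t;
type svn_exec_t;
application_domain(svn_t, svn_exec_t)

# Repository maintenance gets a separate domain so that creating or
# dumping repos is not something every svn user can do.
type svnadmin_t;
type svnadmin_exec_t;
application_domain(svnadmin_t, svnadmin_exec_t)

# The repositories themselves carry their own type; nothing but the
# two domains below is ever granted svn_manage_data() on it.
type svndata_t;
files_type(svndata_t)

########################################
#
# Local policy
#

svn_manage_data(svn_t)
svn_manage_data(svnadmin_t)

# Both domains have to walk the directory tree above the repos
# (assumes the repos live somewhere under /var).
files_search_var(svn_t)
files_search_var(svnadmin_t)

# Assumed: user_t/user_r is the domain sshd hands unprivileged logins
# to, sysadm_t/sysadm_r is the administrator. Only the admin role can
# ever enter svnadmin_t.
svn_domtrans(user_t, user_r)
svnadmin_domtrans(sysadm_t, sysadm_r)
```

The repository paths still need a matching svn.fc entry labelling them svndata_t, plus a relabel, before these rules have any effect.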