Difference between revisions of "SVNserver"
Revision as of 08:27, 13 March 2010
Use case: SVN server
How I built a SELinux-based server that holds the SVN repos of all our projects. The same thought patterns can be applied to securing any other sharing technology, not just SVN.
Requirements
- SVN should be confined to its own domain
- Access to SVN should be provided via SSH
- SVN data should be labeled by own type with only SVN having access to them
- Various SVN repos should be restricted only to certain people (i.e., the project members)
- Within this restriction, some people should be granted read-only access
- Regular backups!
The policy module
I based the server on Debian 5.0, therefore I was dealing with quite an old release of refpolicy, 2:0.0.20080702-16 (old even for the launch time of the distro). Much water has passed since then, so some things might need adjusting for newer refpolicies (I'll indicate those I know about).
The SVN module is pretty straightforward once you match the requirements to known macros. I'll start with the interfaces because they give a thread to follow.
    # Let domain $1 (running as role $2) execute svn_exec_t and land in svn_t.
    interface(`svn_domtrans',`
        gen_require(`
            type svn_t, svn_exec_t, $1;
            role $2;
        ')

        domtrans_pattern($1,svn_exec_t,svn_t)
        role $2 types svn_t;
    ')

    # Same for the administrative tool: $1 executes svnadmin_exec_t and lands in svnadmin_t.
    interface(`svnadmin_domtrans',`
        gen_require(`
            type svnadmin_t, svnadmin_exec_t, $1;
            role $2;
        ')

        domtrans_pattern($1,svnadmin_exec_t,svnadmin_t)
        role $2 types svnadmin_t;
    ')
The first two macros are the classical 'allow $1 to transition into another domain and add that domain's type to role $2'.
    # Give domain $1 full create/read/write/delete rights on repository files and directories.
    interface(`svn_manage_data',`
        gen_require(`
            type svndata_t, $1;
            class file { manage_file_perms };
            class dir { manage_dir_perms };
        ')

        allow $1 svndata_t : file { manage_file_perms };
        allow $1 svndata_t : dir { manage_dir_perms };
    ')
This macro will grant the $1 type access to manipulate our precious SVN repos.
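As an added illustration, not the author's module, here is the plumbing these three interfaces presuppose: the type declarations, the file contexts, and a small local module that hands ssh users the transition. The refpolicy macros used (policy_module, domain_type, domain_entry_file, files_type, gen_context) are standard ones; the paths /usr/bin/svnserve and /srv/svn and the caller domains user_t/user_r and staff_t/staff_r are assumptions, and the extra permissions svnserve needs beyond the repositories (terminal, libraries) are left out.

```selinux
# --- svn.fc (paths are assumptions; adjust to where the binaries and repos live) ---
/usr/bin/svn        --  gen_context(system_u:object_r:svn_exec_t,s0)
/usr/bin/svnserve   --  gen_context(system_u:object_r:svn_exec_t,s0)
/usr/bin/svnadmin   --  gen_context(system_u:object_r:svnadmin_exec_t,s0)
/srv/svn(/.*)?          gen_context(system_u:object_r:svndata_t,s0)

# --- svn.te ---
policy_module(svn, 1.0.0)

# Confined domain for svn/svnserve (requirement 1) and its entry-point file.
type svn_t;
type svn_exec_t;
domain_type(svn_t)
domain_entry_file(svn_t, svn_exec_t)

# Separate, more privileged domain for svnadmin (repository maintenance).
type svnadmin_t;
type svnadmin_exec_t;
domain_type(svnadmin_t)
domain_entry_file(svnadmin_t, svnadmin_exec_t)

# Private label for the repositories themselves (requirement 3).
type svndata_t;
files_type(svndata_t)

# Only the two SVN domains receive manage rights on svndata_t; as long as
# no other module calls svn_manage_data(), nothing else can touch the repos.
svn_manage_data(svn_t)
svn_manage_data(svnadmin_t)

# Short-lived command-line tools: let each domain fork and signal itself.
allow svn_t self:process { fork signal_perms };
allow svnadmin_t self:process { fork signal_perms };

# --- svnusers.te (separate local module wiring up the ssh logins, requirement 2) ---
policy_module(svnusers, 1.0.0)

# svn+ssh: sshd spawns the project member's login shell (assumed to run in
# user_t with role user_r); when that shell execs svnserve the domtrans
# moves it into svn_t, so the member never gets svndata_t access directly.
svn_domtrans(user_t, user_r)

# The admin tool is reserved for the staff role (assumed staff_t / staff_r);
# ordinary members can commit but cannot create, dump or repair repos.
svnadmin_domtrans(staff_t, staff_r)
```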