git client domain fixes

policy/modules/apps/gpg.if

@@ -516,6 +516,25 @@ interface(`gpg_list_user_secrets',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Allow gpg to read a file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain gpg is allowed access to.
+##	</summary>
+## </param>
+#
+interface(`gpg_read_files',`
+	gen_require(`
+		type gpg_t;
+	')
+
+	allow gpg_t $1:file read_file_perms;
+	allow gpg_t $1:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempt to search gpg user secrets dirs.

policy/modules/services/git.fc

@@ -7,7 +7,9 @@ HOME_DIR/\.git-credentials	--	gen_context(system_u:object_r:git_xdg_config_t,s0)
 /usr/bin/git-[^/]+	--	gen_context(system_u:object_r:git_exec_t,s0)
 /usr/bin/git2_cli	--	gen_context(system_u:object_r:git_exec_t,s0)
 
-/usr/lib/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
+/usr/lib/git-core/git	--	gen_context(system_u:object_r:git_exec_t,s0)
+/usr/lib/git-core/git-[^/]+ --	gen_context(system_u:object_r:git_exec_t,s0)
+/usr/lib/git-core/git-daemon --	gen_context(system_u:object_r:gitd_exec_t,s0)
 
 /usr/libexec/git-core/git	--	gen_context(system_u:object_r:git_exec_t,s0)
 /usr/libexec/git-core/git-[^/]+ --	gen_context(system_u:object_r:git_exec_t,s0)

policy/modules/services/git.if

@@ -92,6 +92,7 @@ template(`git_client_role_template',`
 	gen_require(`
 		attribute git_client_domain;
 		type git_exec_t, git_home_t, git_home_hook_t;
+		type git_xdg_config_t;
 	')
 
 	########################################
@@ -117,16 +118,43 @@ template(`git_client_role_template',`
 	allow $2 git_home_hook_t:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 git_home_hook_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 	filetrans_pattern($2, git_home_t, git_home_hook_t, dir, "hooks")
+	xdg_config_filetrans($2, git_xdg_config_t, dir, "git")
+	userdom_user_home_dir_filetrans($2, git_xdg_config_t, file, ".gitconfig")
+	userdom_user_home_dir_filetrans($2, git_xdg_config_t, file, ".git-credentials")
 
 	allow $3 $1_git_t:process { ptrace signal_perms };
 	ps_process_pattern($3, $1_git_t)
 
 	auth_use_nsswitch($1_git_t)
 
+	type $1_git_tmp_t;
+	userdom_user_tmp_file($1_git_tmp_t)
+
+	allow $2 $1_git_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 $1_git_tmp_t:file { exec_file_perms manage_file_perms relabel_file_perms };
+	allow $2 $1_git_tmp_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1_git_t $1_git_tmp_t:dir manage_dir_perms;
+	allow $1_git_t $1_git_tmp_t:file mmap_manage_file_perms;
+	allow $1_git_t $1_git_tmp_t:lnk_file manage_lnk_file_perms;
+	files_tmp_filetrans($1_git_t, $1_git_tmp_t, {dir file})
+
 	# allow userdomains to exec git hooks
 	exec_files_pattern($3, git_home_hook_t, git_home_hook_t)
 	# transition back to the user domain when executing git hooks
 	domtrans_pattern($1_git_t, git_home_t, $2)
+	# execute shell scripts
+	corecmd_exec_shell($1_git_t)
+	# execute user utilities, e.g., editor
+	corecmd_bin_domtrans($1_git_t, $2)
+
+	optional_policy(`
+		tunable_policy(`git_client_use_gpg', `
+			gpg_domtrans($1_git_t)
+			dev_read_urand($1_git_t)
+
+			gpg_read_files($1_git_tmp_t)
+		')
+	')
 
 	# transition to ssh client domain when performing ssh operations
 	optional_policy(`

policy/modules/services/git.te

@@ -88,6 +88,22 @@ gen_tunable(git_system_use_nfs, false)
 ## </desc>
 gen_tunable(git_client_manage_all_user_home_content, false)
 
+## <desc>
+##	<p>
+##	Determine whether Git client domains
+##	can run user binaries.
+##	</p>
+## </desc>
+gen_tunable(git_client_exec_user_bin, false)
+
+## <desc>
+##	<p>
+##	Determine whether Git client domains
+##	can access gpg.
+##	</p>
+## </desc>
+gen_tunable(git_client_use_gpg, false)
+
 attribute git_daemon;
 attribute_role git_session_roles;
 
@@ -347,3 +363,7 @@ tunable_policy(`git_client_manage_all_user_home_content',`
 	userdom_manage_all_user_home_content(git_client_domain)
 	userdom_map_all_user_home_content_files(git_client_domain)
 ')
+
+tunable_policy(`git_client_exec_user_bin',`
+	userdom_exec_user_bin_files(git_client_domain)
+')