Commit f2f6504

git_client_exec_user_bin tunable
git may under some circumstances want to run user binaries (e.g., git-bisect and custom git commands). Add a tunable to allow git to execute such user binaries. Signed-off-by: Antonio Enrico Russo <[email protected]>
1 parent e958739 commit f2f6504

1 file changed

+12
-0
lines changed


policy/modules/services/git.te

Lines changed: 12 additions & 0 deletions
@@ -88,6 +88,14 @@ gen_tunable(git_system_use_nfs, false)
8888
## </desc>
8989
gen_tunable(git_client_manage_all_user_home_content, false)
9090

91+
## <desc>
92+
## <p>
93+
## Determine whether Git client domains
94+
## can run user binaries.
95+
## </p>
96+
## </desc>
97+
gen_tunable(git_client_exec_user_bin, false)
98+
9199
attribute git_daemon;
92100
attribute_role git_session_roles;
93101
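Review bot: the `<desc>` text added for git_client_exec_user_bin ("Determine whether Git client domains can run user binaries.") does not say what counts as a user binary or why a Git client would need to run one; the use case (git-bisect, custom git commands) appears only in the commit message. Suggest naming that use case in the description and stating that the tunable covers the files reached through userdom_exec_user_bin_files, so an administrator reading the tunable's description can judge the exposure before enabling it. The default of false is the right choice for a permission that lets a confined client run user-provided programs.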

@@ -347,3 +355,7 @@ tunable_policy(`git_client_manage_all_user_home_content',`
347355
userdom_manage_all_user_home_content(git_client_domain)
348356
userdom_map_all_user_home_content_files(git_client_domain)
349357
')
358+
359+
tunable_policy(`git_client_exec_user_bin',`
360+
userdom_exec_user_bin_files(git_client_domain)
361+
')
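Review bot: in the new tunable_policy block, userdom_exec_user_bin_files is granted to the whole git_client_domain attribute, and going by the interface name this is a plain exec, so the binaries would run inside the Git client domain with its permissions rather than in a domain of their own. Worth confirming that this is intended, and how it interacts with git_client_manage_all_user_home_content in the block just above: if that tunable's manage access also covers the user bin files, enabling both would let a Git client domain write and then execute the same files. A short comment above the block recording the intent would help.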
