dist-git/selinux/dist_git.te

policy_module(dist_git,1.0.1)


require {
    type httpd_git_script_t;
    type git_script_tmp_t;
    type git_system_t;
    type git_user_content_t;
    type httpd_t;
}

files_tmp_file(git_script_tmp_t);
allow httpd_git_script_t git_script_tmp_t:file manage_file_perms;

# List the contents of the sysfs directories. 
dev_list_sysfs(httpd_git_script_t);

# Allow sending logs to syslog
logging_send_syslog_msg(httpd_git_script_t);

# Get the attributes of all pty device nodes. 
term_getattr_all_ptys(httpd_git_script_t);

# Get the attributes of all tty device nodes. 
term_getattr_all_ttys(httpd_git_script_t);

# Do not audit attempts to get the attributes of generic pty devices.
term_dontaudit_getattr_generic_ptys(httpd_git_script_t);

# For git-daemon
allow git_system_t git_user_content_t:dir { search getattr open read };
allow git_system_t git_user_content_t:file { read open getattr };
allow git_system_t git_user_content_t:lnk_file { read open getattr };
optional_policy(`
gen_require(` class file map; ')
allow git_system_t git_user_content_t:file map;
')

# For git-http-backend
allow httpd_t git_user_content_t:dir { search getattr open read };
allow httpd_t git_user_content_t:file { read open getattr };
allow httpd_t git_user_content_t:lnk_file { read open getattr };
optional_policy(`
gen_require(` class file map; ')
allow httpd_t git_user_content_t:file map;
')
bump dist-git-selinux policy version 2017-02-08 13:00:52 +01:00			`policy_module(dist_git,1.0.1)`
selinux subpackage created 2015-04-27 12:08:55 +02:00

selinux labels update 2015-04-29 12:22:33 +02:00			`require {`
			`type httpd_git_script_t;`
			`type git_script_tmp_t;`
use git_user_content_t instead of git_content_t for /srv/git/* and allow git-daemon to work with it 2017-02-06 18:22:40 +01:00			`type git_system_t;`
			`type git_user_content_t;`
add policy rules for git-http-backend 2017-02-07 05:55:23 +01:00			`type httpd_t;`
selinux labels update 2015-04-29 12:22:33 +02:00			`}`
selinux subpackage created 2015-04-27 12:08:55 +02:00
selinux labels update 2015-04-29 12:22:33 +02:00			`files_tmp_file(git_script_tmp_t);`
			`allow httpd_git_script_t git_script_tmp_t:file manage_file_perms;`
selinux subpackage created 2015-04-27 12:08:55 +02:00
			`# List the contents of the sysfs directories.`
			`dev_list_sysfs(httpd_git_script_t);`

			`# Allow sending logs to syslog`
			`logging_send_syslog_msg(httpd_git_script_t);`

			`# Get the attributes of all pty device nodes.`
			`term_getattr_all_ptys(httpd_git_script_t);`
[selinux] improve readability 2017-04-08 16:21:02 +02:00
selinux subpackage created 2015-04-27 12:08:55 +02:00			`# Get the attributes of all tty device nodes.`
			`term_getattr_all_ttys(httpd_git_script_t);`
[selinux] improve readability 2017-04-08 16:21:02 +02:00
selinux subpackage created 2015-04-27 12:08:55 +02:00			`# Do not audit attempts to get the attributes of generic pty devices.`
			`term_dontaudit_getattr_generic_ptys(httpd_git_script_t);`
use git_user_content_t instead of git_content_t for /srv/git/* and allow git-daemon to work with it 2017-02-06 18:22:40 +01:00
			`# For git-daemon`
			`allow git_system_t git_user_content_t:dir { search getattr open read };`
			`allow git_system_t git_user_content_t:file { read open getattr };`
			`allow git_system_t git_user_content_t:lnk_file { read open getattr };`
give optional map permission to git_system_t on git_user_content_t 2018-01-13 16:40:16 +01:00			optional_policy(`
			gen_require(` class file map; ')
			`allow git_system_t git_user_content_t:file map;`
			`')`
add policy rules for git-http-backend 2017-02-07 05:55:23 +01:00
			`# For git-http-backend`
			`allow httpd_t git_user_content_t:dir { search getattr open read };`
			`allow httpd_t git_user_content_t:file { read open getattr };`
			`allow httpd_t git_user_content_t:lnk_file { read open getattr };`
add optional map permission for git_user_content_t type for httpd_t map permission is needed up from f27. 2017-12-16 23:15:08 +01:00			optional_policy(`
			gen_require(` class file map; ')
			`allow httpd_t git_user_content_t:file map;`
			`')`