policy_module(dist_git,1.0.1)


require {
    type httpd_git_script_t;
    type git_script_tmp_t;
    type git_system_t;
    type git_user_content_t;
    type httpd_t;
}

files_tmp_file(git_script_tmp_t);
allow httpd_git_script_t git_script_tmp_t:file manage_file_perms;

# Do not audit attempts to read the process state (/proc/pid) of all domains. 
domain_read_all_domains_state(httpd_git_script_t);

# List the contents of the sysfs directories. 
dev_list_sysfs(httpd_git_script_t);

# Allow sending logs to syslog
logging_send_syslog_msg(httpd_git_script_t);

# Get the attributes of all pty device nodes. 
term_getattr_all_ptys(httpd_git_script_t);

# Get the attributes of all tty device nodes. 
term_getattr_all_ttys(httpd_git_script_t);

# Do not audit attempts to get the attributes of generic pty devices.
term_dontaudit_getattr_generic_ptys(httpd_git_script_t);

# For git-daemon
allow git_system_t git_user_content_t:dir { search getattr open read };
allow git_system_t git_user_content_t:file { read open getattr };
allow git_system_t git_user_content_t:lnk_file { read open getattr };

# For git-http-backend
allow httpd_t git_user_content_t:dir { search getattr open read };
allow httpd_t git_user_content_t:file { read open getattr };
allow httpd_t git_user_content_t:lnk_file { read open getattr };