policy_module(svnmailer,0.1.4)

########################################
#
# Declarations
#

# Type for the svn-mailer log output (see the hook example below).
type svnmailer_log_t;
logging_log_file(svnmailer_log_t)

# Type for scratch files svn-mailer creates under /tmp.
type svnmailer_tmp_t;
files_tmp_file(svnmailer_tmp_t)

########################################
#
# svnmailer local policy
#
# Prerequisites (not enforced by this module):
#  - httpd_enable_cgi must be set for svnmailer to be used.
#  - The subversion repository (served via mod_dav_svn) is expected to be
#    labeled httpd_sys_content_rw_t, with the hooks directory and its
#    contents labeled httpd_sys_script_exec_t.
#
# svn-mailer output should be redirected to a svnmailer_log_t file,
# e.g. in hooks/post-commit:
#   /usr/bin/svn-mailer --commit --repository "${REPOS}" --revision "${REV}" \
#       --background 2>>/var/log/svnmailer/my-repo.log
#

# Provides the httpd_svnmailer_script_t domain that every rule below targets.
apache_content_template(svnmailer)

# Log files: manage rights plus an automatic type transition, so files and
# directories created in the log directory are labeled svnmailer_log_t
# rather than inheriting the parent directory's type.
# NOTE(review): manage_* also grants unlink/rename on existing logs; if the
# hook only ever appends (as in the example above), an append-only pattern
# would be tighter -- confirm against actual svn-mailer behaviour before
# narrowing.
manage_dirs_pattern(httpd_svnmailer_script_t, svnmailer_log_t, svnmailer_log_t)
manage_files_pattern(httpd_svnmailer_script_t, svnmailer_log_t, svnmailer_log_t)
logging_log_filetrans(httpd_svnmailer_script_t, svnmailer_log_t, { file dir })

# Temp files: same shape as the log rules, with the transition in /tmp.
manage_dirs_pattern(httpd_svnmailer_script_t, svnmailer_tmp_t, svnmailer_tmp_t)
manage_files_pattern(httpd_svnmailer_script_t, svnmailer_tmp_t, svnmailer_tmp_t)
files_tmp_filetrans(httpd_svnmailer_script_t, svnmailer_tmp_t, { file dir })

# Repository data: read-only access to both the plain and the
# httpd-writable content types.  Only read is granted here.
apache_read_sys_content(httpd_svnmailer_script_t)
apache_read_sys_content_rw(httpd_svnmailer_script_t)

# Descriptors leaked from httpd are open read/write on
# httpd_sys_content_rw_t files; silence those denials rather than
# granting write access.
apache_dontaudit_rw_sys_content_rw_files(httpd_svnmailer_script_t)

# svn-mailer probes for its locale data under /usr/bin: search the
# directory, follow symlinks, and getattr on the binaries it finds.
corecmd_search_bin(httpd_svnmailer_script_t)
corecmd_read_bin_symlinks(httpd_svnmailer_script_t)
corecmd_getattr_bin_files(httpd_svnmailer_script_t)

# Mail delivery, either directly as an SMTP client ...
corenet_tcp_connect_smtp_port(httpd_svnmailer_script_t)
corenet_sendrecv_smtp_client_packets(httpd_svnmailer_script_t)

# ... or by handing the message to the local MTA (/usr/sbin/sendmail).
mta_send_mail(httpd_svnmailer_script_t)