[selinux-policy: 2267/3172] add gitosis from miroslav grepl.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:21:21 UTC 2010


commit dbed95369cf3e387abe8d43bf632093e64d80d37
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 3 09:52:08 2009 -0400

    add gitosis from miroslav grepl.

 Changelog                      |    1 +
 policy/modules/apps/gitosis.fc |    3 ++
 policy/modules/apps/gitosis.if |   45 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/gitosis.te |   37 ++++++++++++++++++++++++++++++++
 4 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index e0331c3..d092330 100644
--- a/Changelog
+++ b/Changelog
@@ -9,6 +9,7 @@
 - Handle unix_chkpwd usage by useradd and groupadd.
 - Add missing compatibility aliases for xdm_xserver*_t types.
 - Added modules:
+	gitosis (Miroslav Grepl)
 	hddtemp (Dan Walsh)
 	kdump (Dan Walsh)
 	shorewall (Dan Walsh)
diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc
new file mode 100644
index 0000000..75fa0fa
--- /dev/null
+++ b/policy/modules/apps/gitosis.fc
@@ -0,0 +1,3 @@
+/usr/bin/gitosis-serve			--	gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)?				gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if
new file mode 100644
index 0000000..d9d222d
--- /dev/null
+++ b/policy/modules/apps/gitosis.if
@@ -0,0 +1,45 @@
+## <summary>Tools for managing and hosting git repositories.</summary>
+
+#######################################
+## <summary>
+##	Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+	gen_require(`
+		type gitosis_t, gitosis_exec_t;
+	')
+
+	domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+##	Execute gitosis-serve in the gitosis domain, and
+##	allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`gitosis_run',`
+	gen_require(`
+		type gitosis_t;
+	')
+
+	gitosis_domtrans($1)
+	role $2 types gitosis_t;
+')
+
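Review bot: The doc block for `gitosis_run` ends at the `role` parameter without the `## <rolecap/>` line that refpolicy run interfaces normally place after the last `## </param>`, so generated documentation will not mark this interface as granting a role capability. The two doc blocks are also formatted differently: `gitosis_domtrans` indents its `<summary>` with a space while `gitosis_run` uses a tab, and `Domain allowed access` is missing its trailing period. Since `gitosis_run` is the interface that hands `gitosis_t` to a caller's role, it would help to say in its summary which callers are expected to use it.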
diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
new file mode 100644
index 0000000..1db10a3
--- /dev/null
+++ b/policy/modules/apps/gitosis.te
@@ -0,0 +1,37 @@
+
+policy_module(gitosis, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t) 
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
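Review bot: `gitosis_t` receives both `manage_files_pattern` and `exec_files_pattern` on `gitosis_var_lib_t`, so anything the domain can write under /var/lib/gitosis it can also execute, and with `corecmd_exec_shell` granted as well the policy does little to stop the domain from running content it created itself. If execute access exists only for repository hooks (presumably, since nothing in the hunk says so), a dedicated type for hook files, labelled in gitosis.fc and given `exec_files_pattern` while the rest of the tree keeps only the manage rules, would leave pushed repository data non-executable. At minimum, put a comment above the line, for example `# gitosis-serve runs hooks stored in the repositories`, so the write-plus-execute grant is visibly intentional to the next auditor. The `corecmd_exec_bin(gitosis_t)` line also carries trailing whitespace.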

