author | Chris PeBenito <cpebenito@tresys.com> | 2009-09-03 09:52:08 -0400 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-03 09:52:08 -0400 |
commit | dbed95369cf3e387abe8d43bf632093e64d80d37 (patch) | |
tree | f2253efd462885366580f9aeb9be9518c1aeb555 | |
parent | 634a13c21f137279bf470035ba28101448a9fb84 (diff) |
add gitosis from miroslav grepl.
-rw-r--r-- | Changelog | 1 | ||||
-rw-r--r-- | policy/modules/apps/gitosis.fc | 3 | ||||
-rw-r--r-- | policy/modules/apps/gitosis.if | 45 | ||||
-rw-r--r-- | policy/modules/apps/gitosis.te | 37 |
4 files changed, 86 insertions, 0 deletions
@@ -9,6 +9,7 @@ - Handle unix_chkpwd usage by useradd and groupadd. - Add missing compatibility aliases for xdm_xserver*_t types. - Added modules: + gitosis (Miroslav Grepl) hddtemp (Dan Walsh) kdump (Dan Walsh) shorewall (Dan Walsh)
diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc
new file mode 100644
index 00000000..75fa0fa1
--- /dev/null
+++ b/policy/modules/apps/gitosis.fc
@@ -0,0 +1,3 @@
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if
new file mode 100644
index 00000000..d9d222dc
--- /dev/null
+++ b/policy/modules/apps/gitosis.if
@@ -0,0 +1,45 @@
+## <summary>Tools for managing and hosting git repositories.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+## Execute gitosis-serve in the gitosis domain, and
+## allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_run',`
+ gen_require(`
+ type gitosis_t;
+ ')
+
+ gitosis_domtrans($1)
+ role $2 types gitosis_t;
+')
+
diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
new file mode 100644
index 00000000..1db10a3b
--- /dev/null
+++ b/policy/modules/apps/gitosis.te
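Review bot: The `/var/lib/gitosis(/.*)?` context in gitosis.fc labels the whole gitosis home, including any `.ssh` directory, as gitosis_var_lib_t, and nothing in this commit lets sshd read that type. If, as is usual for a gitosis deployment, sshd dispatches `gitosis-serve` through a forced command in `/var/lib/gitosis/.ssh/authorized_keys`, key lookup will be denied or will depend on local policy; a more specific entry such as `/var/lib/gitosis/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)` would let the existing ssh policy cover it (to be confirmed against the package's actual layout). Only `gitosis-serve` is labeled gitosis_exec_t; if the package installs other helpers in /usr/bin (a hook runner, an init tool), they keep the generic bin label and will not enter gitosis_t, which should be a deliberate choice rather than an omission.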
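Review bot: gitosis.if exposes only `gitosis_domtrans` and `gitosis_run`, so no other domain can be granted access to gitosis_var_lib_t through a public interface; any consumer of the repositories (a web front end, or sshd reading material under /var/lib/gitosis) would have to fall back to local policy. A read/search interface is the conventional minimum for a module that owns a data type, so I would add one alongside the two transition interfaces. A minor style point: the domain `<summary>` of gitosis_run reads `Domain allowed access` without a terminating period, unlike its sibling in gitosis_domtrans; `##	Domain allowed access.` matches the rest of the file.
```selinux
########################################
## <summary>
##	Read gitosis data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gitosis_read_lib_files',`
	gen_require(`
		type gitosis_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
')
```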
@@ -0,0 +1,37 @@
+
+policy_module(gitosis, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
|
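Review bot: gitosis_t is declared here and `gitosis_domtrans`/`gitosis_run` are provided, but no caller of either is part of this commit (the diffstat lists only Changelog, gitosis.fc, gitosis.if and gitosis.te), so as merged no domain transitions into gitosis_t and gitosis-serve keeps running in whatever domain invokes it, merely with a gitosis_exec_t label. Until the invoking domain (presumably sshd or the login shell it spawns for the gitosis user) is wired to `gitosis_domtrans`, the module adds labeling but no confinement, and that follow-up should be tracked. Separately, `exec_files_pattern` and `manage_files_pattern` are both granted on gitosis_var_lib_t, so gitosis_t may execute any file it can itself write under /var/lib/gitosis, on top of `corecmd_exec_bin` and `corecmd_exec_shell`; if the only executable content there is repository hooks, a dedicated hook type would keep write and execute on different types, and the domain is small enough now that this is cheap to settle.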