redmine_git.te
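policy_module(redmine_git,1.0.0)

########################################
#
# Declarations
#
########################################

# Types and object classes referenced by the rules below.
# NOTE(review): httpd_redmine_git_script_t and httpd_redmine_git_script_exec_t
# are also declared by the apache_content_template() call in this same module;
# whether a module may both require and declare a type depends on the
# checkmodule/semodule release in use — confirm on the target system.
require {
	type httpd_t, httpd_sys_script_t, httpd_sys_script_exec_t;
	type sudo_db_t;
	type httpd_redmine_git_script_t;
	type httpd_redmine_git_script_exec_t;
	type gitosis_var_lib_t;
	class process { setrlimit setfscreate };
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class capability { setuid sys_resource setgid };
	# 'write' was listed twice in the original permission set; once is enough.
	class dir { getattr search write rename create reparent rmdir };
	class lnk_file unlink;
}

# Declares the httpd_redmine_git_script_* types (domain, exec and content
# types) and the generic apache script-domain rules they inherit.
apache_content_template(redmine_git)

# SECURITY: while this line is present every denial for the domain is only
# logged, never enforced, so none of the rules below actually confine the
# scripts. Keep it only while collecting AVCs during development and remove it
# before the module is deployed on an enforcing host.
permissive httpd_redmine_git_script_t;

########################################
#
# httpd_redmine_git_script local policy
#
########################################

# Read/write the module's own content type.
manage_dirs_pattern(httpd_redmine_git_script_t, httpd_redmine_git_script_rw_t, httpd_redmine_git_script_rw_t)
manage_files_pattern(httpd_redmine_git_script_t, httpd_redmine_git_script_rw_t, httpd_redmine_git_script_rw_t)

# Baseline needs of almost any script domain: inherited fds, /etc, locale data.
domain_use_interactive_fds(httpd_redmine_git_script_t)
files_read_etc_files(httpd_redmine_git_script_t)
miscfiles_read_localization(httpd_redmine_git_script_t)

# Allow our scripts to be called by redmine/apache: executing the
# httpd_redmine_git_script_exec_t files from httpd_sys_script_t transitions
# into httpd_redmine_git_script_t.
httpd_redmine_git_script_domtrans(httpd_sys_script_t)

# Allow us to access to rest of redmine site (public content).
miscfiles_read_public_files(httpd_redmine_git_script_t)
miscfiles_manage_public_files(httpd_redmine_git_script_t)

#============= httpd_redmine_git_script_t ==============
# Specific capabilities identified by audit2allow. Rules generated this way
# reflect what the scripts happened to touch, not the minimum they need, so
# each one is worth re-checking against the actual AVC that produced it.

# audit_write / netlink_audit_socket / key write and the setuid/setgid
# capabilities together with the sudo_db_t lookup suggest the scripts invoke
# sudo (PAM audit logging, session keyring, timestamp dir) — TODO confirm.
allow httpd_redmine_git_script_t self:capability { audit_write setuid sys_resource setgid };
allow httpd_redmine_git_script_t self:key write;
allow httpd_redmine_git_script_t self:netlink_audit_socket { write nlmsg_relay create read };
allow httpd_redmine_git_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow httpd_redmine_git_script_t self:process setrlimit;
# Only stat/search of the sudo timestamp directory, not write.
allow httpd_redmine_git_script_t sudo_db_t:dir { getattr search };

# Capabilities required to manage gitolite repositories (gitosis_var_lib_t is
# the label the gitosis/gitolite policy uses for the repository tree).
allow httpd_redmine_git_script_t gitosis_var_lib_t:dir { rename create reparent rmdir };
allow httpd_redmine_git_script_t gitosis_var_lib_t:lnk_file unlink;
gitosis_read_lib_files(httpd_redmine_git_script_t)
gitosis_manage_lib_files(httpd_redmine_git_script_t)

apache_rw_stream_sockets(httpd_redmine_git_script_t)
kernel_read_kernel_sysctls(httpd_redmine_git_script_t)
logging_send_syslog_msg(httpd_redmine_git_script_t)

# These seem to be needed for ssh.... Not sure why ssh needs
# to read and/or validate contexts...
# NOTE(review): an SELinux-aware ssh client reading/validating contexts would
# explain setfscreate, selinux_validate_context and the seutil_* reads. The two
# rules flagged below go well beyond that and should be narrowed once the
# permissive line is gone and real AVCs are available:
#  - miscfiles_manage_cert_*: grants write access to the system certificate
#    store; an ssh client only needs to read it (miscfiles_read_generic_certs).
#  - selinux_load_policy: lets this web-facing script domain load a new kernel
#    policy, i.e. rewrite its own confinement. Nothing in an ssh client needs
#    this; remove it and re-check the audit log.
allow httpd_redmine_git_script_t self:process setfscreate;
miscfiles_manage_cert_dirs(httpd_redmine_git_script_t)
miscfiles_manage_cert_files(httpd_redmine_git_script_t)
selinux_load_policy(httpd_redmine_git_script_t)
selinux_validate_context(httpd_redmine_git_script_t)
seutil_read_file_contexts(httpd_redmine_git_script_t)
seutil_search_default_contexts(httpd_redmine_git_script_t)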