From 1ef758c40882fddc1f9eaa72a47d048abfc0a513 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Tue, 10 Nov 2020 15:35:33 +0100
Subject: [PATCH] distgit: install another custom selinux policy

Signed-off-by: Pierre-Yves Chibon
---
 roles/distgit/files/http_policy.te | 14 ++++++++++++++
 roles/distgit/tasks/main.yml | 8 ++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 roles/distgit/files/http_policy.te

diff --git a/roles/distgit/files/http_policy.te b/roles/distgit/files/http_policy.te
new file mode 100644
index 0000000000..5f41da0b9e
--- /dev/null
+++ b/roles/distgit/files/http_policy.te
@@ -0,0 +1,14 @@
+#============= httpd_sys_script_t ==============
+allow httpd_sys_script_t git_content_t:dir search;
+allow httpd_sys_script_t gitosis_var_lib_t:dir { getattr search };
+allow httpd_sys_script_t self:capability { audit_write dac_read_search setgid setuid sys_resource };
+allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay };
+allow httpd_sys_script_t self:process setrlimit;
+allow httpd_sys_script_t shadow_t:file { getattr open read };
+
+#============= httpd_t ==============
+allow httpd_t git_content_t:dir { add_name remove_name write };
+allow httpd_t git_content_t:file { create rename setattr unlink write };
+allow httpd_t gitosis_var_lib_t:dir { add_name create remove_name rmdir write };
+allow httpd_t gitosis_var_lib_t:file { create link rename unlink write };
+
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index c3ff4548e4..97ef03c810 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -313,6 +313,14 @@
 when: nfs_selinux_module is changed
 tags: selinux
 
+- name: Install another one of our own SELinux policy
+ run_once: true
+ include_role:
+ name: selinux/module
+ vars:
+ policy_file: files/http_policy.te
+ policy_name: http_policy
+
 - name: setup grokmirror for repos
 package: name=python3-grokmirror state=installed
 tags:
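Review bot: The rule `allow httpd_sys_script_t shadow_t:file { getattr open read };` combined with `self:capability { setuid setgid dac_read_search ... }` lets any CGI running in httpd_sys_script_t read /etc/shadow and switch uid, which undoes most of the confinement that domain exists to provide. These lines read like unedited audit2allow output, so it is worth identifying which program produced the denials; if it is PAM-style password checking, the upstream pattern is a domain transition to chkpwd_t (`auth_domtrans_chk_passwd(httpd_sys_script_t)`, or the existing `httpd_mod_auth_pam` boolean) rather than direct shadow_t access, and the `audit_write`/`netlink_audit_socket`/`setrlimit` denials are usually candidates for dontaudit rather than allow. The file also has no `module`/`require` header, which presumably the selinux/module role supplies as it does for the existing NFS policy — confirm that, since without it checkmodule will reject the file. Whatever is kept, a comment at the top of each section should record why, e.g. `# denials seen from the dist-git CGI path on <host>, <date>; see ticket <n>`, so the next reviewer can judge whether each rule is still needed.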
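Review bot: The new task is missing the `tags: selinux` that the preceding task in this hunk carries, so a run limited with `--tags selinux` will rebuild the NFS module but silently skip this one; add `tags: selinux` next to `run_once: true` (tags on an `include_role` apply to the include itself, so the role's own tasks also need to be tagged or use `apply:` for them to run). `run_once: true` additionally means the module is compiled and loaded on only one host of the play; if the distgit role ever targets more than one host, the others will keep running httpd without this policy — confirm that is intended, or drop `run_once` so every host gets the module. The surrounding play and the selinux/module role are outside this hunk, so whether the NFS task is also run_once cannot be checked from here.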