Update upload_cgi and add cgi-nfs for pkgs

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/distgit/files/cgi-nfs.te

@@ -0,0 +1,23 @@
+policy_module(nfscgi, 1.0.0)
+
+require {
+	type httpd_git_script_t;
+	type git_script_t;
+	type git_system_t;
+	type httpd_git_content_t;
+	type nfs_t;
+	class dir { create write search add_name remove_name getattr open };
+	class file { create write rename setattr read open };
+}
+
+
+allow git_system_t httpd_git_content_t:dir { getattr read open };
+allow git_system_t httpd_git_content_t:file { read open getattr };
+
+
+
+allow httpd_git_script_t nfs_t:dir { write };
+allow git_system_t httpd_git_content_t:dir { search };
+allow httpd_git_script_t nfs_t:dir { create write add_name remove_name };
+allow httpd_git_script_t nfs_t:file { create write rename setattr };
+allow git_script_t nfs_t:file { unlink link };

roles/distgit/files/upload_cgi.te

@@ -1,4 +1,4 @@
-policy_module(upload_cgi,1.1.0)
+policy_module(upload_cgi,1.2.0)
 
 
 require {
@@ -27,6 +27,3 @@ term_getattr_all_ptys(httpd_git_script_t);
 term_getattr_all_ttys(httpd_git_script_t);
 # Do not audit attempts to get the attributes of generic pty devices.
 term_dontaudit_getattr_generic_ptys(httpd_git_script_t);
-
-# Allow upload.cgi to make link on nfs
-allow git_script_t nfs_t:file { unlink link };

roles/distgit/tasks/main.yml

@@ -328,3 +328,10 @@
   command: semodule -i /usr/local/share/selinux/upload_cgi.pp
   when: selinux_module|changed
 
+- name: copy over our custom nfs selinux policy
+  copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
+  register: nfs_selinux_module
+
+- name: install our custom nfs selinux policy
+  command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
+  when: nfs_selinux_module|changed