distgit: adjust the selinux policy a little more

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

roles/distgit/files/http_policy.te

@@ -2,23 +2,27 @@ module http_policy 1.2;
 
 require {
 	type gitosis_var_lib_t;
+	type httpd_suexec_t;
 	type httpd_sys_script_t;
 	type httpd_t;
 	type shadow_t;
 	type var_t;
 	type git_content_t;
 	class process setrlimit;
-	class capability { audit_write dac_read_search setgid setuid sys_resource };
+	class capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
 	class netlink_audit_socket { create nlmsg_relay };
 	class file { create getattr link open read rename setattr unlink write };
 	class dir { add_name create getattr remove_name rmdir search write };
 }
 
+#============= httpd_suexec_t ==============
+allow httpd_suexec_t httpd_sys_script_t:process { noatsecure rlimitinh siginh };
+
 #============= httpd_sys_script_t ==============
 allow httpd_sys_script_t git_content_t:dir search;
 allow httpd_sys_script_t gitosis_var_lib_t:dir { getattr search };
-allow httpd_sys_script_t self:capability { audit_write dac_read_search setgid setuid sys_resource };
+allow httpd_sys_script_t self:capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
-allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay };
+allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay read write };
 allow httpd_sys_script_t self:process setrlimit;
 allow httpd_sys_script_t shadow_t:file { getattr open read };
 
@@ -29,5 +33,7 @@ allow httpd_t gitosis_var_lib_t:dir { create rmdir };
 allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
 allow httpd_t gitosis_var_lib_t:file rename;
 allow httpd_t gitosis_var_lib_t:file { create link unlink write };
+allow httpd_t httpd_suexec_t:process { noatsecure rlimitinh siginh };
+allow httpd_t self:capability net_admin;
 allow httpd_t var_t:file { getattr open read };