From 7887029ffba69fff5eb20369853247db7477fb71 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 Oct 2018 20:01:45 +0000 Subject: [PATCH] Some selinux policy for staging. --- roles/distgit/files/pagure.pp | Bin 0 -> 9020 bytes roles/distgit/files/pagure.te | 30 ++++++++++++++++++++++++++++ roles/distgit/pagure/tasks/main.yml | 10 ++++++++++ roles/distgit/tasks/main.yml | 12 +++++++++++ 4 files changed, 52 insertions(+) create mode 100644 roles/distgit/files/pagure.pp create mode 100644 roles/distgit/files/pagure.te 
diff --git a/roles/distgit/files/pagure.pp b/roles/distgit/files/pagure.pp new file mode 100644 index 0000000000000000000000000000000000000000..200eb4cede8354955aa188be7f10c4a270ee7a7c GIT binary patch literal 9020 zcmdT}OOG455$?@9+60@|A-5Euiw2Oj>&@okOR`?C5hL*fnRPCUph0z)B*tvAL$XIB zz<(h~@(c18bM?u=M>Zv@M-(J6b^+8b--zbXWXGKx`^TVR} z>+6@VJ}Qdh{7d@1)ZHaLHg%^MC_gQV0_fi>B7CPPidHN;%ik`F;_mE|*{^=nPv!8< zqS!tFu=sxe0BUK$30y17!Ut~OEsA1orRNWeA_%hFm$Fiuw7_uyb5MPk)SlDU>9O!0R*2yG%gBKov(l5$|RDlxsQ9&=ex@8-VX0_74E;L5{ITv`I(NwycBx`;PfRat!#vG^hX~I4UXx)xc4j z$}4Dx>0Ud0j)Dt<@4y5@$yXqazQPP1WvUl=Co^Cg9%zL(z|8;5l`m}`{p)@w$mgLS zo}cvZBmrI|4&KfIL3%A)cgu%J$s1 zfFT}iO5-_z4`janXvcF%n`FI72K9`Gc*!rQML93vrSJ3}(&9VEJ0=5m%rl-t+IJxX zi!r4U;I=Z5xQRXo=!oZEAMAYdpO67x{o@_P{Foi^)z9BSJfJH8e#ilS!rc9Qu!kIX z=s&~{a17_y*We@=(k6h-LwT?J#Je(%1#tlX7d^AjC5?_Djp>po5yRP%+bn6#<$ zw3@5;uTxB`FIK{e%Co&jvub7EySJid53%yFJW6kccG63uw{Z*}#R3X*C62{?-I&DM zFs-Ep@l^9VyelP~o3J~ZehoS#?w^pEQP_^vt=R;XIxR0#b&9!{s|;Z$!e~sRF`aj9 zYpkb6RMt3J7)uW6Y!(zZ2MT7fBcW?***4NSX>|0@S1ajam2oT6shW&d8(N7A-lHDS zLP8RFhy02+qcK%NM{3Ipwydjt7EytZjm>qKMVEZ8R91eWXDEEV;@b!SO&fh@SE+Nf z*%t2!aN;65jPT&tB&76l=@r;}; z1N^|&v}^^cp(DQ%o*Glj#fF?0o{!jYIzuyeY%lnY93AUAL>h}qF11ic@@I>zYqDIi zya1_Yzcv>AOxUM)i*cA%QTy|drSwO7^z4gJ5fYrZZpI-_Pk5azlu%K@46AC_hNkXw z06^O74Yw`fAprJ%R!?WM#>;ovSbR&-Tx{v{YUIk-f|^{x-K-&9n%DNxS_Iyd-F5$C~io+m<>>~_rPx8cf8qcGv{p4fTef` znG4Bv+O!Y%8Y66hrfG$jbE%}?+zW<6+~=J)jqtL%HHQZqEgD%J5FKoQkf(mdmRf5n zb}n;JZ{_=d8-?<>tXj5x7mM0d?pN#|#?Sv(npaWoo)VbWbgUN*donOx|a z7Zbj0?bO?j%Q;%<=|U*i|Bj5B&!{%+NE;u!9KVuTNhwR#wUV04GB~yFnr0Jq#KtJK zW9vzf<~6WpM4jV0l-$vn*xJ@g?Wg2SP_|OWp@+Au{ff~7p-GzKKq__3+H*~nu{eyX z%}uxW(HNapYt&j;J!#lEvFs00K?@Ru8I;g|GUm#O5bTcv*xG~qH7qtZv7gb_x1%vN z;suk?8^3}E3nA4l3|z7f|8z|7cL)0MDYcdt@^VVnC@vlQDK*NKH7`V`yy6R1al{I} zfJol{;2)rAbXnP$O$;oam(TthWiO4yLh!L9i936@7S zd2;7&JTTot1l)N=#Lma;$OS1bNTId#E7Vh|g+{R^sYz<|Q=tphUBgyZWNghgBD+sW znKe7C&&XpXmn(KYtP8-60tUB)d~=g0)5p;@@tYRbG`+T&vb!wo{WW=fOLyHD4!1l= 
zc0z>vV_)oilv#)E55^_SZe&<~W>`yKg#|okzh>6tOlK>m7WYgz^`Tc&M$|~ueiYqi zrfS7i3d8?hINe5Q7$_+o#U7dp6x-q5z8a3;>NV-bOnMbIf=7u^BJv;_QaPhY>vlmq}_r9F5H-;BY_qG>e6I< zcJECI73_YbgT0H+cNS_VozsDQ9&FjVIQj(}-D@tVGyym(l%4Az1wYx4cbo_=47){Dhz*ar$Bh_jEdBWhi?j965B4p_7|$ z0`4}8jYS+mZZ6nbS#wX---^sRZ1kt9_~oU?jTxZ?v(S!A=W!u}9rLoa94=sR4hz>W ynz;_=?m3fXoOQz8K!%Du3-xZ;N&tEG=E@cP_EqnWSiZyQ@Kk#eY4q1##QqHwjzXRQ
literal 0
HcmV?d00001
diff --git a/roles/distgit/files/pagure.te b/roles/distgit/files/pagure.te
new file mode 100644
index 0000000000..1a81ad8756
--- /dev/null
+++ b/roles/distgit/files/pagure.te
@@ -0,0 +1,30 @@
+module pagure 1.0.5;
+
+require {
+ type httpd_t;
+ type sysctl_net_t;
+ type gitosis_var_lib_t;
+ type httpd_git_script_t;
+ type git_script_tmp_t;
+ type git_user_content_t;
+ class dir { search getattr open read add_name remove_name write create rename};
+ class file { append open ioctl lock rename append getattr read create link setattr unlink write };
+ class lnk_file { read open getattr create unlink};
+}
+
+allow httpd_git_script_t git_script_tmp_t:file manage_file_perms;
+
+allow httpd_t git_user_content_t:dir { search getattr open read };
+allow httpd_t git_user_content_t:file { read open getattr };
+allow httpd_t git_user_content_t:lnk_file { read open getattr };
+
+optional_policy(`
+gen_require(` class file map; ')
+allow httpd_t git_user_content_t:file map;
+')
+
+allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write create rename};
+allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write rename append};
+allow httpd_t gitosis_var_lib_t:lnk_file { create unlink };
+
+allow httpd_t sysctl_net_t:file { open read };
diff --git a/roles/distgit/pagure/tasks/main.yml b/roles/distgit/pagure/tasks/main.yml
index 66b19a8237..c6f29fcb4f 100644
--- a/roles/distgit/pagure/tasks/main.yml
+++ b/roles/distgit/pagure/tasks/main.yml
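Review bot: The three `allow httpd_t gitosis_var_lib_t:…` rules near the end of the hunk grant the generic Apache domain create/write/unlink/rename on git repository data, whereas the first allow rule scopes its write access to the git CGI domain `httpd_git_script_t`; if only the Pagure web app needs to modify repositories, giving all of `httpd_t` this access is wider than the task requires and is the first thing to revisit. Nothing in the module records which denial each rule answers, which makes later pruning guesswork; a header comment such as `# Staging-only policy for pagure; each allow group below answers an AVC denial seen on <host - TODO>` plus a one-line comment per allow group would fix that. `manage_file_perms` and the `optional_policy`/`gen_require` wrapper are refpolicy macros, so this .te presumably only builds through the refpolicy Makefile rather than bare checkmodule, and the committed pagure.pp carries no build recipe, so nothing verifies the binary matches this source; that is worth stating in the same header comment. Minor: `append` is listed twice in the `class file` require line.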
@@ -229,6 +229,16 @@
 - web
 - pagure

+- name: set sebooleans so pagure can talk to libgit2
+ seboolean: name=httpd_execmem
+ state=true
+ persistent=true
+ tags:
+ - selinux
+ - web
+ - pagure
+ when: env == "staging"
+
 # HOTFIX: adjust bugzilla overrides
 - name: HOTFIX - adjust bugzilla overrides
 copy: src=fas2.py dest=/usr/lib/python2.7/site-packages/fedora/client/fas2.py
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 49e682521d..9092db03c0 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -468,6 +468,18 @@
 file: dest=/usr/local/share/selinux/ state=directory
 tags: selinux

+- name: copy over our custom selinux policy for pagure
+ copy: src=pagure.pp dest=/usr/local/share/selinux/pagure.pp
+ register: selinux_module
+ tags: selinux
+ when: env == "staging"
+
+- name: install our custom selinux policy for pagure
+ command: semodule -i /usr/local/share/selinux/pagure.pp
+ when: selinux_module is changed
+ tags: selinux
+ when: env == "staging"
+
 - name: copy over our custom selinux policy
 copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
 register: selinux_module
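Review bot: `httpd_execmem` lifts the execmem restriction for the whole `httpd_t` domain, not just Pagure, so every Apache-run process on the staging host loses that write-xor-execute protection; the task name says libgit2 needs it but records neither the reason nor the denial that motivated it. A comment above the task, e.g. `# httpd_execmem relaxes W^X for all of httpd_t; required because <libgit2 reason - TODO>, seen as <AVC denial - TODO>`, would let a later reviewer decide whether it can be dropped or narrowed. Scoping it with `when: env == "staging"` is the right call while this is being trialled. The surrounding task list continues outside the hunk.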
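Review bot: The `install our custom selinux policy for pagure` task carries two `when:` keys (`when: selinux_module is changed` and `when: env == "staging"`); a YAML mapping cannot hold duplicate keys, and depending on Ansible's duplicate-key setting the file is either rejected or only the last key is kept, in which case the `is changed` guard silently disappears and `semodule -i` runs on every play. Collapse them into a single condition: `when: env == "staging" and selinux_module is changed`. The copy task also registers into `selinux_module`, the same name the upload_cgi copy in the context lines below uses; that works only because each copy directly precedes its own install, so a distinct name such as `pagure_selinux_module` (updated in both tasks) would make the pairing explicit and survive reordering.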