Some selinux policy for staging.

2018-10-10 20:01:45 +00:00 · 2018-10-10 20:01:45 +00:00 · 7887029ffb
commit 7887029ffb
parent 78775f1b36
4 changed files with 52 additions and 0 deletions
--- a/roles/distgit/files/pagure.pp
+++ b/roles/distgit/files/pagure.pp
--- a/roles/distgit/files/pagure.te
+++ b/roles/distgit/files/pagure.te
@ -0,0 +1,30 @@
+module pagure 1.0.5;
+
+require {
+        type httpd_t;
+        type sysctl_net_t;
+        type gitosis_var_lib_t;
+        type httpd_git_script_t;
+        type git_script_tmp_t;
+        type git_user_content_t;
+        class dir { search getattr open read add_name remove_name write create rename};
+        class file { append open ioctl lock rename append getattr read create link setattr unlink write };
+        class lnk_file { read open getattr create unlink};
+}
+
+allow httpd_git_script_t git_script_tmp_t:file manage_file_perms;
+
+allow httpd_t git_user_content_t:dir { search getattr open read };
+allow httpd_t git_user_content_t:file { read open getattr };
+allow httpd_t git_user_content_t:lnk_file { read open getattr };
+
+optional_policy(`
+gen_require(` class file map; ')
+allow httpd_t git_user_content_t:file map;
+')
+
+allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write create rename};
+allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write rename append};
+allow httpd_t gitosis_var_lib_t:lnk_file { create unlink };
+
+allow httpd_t sysctl_net_t:file { open read };
--- a/roles/distgit/pagure/tasks/main.yml
+++ b/roles/distgit/pagure/tasks/main.yml
@ -229,6 +229,16 @@
  - web
  - pagure

+- name: set sebooleans so pagure can talk to libgit2
+  seboolean: name=httpd_execmem
+                    state=true
+                    persistent=true
+  tags:
+  - selinux
+  - web
+  - pagure
+  when: env == "staging"
+
 # HOTFIX: adjust bugzilla overrides
 - name: HOTFIX - adjust bugzilla overrides
  copy: src=fas2.py dest=/usr/lib/python2.7/site-packages/fedora/client/fas2.py
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@ -468,6 +468,18 @@
  file: dest=/usr/local/share/selinux/ state=directory
  tags: selinux

+- name: copy over our custom selinux policy for pagure
+  copy: src=pagure.pp dest=/usr/local/share/selinux/pagure.pp
+  register: selinux_module
+  tags: selinux
+  when: env == "staging"
+
+- name: install our custom selinux policy for pagure
+  command: semodule -i /usr/local/share/selinux/pagure.pp
+  when: selinux_module is changed
+  tags: selinux
+  when: env == "staging"
+
 - name: copy over our custom selinux policy
  copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
  register: selinux_module