distgit: keep working on the http_policy

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-11-10 15:56:37 +01:00 · 2020-11-10 15:56:37 +01:00 · be1c8bcb45
commit be1c8bcb45
parent 033c798d6e
1 changed files with 5 additions and 3 deletions
--- a/roles/distgit/files/http_policy.te
+++ b/roles/distgit/files/http_policy.te
@ -1,4 +1,4 @@
-module http_policy 1.1;
+module http_policy 1.2;

 require {
 	type gitosis_var_lib_t;
@ -25,7 +25,9 @@ allow httpd_sys_script_t shadow_t:file { getattr open read };
 #============= httpd_t ==============
 allow httpd_t git_content_t:dir { add_name remove_name write };
 allow httpd_t git_content_t:file { create rename setattr unlink write };
-allow httpd_t gitosis_var_lib_t:dir { add_name create remove_name rmdir write };
-allow httpd_t gitosis_var_lib_t:file { create link rename unlink write };
+allow httpd_t gitosis_var_lib_t:dir { create rmdir };
+allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
+allow httpd_t gitosis_var_lib_t:file rename;
+allow httpd_t gitosis_var_lib_t:file { create link unlink write };
 allow httpd_t var_t:file { getattr open read };