Add our own SELinux policy for upload.cgi

Many thanks to tfirg on #selinux for helping out making this policy

roles/distgit/files/upload_cgi.te

@@ -0,0 +1,25 @@
+policy_module(upload_cgi,1.0.0)
+
+
+gen_require(` type httpd_git_script_t ; ')
+type upload_cgi_tmp_t;
+files_tmp_file(upload_cgi_tmp_t);
+allow httpd_git_script_t upload_cgi_tmp_t:file manage_file_perms;
+files_tmp_filetrans(httpd_git_script_t, upload_cgi_tmp_t, file);
+
+
+# Do not audit attempts to read the process state (/proc/pid) of all domains. 
+domain_read_all_domains_state(httpd_git_script_t);
+
+# List the contents of the sysfs directories. 
+dev_list_sysfs(httpd_git_script_t);
+
+# Allow sending logs to syslog
+logging_send_syslog_msg(httpd_git_script_t);
+
+# Get the attributes of all pty device nodes. 
+term_getattr_all_ptys(httpd_git_script_t);
+# Get the attributes of all tty device nodes. 
+term_getattr_all_ttys(httpd_git_script_t);
+# Do not audit attempts to get the attributes of generic pty devices.
+term_dontaudit_getattr_generic_ptys(httpd_git_script_t);

roles/distgit/tasks/main.yml

@@ -295,3 +295,16 @@
   - config
   - lookaside
   - selinux
+
+# Three tasks for handling our selinux policy for upload.cgi
+- name: ensure a directory exists for our SELinux policy
+  file: dest=/usr/local/share/selinux/ state=directory
+
+- name: copy over our custom selinux policy
+  copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
+  register: selinux_module
+
+- name: install our custom selinux policy
+  command: semodule -i /usr/local/share/selinux/upload_cgi.pp
+  when: selinux_module|changed
+