From d2e73c5d91ff4698334a95a3fc47c4f503c18011 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Wed, 28 Jan 2015 12:22:10 +0100
Subject: [PATCH] Add our own SELinux policy for upload.cgi

Many thanks to tfirg on #selinux for helping out making this policy
---
 roles/distgit/files/upload_cgi.pp | Bin 0 -> 65035 bytes
 roles/distgit/files/upload_cgi.te |  25 +++++++++++++++++++++++++
 roles/distgit/tasks/main.yml      |  13 +++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 roles/distgit/files/upload_cgi.pp
 create mode 100644 roles/distgit/files/upload_cgi.te

diff --git a/roles/distgit/files/upload_cgi.pp b/roles/distgit/files/upload_cgi.pp
new file mode 100644
index 0000000000000000000000000000000000000000..2b472f7aab7528d7644f8748686e26673455c161
GIT binary patch
literal 65035
zcmeI51(@8%{r<PVvdhfvwk|lW<KBsta+{`@G;Nx4yVYsu?o{utHj>uoYg1-sW@ct)
zW@ct)2LGRT-ktBR?!M>PiJklldY-fQ9sInb(aZ=|`{;cq|Mg6rPUrtRoz8_jozBTW
z>U18t@8rLpuhZ$AaKrA+i_v6n_t>&O85ktFK&R6|@^f^!ZR>P8lkuR;`n`OmIBTcV
zS=_a-YvH=n==sg>bnG8$!FI(?r*o<4AGVQc2E}N1FPrp>rdOBwZquBr)9G9Saf4yK
z(yPoMTR&T;V{6UEV>9ZXrPJvk(NZz$pS{!RoV(NM<mG5&@&*YJomVDn4A9Qp>2%hr
zqA@Uss#$E)tg})S1Y@XY$qbgOa)@m3Ta<Y-IA^ERxhS$_L(@Zz=k0Vlmy~iUll8|{
zu?NLmTtaPyV7XAI)2Yp<-;}5Wtx%bKPj6VSKwo4U3k@Tvc*QhX(^QZspr*t}RGj6x
z8C#dIvtpWZ+`un(6Ht)u{LEI48`OcFSFcW*ez`V+zTlJrMv)U04a$5seBy7~4o!)o
z&V$IJZp;Y#{9@t{RUrhMYge=_wk97>cO*(cs?)O9l-+|O(LdN0@BwbXO*=tT?tc#=
zx!r?hpSu)oV0WHbLlNLUJ$4-Wt?iNMT2uDZWoM!iY^WTq>2~F?UO5SkgZ9Yky3C8L
zvE3L)!|aek``8|iwCGclQL)$d31mc9?3=o&%5_K_e{+2rRZsggK4M3qGa)4?%;=<v
znHYRT;kIB~6^g-zgxLA`!`3e<lz}6(8ukl&pddH<97s_O*^w6qk=bkV$%fHE>1W7@
zU4#J&1tG~~1l8(ZNP^D8Aq<_eu8|Zys4~NHkLh6tqjKb%YYP-QZ3}l~X8pcR4b9PF
zoK<GjINLxUmUaZ3Kjd+oRtD9eOb#nqm9N4AvZ@C-A}~4(%gLxIZKuFNRF2IEQ5Z%}
znv_je+5-ZIdA*j6nGoBq=`e}Tfo*Jz-KWqP<=_Du8UtS39I!Ol-CHgO7WMSsRoE@_
zy9!pf-Y<v+_bImf!L~Gp;ZtmB*Mevz^l<!P%U7#2umwRe--4h+tC~?$t&husz4dUn
zDY_>bae6TKMrE(5vXR}N8+tX4hf{28H^5wGI`m-p!B&j(GiFFcv$n@T*BuZ#e?SdJ
z|2v=#?0~}Ij16Pw<)(kw##M=78-ph%h!xZ1*%-=>dRDn{qAphIrW|9`M+xJm%5u}o
zSBrt2#L$iEVkKW4^l=2(wb*J_*?o8EX?I;U*%*5la~KMrR2bsjoKc%*x#on0O3)u`
z)9g0u43h!ASSd!U82B;y^w&qW_ZLl3+O--S&O$IcVOU-+tKFy>b*-4DHg!EskNz|&
zv!*urq_UG0^3=u3?qV>2chp-KE2GIkmc+GbszEU<?CgYNZaTN2pQ4YVhJ4l7cEO=q
zn+8WKq5)CQMZ@WeX~rvsO$}Q$CF(^EHZ+RGss-iLO~z#_W-WqDTja9S(#w4JtkGZs
z1~O|0>pwfFn;{wl+tsI&rRyYlHqMrcLD8&xz{Tz~<8rW;?KTs;|IwnuEbo<jOjQ+q
z3x{?`Sk@mFcHXodV!a-eD=-B&OPGy&^`yqR3`#~zqtsqD$f_Y45(s%Y99QMAs7-IT
zsYYgiqOqYhP&NLrE%#9e)TFlE1KU+Mm>Fm8)Cy%Um(^NU^?T*So+H58@}OLUc3lN$
zE%=ODF`EMv^e$^L!oEPwa>js?k;N88_t<bm&Cg!gE#`2Y9KZ^iLO*wdfzxAUKWn(d
zcuI!$$A*42KOHO=%jFrkJotB7U|~ODL%*2sqG#Ol^gnZP<=Ppu0ESyP<l+q6jjdI-
zR*ZY@!~w@Jt|T~(fo9UDc0&<!V4%W~XlFcJdzfm}i5$>4RFI~hPm4qV{%inJU;@JU
zWk$<om75;UV9_f;ig;eYLCqk-MF$*m*e<`J@3>1^qvb)la(J(V{1**&*#FqBwqah|
zZS2KCJ7I3V=7&Cjp0uYhYxs-?!wEc+WADygiQqiP;TlP6djgHa5nFe<&ca#?o7>4v
zKJFLU8M>R%L+!;Yd%5(#;mRXM5o}oZ&0h<$SBvVVGTHF(9(Nc9Q1Pk00*U@-_u1)t
z!4ds>zMmhKE5%suVOyA1h6=H95!<UxwWrAK)p*44ptZ}Dx|h{B-<qyuds!_jYd6+n
zVUKp(co<gYq%ntgpYMOH{qH*n-GGdfS{x7f!&a}_%kk*pr|%_XbZ$W4><a&5dY@fC
zb_4nLEoST53~<-$jO;`IQ70#^J7BM1^28suTu!RdLlBDV9eHN2uV9zqv_I#?7vx<o
z*G9%(QNU<luh+e$vTQKM;4%O-?&Rg=Xt}Vr&=4~+O|Qz<P#ShS64}#nFxj)e^}3g@
zR%O{B1n1ib8QS}u$Yifotk)=`D6ufaK-J%HqK~n&80S692U6@lTr9y5hJyncaBHK-
zl>`d57v|UN-Z;zi2B&Q(9JEVSnf3FmZcr-55*t{Ikl7BGSiEA;L+(+LTa8N?&`rV1
z{urT_Ytt0=$`g*u;qFmsyA|5HHqA;Qms4ufOqdWCm<A@Rt#v@5Zrfe}!HCO?y>?{*
zb7(XkEX8m*X|kn(UBhFHw&v^=F%*RBW6YbEqoyhcaDfugZa7R~-(CbmW1G61RJpxp
ziy0taE!ReF+`rNm<9;!Yme<b6WA?vq+=pXqJ2&hSo=Kf?mv(S`VTh2Mx~JE0icW0T
za;NuQT)4%C!%SNgEf<wp%Lar09UrzY9G1l{#zNccrq8NmwjW|cx4`h_hA<o&|GO%O
zsr3|Z#bHLqhE9zM+^ya0YOcRh9q!Y+{V(-TuW<!yio<@ghRGk>jtx!iu5auvm+ofr
zrZ+Kr%*Z{Ug%&`^Kg7@V{1-JlS`Qm6<FnJa?p&|ejj`uYST4yq6a<plM>1CUlpM0p
zJ-3Evtn_C0{h-i~Hr$xAWeiKZPQ+TvJ^_NX>~A9NMc0v)m|n5p<z^2S(%7!B#q6_p
zxjM{OVfNo&{`*#DZjW4fi(|Pzs{VHb^K|dDKM#qc1)Dd$vw*`B+w^?R4c>TE0EZ2Z
zq`JwPiG4l=iTg#3Gbco%EHi>aHgs#8N8&SL@tiIGhpr5i>-cq(RrVAXo0}-zWVzd{
zpOFhc5ZiNYxp#tv5bmA)8$SGs2FC_N^TYMXG{rIkkl?i3zd~!F9J5lH+IA6)x5dax
z^cD=v`@6Y?F4VfYWxH5Dy&Z;=acsE$;Q9$RJ{0i3ZelM1o%S&Sdl1`^(~H=cTCoic
zp5$muZf8+D;SRHL@9w55-Bnav%fUXzpUqOQ;CM$`96__WIXA@~d$|SM;`Hppoe4IR
z(ZA2m#0e6>v!==N)t-Is7d~+;=?}@`D8co;GxQ;NY&ew!x@&iPoB6-+(g(UImyCz;
z6dR3=?T8J7S2i9GOp^_E|NC_L|IfR(o96JP9gI9~{2Eu~-gP$|;gU8EU2GUP=Z}Nw
z0~!B25)RMBCU@!eD$~^<b_q6jjyQdk)2=m5gKO?)uRU3J(+D48;StM+Sg=e$G2?PD
z%$j`F-MqzOZGNTTt_Pff`}RL-Md{{!-2K2(4}aKdp7~>-aC_CBB47{Bo^L@@9O5tF
zVC@2k*&S0<f(@uR;N3yb>l27Y=ix~Wx(!AT-b3qE=A_B=`6)Q54DQ+C6MFF6iH}|K
z+7lnw29r_WEEgkVpXh>V+$t(Y%O!H6<ML5jdt(j#78tA9!1i(g@&pMuh@B?R%TZnO
zCY3!l?9;fo-v<NOP*KYw9)d2Kb(Dh~coY{87!1vD$y7)QGcI&en+hp`=fb$J;LkRa
zX{OJWVI>Z-eAVQ;?QJo$x4|tj_`^Yq@XDNo^&*1d&y_j7^n$9<T(xPI%5s2=XnOl~
z%yBs=@^u8UF|z(#5NPnswaLd>mD#IBwp&fjWqV)%e?UeIw(0f1YW~ZeTYYxhd_2lR
znb_EKSQgT_I$ZpGzWL8?n-9a(gFmzc?4vAqP$3=uHkOa8YrSTDY_Oz2rAXis%@;oV
za%-;{j(heQY3z-y()SG>X<<6_g#Dx&H+4@gpl+28Uq|T40kc)Adc9t*dkrqBV{aqb
zRxN-yZ0>*<6u6p;robSNPPV_?ZvTwRQO_M3_Ev^10sRr(dSeN08#n8?Cx>L%VOu3@
zn9LnA8<T1Kb6gJAXNM$qDstfu+x!m2GXicWp}kx>E$wR4jQhP6d>uKjigCjh20l`6
z)xz^_lueq|S^J=O;*fWBZel|ZL-8p3K&ohlWA}VAdjG~OZtIuBtQa}vHb>!j>ji|&
zx0QuG%j^KbmM;Jf<BC;_3ovA6aseiPI&GVLae)E9p9L)16#twBc(#aAieQoJq8WdG
z(Y{UpNYR1SPZk|o{an$J)h`zvTm44SiPi5Gomz*uK!Po2^&g!{oBZ>liTh2_O#fri
z#Qm*k;{IJUanFjjx788%e4>ea3DLyeE}FQw^K0|7x+7h*Puy5Eajz$uxHl8c{3nVg
zZcj9E3(>@_MHBa)qKW%p(Zt0WoW*7Fk9E-jai1=lxGxk<+*gYx?psB(y!VSH?k7bP
z_sgP*`(4q*{kdr3;xx$OvbaCG=#aSkL=*R%(?co`iF+Z@#J!AY;$B5G%U={t+-ry?
z?hQo~_ZFgwdo72{?6-H(5pi?T#2tzz?wV-g-d8knA1<1>PZZ7io-LZVFBMJP*NZ0Z
zjT|nMztcs>#Qm^n;(k^%albB_xIYw4++T|(?q5X{_sni6idp}8L=*R7qKSJ;hs)^8
zyXb_tR})R#P&9F`BbvB35l!3^L=*SUqKUgAnz$#4CeJ-Y6Zeh|H?;%T16_1V+((Nh
z?o&k*_xYlU`%2NoeY0rdzE?DHKQ5ZMUldK;Z;MVBuw$k>r;{&YBKet%U0hgL#7wj7
z+$=8G1b>(%ShNBEngw`^_>2V+wtUeRFrG=P?=IT2`T?SSs~;sgu=**YL#v-BI<oo|
zqGPMyBs#JBJ)%>qKjyTzU~%0|o18dbkZ9t5OElwuBAU3r6HVNIh$imY+)(8a_xz%X
zdr8s6y`pI1?sD2Et~|`i>Jy13?)60z_vWIR{x+hCdsorKy_;y_Hlm4pFVVz(h-l(I
z&gp=-_%0;2oYg%;qKW$=(Zqd?XyU$2H1mHzG;u#Anz&yPP2BH^Chjjp6ZcO}hr|sW
zE{k^uM;;P)n;XeO;$B!ZaW5;HxI09%JWn)nuPK_i$A~8G@uG=)2d5+AUfbcaxV}Ua
zcO;s)dqorXexix{2+_oSl4zFy9MQymnP}p^K{RpS<#bHk8#`QP|A<5r_j96&`wh{=
z{gG(m{zf!$|0bHaXK^D_%=*qNnz$DiP24Luoe=j{4wuPyN;GjJ(Zs#3XyV>fG;wb&
znz(lnP25${#H~cL{*y%$_d!ml#J!WlW%Oetnz&CBP23lVChn_56Zb8miTgg$#QlV5
z;(kdqala!vwe!T!onBm6@G#Z<aTc)XVX9ei1{RrM-z<S=6PzRo7Cpqdd#gF~-$SCA
z{DGo<oBh$E1FN4ZI<)%vq9dzcDLS_L&7u>l-zz$`2lf=VliS#jyI60*>Mx2Wyt{#w
z6ZYE@P5o2Rg#W#0!v9k=;m__yGLP^V5KZ_?i6;D&M5h+->Q4K_O+^zIU$w-R6XymJ
zP26KeGyb-siJOTg?rzb<orosxy+srEp`wZVc&7v6K2tPt@m)oW%j#b&(ZqeNXyU$I
zG}C`jG;u#Inz&yTP2BH`Chjjq6Zg+fhr~UT8>&L$h7On2olByLdlAvZy_{&`9wD0f
zebL0dmT2PMNHlS8DVn%<bUGrgeH9&ceni~sI9wKAN^;_^ize><MHBatqKW%t(Jb$|
zqKW%*(ZqeDXyU%x>6o}56;0fmI9wL@d5I?OH$@Zo$D)b*ThYY*yJ+H`)s0gz%RirJ
z;$A{Dako325cf#Y#67{`GJ7o1#J!$q;@(U&aZeOY+@5IS7NUt;i)MZI6iwU*JDn2u
zv7(84XNSw=PnT%ozECuAUoD!rZxv14_lqX(Cq)zY%c6<<UD2tXR(|31;=+QDdFD^E
zfJGZ%ud>+_lm*Yn#Ix!gEG}4GiC(n&WYM0F!f>4#Th8bQ&7@8K7}0^%PZJ$l{Q}XE
z)vppATm2T%iPi5Dom%|~r#<3+Ni=!BBbvB)mK$46w?CUnTihQ+6Zc=DiF*z=c6r3T
zplIS=S~PL5EIPI05Ly^pZfmpGJgp-9Q7*Ml_@hM=9?!Tkz0H1{L{r~RG~t&-6Mi6?
z@OwlP{yw4!|1i;P>nAuJ5cgT4iTe`K#Kl*0EG}_gC(*=xhiJxsNHlRjBbvBh6HVM7
zh$il@L=*QfPKU((KQ~l`#67oY;zkaa)n8PiiQ5%T+^dRa`am>suPvImHx^CYTZty_
zot%z{yDXZxW6{KQ*UEENcXx><?gK;<_fevW`xMd4|2)yeeT8V^zDYE3-{W*l+>ePS
z?iWN8_ol9OS^T#onz%m^P2As!Chk8(6ZdRxAd6Yv`9%}=lA?)wMW++u?h;MhL^N@4
z?QmJ#^(C6PHy2IZ+lVIaT}2c3Zla0Xh-Ufs5>4EPIGqyraiWR)4AI2Bi^FC17fCd6
zUn82hZxc=24~Qo2r$iI?E24?}J<+M1MSkh@;=)3JdFIcvfW-iVUf}>27p$&DGya~U
zJsbaE(SCrkaN84G&g74sNt^uXqC=}+C_1wG)uLmo-zqw>`u(C)t3T<qN8B%qX8qq4
zP28W0CN7?*z?L)mk27hD-zS>5=X67rN8AgEChlcK6Za~jiM!~uPuy#WChiSIljjzq
ziHmQeW6OPucYBE@ZZ4X*L(#-t6HVOviYD&EMW=R@L=Umm+1j4yVgtfITQuQcDw^=G
z7fpCP=E~A+aqpC9>JN)1{AWcI{_CO%|3lG)|FvkgwS8kX+A1XOncc_~68Ai!iF+~8
z#EnVY$%%7$i6-vVL^D1VP2B5<Chko{6ZZts#J#iA5ph>U6Za(1#Jz`T;$F|;vib)~
zG;tp-nz&CD&GgR~P25+CChnU>6ZgGN$He`(XySfRG;zNznz%P}xUBA{5>4FSize<r
zMHBbzZrqBQ{{o_kdnwVxy^_-jaj!0#xT$F3-as^QPjt8}{#c17?rlXAHxo_V-J*#*
z5zX@MEt<Fwbvh;P<3$tqnWBmNV$sCyIb0U^T8Sp^+eH)igQAK1Y0<>}s%YYVUvz3`
zkzYBzxUdjn(D=(NU@^qBayJLGxL|c7n(_A%?b-N;i1w|1oan&bDsvC{=FI*Ki4JY@
z7m1FnevRnZ>bHqbtp0%L)ap+;?Gg7YqFLYfL=*QHqKW$_(Zt2$`q*+Nw@+12+UmBs
zq01xgg+&whvZ9H*Lo{(cr+wmHQ#5gp5zYFK7fswdh$b%Hx^MXy-Ir+Mjzkl8uV~`l
zPc(5KA)2^PaylUHb3_yOWul4u2GQhsmuTYR#nKixu&wzKi6-vnL=*QLqKW$>(Zv0Y
z=+qACc-+YrZ%hB1iwy~X7B@15gg>un!e3l8;jbW?@QIXei{B~H)RAbyUsp8YZz`Jb
zw-(K|zKhclaaTnXw-Qa<lSLEvL86I!eTPe&$4E4BpC+2|FAz=KSBWO>TSOE0eNM;3
z{e)=Zen~WOzayHsKNC&dn>$=q{|AXC?!QD6_Z)8Aikbd`qKSKH(Zs#7(+P3yLqRyO
z6XG5v@x(n^G;xm;P2Af!Tvm5Gi6-unXyOh;6L*hj=D&|<;y%pjl(<h2P26XRChki_
z6ZdtZiF;Rv%i`Z5(Zv0bXySfGG;zNsnz%m@o!VLC*G?}kEJT=A{yGa-j4-Y2b^wbD
zR!>AT{@$WJ8~;$zzSWNx9a#NL(V@Llh6fO_<t*;SGij5*R&;Fj+eIf<e^7L4^{1Wo
zi2GI1EdTqWiTg{@#Qn2q;-1NkMILeSiX&_}v!6?%iF*;z#J!wo;vONIxW3aqajzws
zxHl5b`fe$jxOWsyTqByecuSAPW%5#@iMuYExc3)L+((Kg?vtGki2Gd8#C^GF;=WNd
z>wmXs;(k;#aq+%qi_7TGOEhu6DVn%H7ERpWiYD&goeqh6RyP)f#66#A;$A{Dakq;m
z&yk{un>yUk_Pto5iF-ZK#J!nl;+`lvwQ~@jIK`IR(t0j7B77m5@U>{d-%~W<A1s>i
zj}=Y$8%S-ox~EGt^$SH4{?(!h|5nj#>-Rey6Zey%iTh>I#Qm;l;{IGTasMcqxW_tN
z;_Q=X;-1ruTQTD=B$~LF5l!5yIGqsJKJ&wA#Wu$^B%Zi86iwV)h$imsMHBb74wu#E
z5>4EpXyUGkX8QYzCho(XPKo<O(ZqeWXyU$9G;v=qnz-*2P29}kvbqmTG;u#Gnz&yV
zP23-fPVFr68>bf+7Gg{*f13p?#+X(HuENCytM`az{Cz}wHvVCveXE}!I<Wd#qC=}+
zB091+%J7Ieww%SkZYFK=cZg1`{*dU@>d!ds5%+7NS>6vs6Zco5iTfAP#Qi@vGI_*3
zw`k(xRdLvI7I#sJCT>?Wajz<xxPj9?ajz|!xHlHf@^2-YxOWmw+-1?k9g8L|-fv-X
znf>k(P22~FChns|6Za`j2gH4zXyU#?G;!Y~n)SU$G;u#Bnz&yOO<cSO)#5Vww<Mal
zKM_sb--#yfKb#JUdp0)~g~UC-XyRT{G;yyen)UAzP25B@agTDijK01^6Zht#iF+H-
z#J#K25pnM(nz)T<;@(R%aUUX@xQ`P}o@a<A?$Hi6vWL!#B$~Ld5l!5;iB9bV>b?P%
z+uR>;u`%I4C7SSG5l#5-i6;CnL=*l`q6zPw&dFoKALrl+yUmSTG4+K-6aKQI+15Lp
zPKaxtN8+?%?OaphiF=G_;vO%WxOWguT=$OGJR$Dw94>L(ml*SexO*i#<L@V$xQ}o;
zCGL|%6ZbiyiTg6q#C?Nk;=W5XaX%uOxJwR~)qhT+iTe%F#Ql-z)XpNmb$W4OA;Glr
z_gTPVf@x*wDp*{wdQCLr?<?A~@edd6Tm3}Qfz{6z9a{ZT(UH}!7aiN%X6}VQIjei8
zL?<@+hefAWf7WS_xL+5|{67>;++T|(?q5X{_sni&@`!sL(Zs!&XyUqejpZ!<@)Awl
ztBEFV=(JDV>xd@qO+>T26GRjD&Z3FCBAU1-i6-tnL=zX^vc{IPxCcr!aUU(3xKDLD
zAnx-;6Ze&(iTh^JEdRZtiTiQU#QmaZ;(l8+aq%t?i_7dkm1yGrUNmw4>2yfkv%8@x
zB<=-76ZcZ0iF+l{tnccgiJOWh?hQl}_ZkkD$&Zz2;@(y?aWkhQ;_enr+=*!7-di+r
zA1a!-j~C7QpDCKSFBVPQ8#-J@zgD7&`*zX9{h-q^aX&4ZxL*}b-0zDf?k`0X_s^n<
zdnPv&#pF4cXyV?&;l}pJzlcN=_j00BJN@HpgxGSM`Un@B5Z*p+#A(IGUrXW%e<RU^
zzolrx-%&K--ETSO3E|yKaPoxkw<k;|C+xapr@p^vw)G>OPKo<u(ZqeOXyU$HG;!Z3
znz-*4P27))Chq4&6E}Cb#QCN~6ZglWQ#*_N&gsR4g%s1uKV|`oDW(<ooy~l4!Ro!P
zf<?yPPqb&_A0gVe`bnY#tDhq}wEAVDBdgyaI=1><q7!=?&Aq`iXZ0VE=+q|voYNk0
zzag6Ge<Yf?zY$H`zlkR9S=`9v5%;{JiF<L;#Jz%O;^K|f*m734Q=*9*Iqehox}u4D
zQ_;+SYth8Li)iAmiY9I)nz$#6Chmho6BlpZw74w(F%nJOr#T%E_XVPf`zq1IeT!(8
z_de0Y{e)=Zen~WOzayHsKNC${yzkE9vbaA;G;#msbV%HDxPdDq?gd2?_tK(?du7oq
z-+ns`J2NEiQ4&wwqeT<<IMKwtCTTl4v)@jliM!-<L|pe9Yk5Rm`$_~<9})LHlAgE^
z6HVMFh-Q7y5>4Efh$imqL=*QIhs)&ekZ9t5$my84pAk*muZbq^4@499SE7mg7tzH1
zKQ|P`tpD7iiF;Ae#68~OGP*0##J#H1332TMMVv_N$Z>6nC+>|!6Zcl4iF+r}#9bCm
z+_7l#++8$r@8EC~Tm1thI<>16ym|mzZet(iVpGCDMKs}`Cz|lD5KZ_ui6;DeL=*mF
zq6z;6(S-k&Xu|h}&f@(<qEq`V2^@FRW6y55b>K9fSj3;x?tk|rquVy7oA!=P>5v~c
zQSW`(^S8=6HFdZX@Qo~}1DB|8+qsQA9I%n^Kz;154)}o2`La%p57$^*`8a>)_<xT&
zrVX)`j}s1sk5j1QkhIl)>cBofp>x{%?*8gP-#y$uuxxj4Gr@Lhj}P~B{8sz?kodsL
zcH^5yrpMiXiVy7bLvnmfcf?`cAE!{qe}a!g)~}}Dci(D%9Fn%0J^`oIfrW{CyOBGF
zkj~9n?*EN>q36@N1RK*K{~;T%riE`+$02E}Q>f#Rj92@q<B;{M>7LWt>X7a8>AlVU
z)iJ+5LOR!<-2WT%LeHn$-|^vmY~1F{+*sZ|yPbVg`22cwzW#qsU&XVrOt)<;zvb&J
zJhrg0-hKO!-hD>%xzBiuhx?2|+-F=uaG&vAF83LC3f*VGyU%#$&wa)jrTdJp_PEcu
zRpdV7Oa1OM9szToaZ2Gn<7Gt~eeRond1F)fzJ2yVs!icrr?+36*pz;H4zekHAHSQs
zIh;FcWBC03K%CS2ra&9hZ(TkOY)*f$;al=!m{iK=b7`CF-6GtUqLg#c?YR}_R^fX4
zZ`q#H9kJ2Z6mwJfmi$}!+M@h@>~5ROKj`o++rb|18+~or4*Ry+?*~`T^zb@}dUbyH
z6y!$!t-`lzH+P(EEN83mt;*lBKWx?iZR>AthxvNl1~#{C{0!~#%+C#O+nC;M^WleT
z!}yB}<?cnv{M|#oE*XsO5A&h@AqV@CY!{0E?H%QM#om^5;b_@@VJ|7WAS4?b(+a}`
zzBJ&^i@9|8AL03GW#2_PAC6*+vHf<L3r5nxXmb%5s_;5eQ`@)wx#V~iWG+ADX}_=F
zqOd2H?N<z32+p_pQxh%(|08sBD`0K4Tr8KHnBg0*y__!sVR*ObeAxU>nEwg(`84pq
z+t}w(T`=Cj<@R0sN4;GN{ExHk&A&1|p8{XYZ~xNqeC#~j{BIV|rvY5OYQO5|g6HAd
zKUC{d;D2<j**=+%nXh*KCo|{MV2{rIhU0t`-V)>5X2XvP&L_jJ!w%iF>+sa|rr&Ox
z&xt1kTm|Ycj?E{A&Drl{&Bx$*2v^M9&rfZYWbXHn=98euPk+T{J{Z-`ep6>Y1~>8S
zFTu<Q;<Z4npI4cWL|L;R1(}b*&L7tHQ3V%_#IqmvaH04gF|(hZn2*8P;>O=cn2!gt
zeXIX`pnYX@wpNUlVGF&(y^y>p?H7hzR`ht+>YI;e+nY^mH`xQ<{>Ygt0{>$GaxWL2
z565tVIQJrIXcuqu*phm!@zA{(T3-0<GT?u-&BhlzZ!FZkD|kL1D(f4*z<EC0j&Ama
z&GVtQ7x4wn^T8NEHot^<K7~Ej)fX+#r?SH`-<Z5Hc={sc`CxRE*~^mWW3bQXUyeK<
z2iDCmL*AGItnC*b&!<2~voAQF4+Q-5CC2l?Xh^=acs|r^2*YmT3yWO}OaTbZ?JGT8
zC^}uf*b2f_fm`k_3H}Eh!nDA4?rBP|m6Aoa6EaLo=PP*wB`j3JA|)(V!V)DcZH3vE
zQSiKWBUl@rV$IX?D%L#3nx|Ov6l<Ph%~Py-iZunrSFHJpHD9sjYvn1{e8rltSo0NY
zzGBT+tSQw7inTzo7AV#N#af`%p;!wPYk^`dP^<-tHKmGBu@)-ULd9CBSPK<vp;oVA
zEmW+9inUO&rW6+`)*{7Pq*#j-Yms6tQmjQ9i()NOtVN17C2Oo$ixq3JVl7sz#fr69
zu@)=VVvSF+7Aw}2WQk%eQLH73wM4O&DAp3iTB2A>6l;mbtXOLY*?~S)tfh*zRI!#S
z)>6e<s#r@EYpG%_Rjj3LA9f93-^Su5csIGX0y#am!=?!rTM6BS-wNciq7}pfwXk+p
zrt_7&ff5!fVUZFRD`ANemTnI7+Ks?<fs#zI=4t5^Yo21wQ>=N4HBYhTDb_s2ny*+>
z@O;IZuUPZ7yoxnnvF0n*e8rltSo0NYfnrTT2^4FAVl7at1zLHEwLq~JDAoeSTA)}9
z6>Cbhp<*pmtc8lTP_Y(jbtu+C#agIX3l(dTVoj+cQmjRawMelRDb^yzTBOyhSc?>E
zkzy@YtSQCCinUm=7Aw|b#agUbixq3J#-dn@6>EuNP05-l))K{9qF755Yl&hlQLH73
zwM64ntfh)IEtz61Rjj3owN$Z|D%MiPTB=w}6>Djm+0FQ^tI=+DZv{@50j)4M<F^8*
z(|aq7tAJJzlWAFfC0(F|g-TeYgvCl&qJ*WbFuOWxg;-**-2x12JL9@Q$*P4ZW<ABM
zr<nB=vz}tsQ_Om8v(|>MSo0NY3bL<Q^R;w}HD9sjE7p9)ny*;%6>EWFEl{i}c!6Rq
zP^<-7Ud39VSPK+ufnqICtc8lTP_d?<go?FLu@)-ULajW-TBukH6>FhlEmEvSiZ!L$
zNU;_v)*{7Pq*#lzIuvV>Vl7gv#fr69v8GfJE7oGgTC7-$6>G6#E!OH)ti_78M6s4A
z)|BEB#ag0ROB8E~Vl7duC5p8~V^OT7inUa+re#&ErHZvwv6d><QpH-TSW6XaX`9cj
z0qm=eHe3o=)B?R$ASd#6ZiclpGpwDL>jI@XUkMA8uuut$l(1L{OO&v5bC{=C^Au)J
zvDOZ<E#N8EJjI%)So0KXo?^{Yta)u~c6qbetgo2$6|;WZnca_yF<%Q)%=(I1Uoq<|
zW_`u1-!^L-K2WR$inTzorXUB3wLnX!SPK+ufnqICtObg-P_Y&&)<VUaf)^^*Ld9CB
z<yEYOinUO&7An>v#ag6Tixg`LN~Bne6l;-UEz-(UtVN2oNU;_x)?&q4tXNa3jTLLL
zVl7sz#fr69t3$CCE7lUlTB2A>6l+QqiDE5LtR;%IM6s4A))K8=#agOZOBHLWVofVf
zv6d><QpH-TSW6XasbVc{v$!>YeJ|C<H9#wn(|9`}!?bjslGksAaS6~0VsU{I7Aj$p
z5*90Ai4vA>4)YXip2FuT);z_UmQ1ncDb_s2nx|Ov6l<Ph%~!1XiZx$h_7!XGAiLLm
z#hR~J^A&5pV$D~q`E6@<C9`=y28!80F&ijmgSIo<MHOR#7N(dD6tjV1Hc-q4ZL_wK
zL&aLCSPK<vp<+!z4i#&mmQJx2D%L{9TBuly6l;-UEmEvSiZul<QmjRawMfgWSc?>E
zkzy@Yti_78Sg{r>))bUju@)=VV#Qjlm8V#X6>EuNEm5o`inT<src|3K))K{9qF755
zYl&8eVl7pyrHZvwv6d><v?>&9sbVcvtfh*zRI!$}>vhw;eP7td>An@nxwxH>VOly*
z$?Gd&K`V?)fL0Kz2$ir%35%7mL<vhbhk1%MPhs&CYo21wQ><xO6>FYi%~Py-iZxHM
z<}22G#hS11`HD4Pv8E+ctoe#HU$N#Z)_lcUpjZnOYk^`dP?!V7T06*g$Uw0cDAoeS
zTA)}9+Scq!W^)$}6|<pYHdM@pirKL3%pQG;u}}+B%!Z2DP%#^}&DsWy6l;-UEmEvS
zinU0wrXWX(wMa{+Sc?>Ekzy@Yti_78Sg{r>)?&q)f)^{+V#Qjl<yEZ3inT<smMGQ|
z#ag0ROB8DgN}^ax6l;lMEz!zTtfh*zRI!#S)>6e<s#w#iRjj3owN$Z|D%R3=9d5d}
z?{V8W-M0cc@3s>%OiSk}d3_};P{P7i7?%L8AXXbGVX+dHC}HX5Fi)}ODfN1aHBYhT
zDb_s2npT`*%~Py-iZxHM<}22G#hS0M_=+`OvF0n*w5*CXU$N#Z)_lcUpjZnOYk^`d
zQ1}AHTA*0dk}1{##af_P3lwXiVl7mxg^IOMu@)-Kp<=BaWRJB_u@)-ULd9Cxwq{o{
zn~%OoF&imnBgJf_n2i*(QQMgvSQKNC7N(eu6thv=tZlqlu@)=VV#QjlSc?^Fv0_a@
zjumUMmQJx2E7lUlTB2A>6l;lMEm5o`iZul<QLH73wM5ISSW6XasbVcvtfh*zRI!#S
z)-)8wTB=w}6>Dj`JU89PZmP%s)4;`6Am`Y2LWXJSJSDHMgat}isDwqWFfIXFK}3m_
zutW(<H-~wOHBYI-Q>=N4HBYhTDb_s2npTBk%~Py-iZx%c<}22GrCwjL<}22G#hR~J
z(~489`HD4Pu@)%S0>xUOSPK-EK(Q7m)&j+vmQ}G9DAoeSTBukH6>FhlEmW+93SX#L
z3l(cxGR0b`SPK<vkzy@UtVN2oNU;_v)*^*DQmnOu>@X53)*{7P)V5|<GMfjMSTP$b
zW@E){teA}zv$0|}ZacGMreZAC!W6S{+pKM<M6s4A))K{9qF755Yl&hlQLHJ*iDE6$
z(ka$b#agOZOBHLWVl7pyrHZvwv8LfE)>6e<+Rp2y`$U`WTY;QU+X)$_rSp`$z7iHF
zVWAQhDPeIdj7xx45b+WvEZrRDDb_rtJWsLaDb_s2nx|Ov6l<PhO{-S1<|)>E#hR~J
z^OZV$#hR~J^A&5pV$D~qX;moJe8pOzSPK+ufnqIC>J1cYfnqICtObfStvJP6pjZnP
zYoTH-RIG)HwNPOR6>FhlEmW*&Sru!cVl7gvMT)gZu@))TBE?#y@I{KXNU^3RQ>;ab
zwOFwhE7oGgTC7-$6>G6#EmoLg#acVaj*zipEpA)0E1At>W}=u)6tjt9Hc`wbirGXl
zn<!?Jwlg~&D8>>ktZmjdN~%~(6>F(tEmf?ginUa+mMYd##hQk!SWDaK+;rdi2?KX_
z-wNd1*-pqXEuE+2^_8$d2@935NC}ITu%s2nB|s~P$nBqOuwkBJ%~SGviZxHM<|)=Z
z#hRyB^Au~IVogI)toe#HU$N#Z<@t&=U$N#Z)_ld9uUPXHYg)C6wLq~JDAoeSTA<Vs
zDAoeSTA)}96l;NEO{+q&7An?4#agIX3l(djQg5hO3l(djVl7mxX~iklBE?#ySc?>E
zkzy@UtVIe-q*#j-Yms72%c@w56>G6#Emo|>inUm=7Aw|bg)dgD#fmj8nPM$btR;%I
zM6s4A))K{9qF755Yl*^~DAw9RcA!t%*6d1V^AwRPW>dv%s+dg`v#DY>Rm`S}*;Fx`
zww>9Tu5HYkReqf4G5b#b>-KHiyGIw5$(yoT?~b#kG1aK<?&ufQ5!(=Xd{$*c)0nD0
zYTNei;;t^=3)pSe$7b91uD7e3m!l>tMy9g4Ske(L-rv>jOYzLJZGRi8yp>s*46>?=
zcSg=3K^`h5Tl4|oY_mWotPhvUL6LU{#c1~&k$X$;=}Uzs+HvCOh*35){qFI_*wj})
z<|fD7Vh&7R+j~Zm@eQQ)9G1M2_VmO;b6tN>=DWLmm1q~QDV~FJZ)-k1nb@svu$om_
z-k53&GWWjd)1T}Z9C<iAdQFv$>H;sCl_s+-iUY{T^|F4yHyt;2aBSGwFDhi-IWlYZ
z|9p_u^$t@XvGb0|hmLz^m|`=`iaOQBSR}mH*o{u?d-KSs>;SiI+q>JgcTbp%$7R)Y
zhgn{gb$7X}y0vNQZn@m$3vj#EmZ`hhsNWr%YFN~DQI6O?w_Yu3jxzOXIT`f3<!G?p
zUCs8GR_+aXQG=`S$ZoT0*0*i%=Gln3E3<4WGs@dV5a8-%HP5h%O>(`#U~c#YrycmF
z;IaphY*dbpoQ>4;$#zM)<B-PeDRQ$#f}{5riCU)nWePAW`RJ_4R;p~cIYHNr!A)hf
z_-XWsqj6R2DF$Z6^fwgJ-C_3TgGt|X?JJdccBijM-r40_p^uni9N@;@aqQ+^(e47a
zOCCS#72T%n4$H}?vAbb1;%D2=d~fnxYs_auznj#>Xl3dO$y}RkOqW+CYmgLs`am;H
z)6F;U!PaqF^4gd0A8duKOq*I7O{O%(bhjTsJF-bOq_@SEV^d`q4eM^Rnl;^F*)NvY
zyLFQ_W<NXTzzZyw@WOL*iY3-&)VF&Y2UW2$$_D%CKazOV?^Y%^#U5lGnP#o5u%5|x
z8@mgp$I`}bMfwx$+r7KD>E7h{8`u%SZ3lSVY`6RAII}i)px6-=h2f~0EkoVvbHj#2
zt+k;n3AGKW+Y7hWdab=7v9_kFQOEQr5IAGCwsy7?*e$#5bxwOjj!mnPy4zZXY}k-R
zT`JVw))HaEc2K+Jgt5tsY_Qd?Ik7g~9hJ%Yc4S$ripCt#Z7{f@<FPjYbJ_y4fSZ~1
z*)(&4sW5lA{cY=9E==D|+WJ~!8>YZ=IL?}4sTdT^`cc*>s=MB#DTi58<fpoXqt{2-
zu*j9Ftp`+ci)PhS-RTc+%r(%|<>A>5YUkb9492FKt{YtI)~m&GGuknl40jHSy4kgB
z7nhMX97~HXg1e*1u-g<vGuunW@~Cf?cbL87YG+eTOm7K`=bg*hpq_qaLBpWiFHPMY
zl?~T5&1x|>2K9Po)E^Wh)9cx0>`#WnbuwZqEJn4dnr_w|nKh)^)$LAd)3<}{w(VV0
zRpY7{H9Na?X<_q0S!2~+nNhQ9u;{_EXbGpF#i(yajp=vuvcl=-VEtex^ljU*wi=g%
zwX7QL7@E4yR;H_NOVQ1`h{2#ajb!gQz|Hz+1*WRh@<(u7R<8J6U1{5G+q=VTx9Mi1
z^=1_W%ULlv6$V$#s5hxiwFCcP1-`R8uFP_=cW1XM2c}n>W@mResC#|0oJ|JJ!0a&t
zhE&;T#q8|fahTV=JZsEKSrw*sEBFK4Y$E^ymkZ3^X2<mZov5=m_9SCZ(X8)Ot2w|*
zSWBLbdS<W5-RTHEPnv9rmk$o+JYd^)i@a2pgB`Zbrj66vlMN=E5DtpW`p=qr$8kJ{
z`X(P_mF>*7S@CHBhey8SxFZ+cgmchUpgA{HF>7N}cWYZqZENYS70oI}&|;L0Fg$mQ
zQMVXj1!dQrqsh=zMcyr|zNwhFUg!?WHB;mGWErc)%Brawdt6{UXlC2r>K(`JJeEyE
z-CeHA;gog`cGe50?X~0BQ`ubC&uU!PL1*t`4^L0@xYikzYj(neIp^%4jLn}VtQAde
z58x%!tQj-v*5#ziO?QkdOE}NN>TFPEeRR}mDAt#gf$7#f7qw&iem8rR9aC1_tZ$cx
z80TFXSfdWji2G>2rOb+%)P}vGG1YRGn|ddDXF0|aI2#PsXXAKfPMQ>z>Dt+X!((@q
z6Vvi!lq18=Ze8H)br^Kl%2Crbd&lt16Kr(5<!**cY^Gb(-3*gHaJxIUA92(vbtvom
zCL`;2dD2WOU^`}a3ch5$NE5SNF!62gHfA^;WR2lbUQGt3=FxWm?Q|Nd6~;~V9+2T%
zO!tH9EvuQGa#z^=``xVTqj6n#Xd8UFyJlQFVW*?xOb0tO&tznKr5*OVS>3I%UbJhs
zrFENDdU07{KO%d%$5d6(H`83x>mW<UPV@(gc*DI7u90;y1e<JBcgsnGOE8!*_l_%L
zFS+2%%U*C98Pm6C+DoQe8JykNs{wOK(a-F7w{a<f#Jf&;<g)E{>uGav__pVR2kOUV
KWqY;u*#83`h@;&A

literal 0
HcmV?d00001

diff --git a/roles/distgit/files/upload_cgi.te b/roles/distgit/files/upload_cgi.te
new file mode 100644
index 0000000000..f58050d1dc
--- /dev/null
+++ b/roles/distgit/files/upload_cgi.te
@@ -0,0 +1,25 @@
+policy_module(upload_cgi,1.0.0)
+
+
+gen_require(` type httpd_git_script_t ; ')
+type upload_cgi_tmp_t;
+files_tmp_file(upload_cgi_tmp_t);
+allow httpd_git_script_t upload_cgi_tmp_t:file manage_file_perms;
+files_tmp_filetrans(httpd_git_script_t, upload_cgi_tmp_t, file);
+
+
+# Do not audit attempts to read the process state (/proc/pid) of all domains. 
+domain_read_all_domains_state(httpd_git_script_t);
+
+# List the contents of the sysfs directories. 
+dev_list_sysfs(httpd_git_script_t);
+
+# Allow sending logs to syslog
+logging_send_syslog_msg(httpd_git_script_t);
+
+# Get the attributes of all pty device nodes. 
+term_getattr_all_ptys(httpd_git_script_t);
+# Get the attributes of all tty device nodes. 
+term_getattr_all_ttys(httpd_git_script_t);
+# Do not audit attempts to get the attributes of generic pty devices.
+term_dontaudit_getattr_generic_ptys(httpd_git_script_t);
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index c2e4a16b35..e372d1143a 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -295,3 +295,16 @@
   - config
   - lookaside
   - selinux
+
+# Three tasks for handling our selinux policy for upload.cgi
+- name: ensure a directory exists for our SELinux policy
+  file: dest=/usr/local/share/selinux/ state=directory
+
+- name: copy over our custom selinux policy
+  copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
+  register: selinux_module
+
+- name: install our custom selinux policy
+  command: semodule -i /usr/local/share/selinux/upload_cgi.pp
+  when: selinux_module|changed
+