diff --git a/Changelog b/Changelog
index 53b1fbbae..5b8b560e1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- New git service features from Dominick Grift.
- Corenetwork policy size optimization from Dan Walsh.
- Silence spurious udp_socket listen denials.
- Fix unexpanded MLS/MCS fields in monolithic seusers file.
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2e3..c10c3d6fb 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.2.0)
+policy_module(staff, 2.2.1)
########################################
#
@@ -26,6 +26,10 @@ optional_policy(`
dbadm_role_change(staff_r)
')
+optional_policy(`
+ git_role(staff_r, staff_t)
+')
+
optional_policy(`
postgresql_role(staff_r, staff_t)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f9635354..fcf7605d3 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.3.0)
+policy_module(sysadm, 2.3.1)
########################################
#
@@ -147,6 +147,10 @@ optional_policy(`
fstools_run(sysadm_t, sysadm_r)
')
+optional_policy(`
+ git_role(sysadm_r, sysadm_t)
+')
+
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da772d..486f95df7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.2.0)
+policy_module(unprivuser, 2.2.1)
# this module should be named user, but that is
# a compile error since user is a keyword.
@@ -16,6 +16,10 @@ optional_policy(`
apache_role(user_r, user_t)
')
+optional_policy(`
+ git_role(user_r, user_t)
+')
+
optional_policy(`
screen_role_template(user, user_r, user_t)
')
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737ca..13e72a7ad 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,11 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac631..b0242d92d 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,50 @@
-## GIT revision control system
+## GIT revision control system.
+
+########################################
+##
+## Role access for Git session.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+#
+template(`git_role',`
+ gen_require(`
+ type git_session_t, gitd_exec_t, git_user_content_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
+ relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
+
+ exec_files_pattern($2, git_user_content_t, git_user_content_t)
+ manage_files_pattern($2, git_user_content_t, git_user_content_t)
+ relabel_files_pattern($2, git_user_content_t, git_user_content_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ tunable_policy(`git_session_users',`
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+ ',`
+ can_exec($2, gitd_exec_t)
+ ')
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f851b..c05bec349 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,8 +1,227 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.1)
########################################
#
# Declarations
#
+##
+##
+## Determine whether Git CGI
+## can search home directories.
+##
+##
+gen_tunable(git_cgi_enable_homedirs, false)
+
+##
+##
+## Determine whether Git CGI
+## can access cifs file systems.
+##
+##
+gen_tunable(git_cgi_use_cifs, false)
+
+##
+##
+## Determine whether Git CGI
+## can access nfs file systems.
+##
+##
+gen_tunable(git_cgi_use_nfs, false)
+
+##
+##
+## Determine whether calling user domains
+## can execute Git daemon in the
+## git_session_t domain.
+##
+##
+gen_tunable(git_session_users, false)
+
+##
+##
+## Determine whether Git session daemons
+## can send syslog messages.
+##
+##
+gen_tunable(git_session_send_syslog_msg, false)
+
+##
+##
+## Determine whether Git system daemon
+## can search home directories.
+##
+##
+gen_tunable(git_system_enable_homedirs, false)
+
+##
+##
+## Determine whether Git system daemon
+## can access cifs file systems.
+##
+##
+gen_tunable(git_system_use_cifs, false)
+
+##
+##
+## Determine whether Git system daemon
+## can access nfs file systems.
+##
+##
+gen_tunable(git_system_use_nfs, false)
+
+attribute git_daemon;
+
apache_content_template(git)
+
+type git_system_t, git_daemon;
+type gitd_exec_t;
+inetd_service_domain(git_system_t, gitd_exec_t)
+
+type git_session_t, git_daemon;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Git session policy
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_send_syslog_msg',`
+ logging_send_syslog_msg(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(git_session_t)
+',`
+ fs_dontaudit_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(git_session_t)
+',`
+ fs_dontaudit_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git system policy
+#
+
+list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(git_system_t)
+
+logging_send_syslog_msg(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git CGI policy
+#
+
+list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(httpd_git_script_t)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+tunable_policy(`git_cgi_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_cifs',`
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_nfs',`
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+########################################
+#
+# Git global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+miscfiles_read_localization(git_daemon)