selinux-refpolicy/policy/modules/services/git.if

## <summary>GIT revision control system.</summary>

########################################
## <summary>
##	Role access for Git session.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
template(`git_role',`
	gen_require(`
		attribute_role git_session_roles;
		type git_session_t, gitd_exec_t, git_user_content_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 git_session_roles;

	########################################
	#
	# Policy
	#

	allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
	userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")

	allow $2 git_session_t:process { ptrace signal_perms };
	ps_process_pattern($2, git_session_t)

	tunable_policy(`git_session_users',`
		domtrans_pattern($2, gitd_exec_t, git_session_t)
	',`
		can_exec($2, gitd_exec_t)
	')
')

########################################
## <summary>
##	Read generic system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_read_generic_sys_content_files',`
	gen_require(`
		type git_sys_content_t;
	')

	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
	read_files_pattern($1, git_sys_content_t, git_sys_content_t)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`
		fs_getattr_cifs($1)
		fs_list_cifs($1)
		fs_read_cifs_files($1)
	')

	tunable_policy(`git_system_use_nfs',`
		fs_getattr_nfs($1)
		fs_list_nfs($1)
		fs_read_nfs_files($1)
	')
')