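policy_module(git, 1.3.2)

########################################
#
# Declarations
#
# Three confined domains are defined here:
#   git_session_t  - git daemon run by an ordinary user (member of git_daemon)
#   git_system_t   - git daemon run as a system service (member of git_daemon)
#   git_script_t   - gitweb-style CGI, created via the apache content templates
# The git_daemon attribute is shared only by the two daemon domains; rules on
# it in the "Git global policy" section apply to both, never to the CGI domain.
#

## <desc>
##	<p>
##	Determine whether Git CGI
##	can search home directories.
##	</p>
## </desc>
gen_tunable(git_cgi_enable_homedirs, false)

## <desc>
##	<p>
##	Determine whether Git CGI
##	can access cifs file systems.
##	</p>
## </desc>
gen_tunable(git_cgi_use_cifs, false)

## <desc>
##	<p>
##	Determine whether Git CGI
##	can access nfs file systems.
##	</p>
## </desc>
gen_tunable(git_cgi_use_nfs, false)

## <desc>
##	<p>
##	Determine whether Git session daemon
##	can bind TCP sockets to all
##	unreserved ports.
##	</p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)

## <desc>
##	<p>
##	Determine whether calling user domains
##	can execute Git daemon in the
##	git_session_t domain.
##	</p>
## </desc>
# Not referenced in this file; presumably consumed by an interface in git.if
# (the one that grants a user role access to git_session_t) - confirm there.
gen_tunable(git_session_users, false)

## <desc>
##	<p>
##	Determine whether Git system daemon
##	can search home directories.
##	</p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)

## <desc>
##	<p>
##	Determine whether Git system daemon
##	can access cifs file systems.
##	</p>
## </desc>
gen_tunable(git_system_use_cifs, false)

## <desc>
##	<p>
##	Determine whether Git system daemon
##	can access nfs file systems.
##	</p>
## </desc>
gen_tunable(git_system_use_nfs, false)

attribute git_daemon;
attribute_role git_session_roles;

# Derives the CGI domain and its content types from the apache module.
apache_content_template(git)
apache_content_alias_template(git, git)

# System daemon: reachable either via inetd or as an init-started service.
type git_system_t, git_daemon;
type gitd_exec_t;
inetd_service_domain(git_system_t, gitd_exec_t)
init_daemon_domain(git_system_t, gitd_exec_t)

# Session daemon: same binary, entered from a user domain.
type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;

# Repository content served by the system daemon (and readable by the CGI).
type git_sys_content_t alias git_system_content_t;
files_type(git_sys_content_t)

# Repository content living under user home directories.
type git_user_content_t alias git_session_content_t;
userdom_user_home_content(git_user_content_t)

# Scratch files created by the CGI under /tmp.
type git_script_tmp_t;
files_tmp_file(git_script_tmp_t)

########################################
#
# Session policy
#

# The session daemon accepts inbound connections itself.
allow git_session_t self:tcp_socket { accept listen };

# Read-only access to the invoking user's repositories.
list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
allow git_session_t git_user_content_t:file map;

kernel_read_system_state(git_session_t)

corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
corenet_tcp_sendrecv_generic_if(git_session_t)
corenet_tcp_sendrecv_generic_node(git_session_t)

# By default the daemon may only bind the labelled git port.
corenet_sendrecv_git_server_packets(git_session_t)
corenet_tcp_bind_git_port(git_session_t)
corenet_tcp_sendrecv_git_port(git_session_t)

auth_use_nsswitch(git_session_t)

userdom_use_user_terminals(git_session_t)

# Opt-in widening: any unreserved port instead of just the git port.
tunable_policy(`git_session_bind_all_unreserved_ports',`
	corenet_sendrecv_all_server_packets(git_session_t)
	corenet_tcp_bind_all_unreserved_ports(git_session_t)
	corenet_tcp_sendrecv_all_ports(git_session_t)
')

logging_send_syslog_msg(git_session_t)

# Home directories on network file systems follow the global tunables.
# The else branches only silence denials; they grant nothing.
tunable_policy(`use_nfs_home_dirs',`
	fs_getattr_nfs(git_session_t)
	fs_list_nfs(git_session_t)
	fs_read_nfs_files(git_session_t)
',`
	fs_dontaudit_read_nfs_files(git_session_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_getattr_cifs(git_session_t)
	fs_list_cifs(git_session_t)
	fs_read_cifs_files(git_session_t)
',`
	fs_dontaudit_read_cifs_files(git_session_t)
')

########################################
#
# System policy
#

# Read-only access to system repositories.
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
allow git_system_t git_sys_content_t:file map;

kernel_read_network_state(git_system_t)
kernel_read_system_state(git_system_t)

corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
corenet_tcp_sendrecv_generic_node(git_system_t)
corenet_tcp_bind_generic_node(git_system_t)

# Unlike the session daemon, the system daemon has no tunable to bind
# ports other than the git port.
corenet_sendrecv_git_server_packets(git_system_t)
corenet_tcp_bind_git_port(git_system_t)
corenet_tcp_sendrecv_git_port(git_system_t)

files_search_var_lib(git_system_t)

auth_use_nsswitch(git_system_t)

logging_send_syslog_msg(git_system_t)

# User repositories are reachable only when explicitly enabled. Only
# git_system_t rules belong here; CGI access to user content is granted
# in the CGI section under its own tunable.
tunable_policy(`git_system_enable_homedirs',`
	userdom_search_user_home_dirs(git_system_t)
	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
	allow git_system_t git_user_content_t:file map;
')

# Network-mounted home directories need both the module tunable and the
# corresponding global home-directory tunable.
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
	fs_getattr_nfs(git_system_t)
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
',`
	fs_dontaudit_read_nfs_files(git_system_t)
')

tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
	fs_getattr_cifs(git_system_t)
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
',`
	fs_dontaudit_read_cifs_files(git_system_t)
')

# Repositories hosted directly on cifs/nfs (not under home directories).
tunable_policy(`git_system_use_cifs',`
	fs_getattr_cifs(git_system_t)
	fs_list_cifs(git_system_t)
	fs_read_cifs_files(git_system_t)
',`
	fs_dontaudit_read_cifs_files(git_system_t)
')

tunable_policy(`git_system_use_nfs',`
	fs_getattr_nfs(git_system_t)
	fs_list_nfs(git_system_t)
	fs_read_nfs_files(git_system_t)
',`
	fs_dontaudit_read_nfs_files(git_system_t)
')

########################################
#
# CGI policy
#

# Private scratch space in /tmp.
manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })

# Read-only access to both system and user repository content. Access to
# user content is unconditional at the type level; what gates it in
# practice is search permission on the home directory itself, granted by
# git_cgi_enable_homedirs below.
list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })

files_search_var_lib(git_script_t)
allow git_script_t git_sys_content_t:file map;
allow git_script_t git_user_content_t:file map;

auth_use_nsswitch(git_script_t)

tunable_policy(`git_cgi_enable_homedirs',`
	userdom_search_user_home_dirs(git_script_t)
')

fs_getattr_tmpfs(git_script_t)

# Home directories on network file systems: module tunable AND global tunable.
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
	fs_getattr_nfs(git_script_t)
	fs_list_nfs(git_script_t)
	fs_read_nfs_files(git_script_t)
',`
	fs_dontaudit_read_nfs_files(git_script_t)
')

tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
	fs_getattr_cifs(git_script_t)
	fs_list_cifs(git_script_t)
	fs_read_cifs_files(git_script_t)
',`
	fs_dontaudit_read_cifs_files(git_script_t)
')

# Repositories hosted directly on cifs/nfs.
tunable_policy(`git_cgi_use_cifs',`
	fs_getattr_cifs(git_script_t)
	fs_list_cifs(git_script_t)
	fs_read_cifs_files(git_script_t)
',`
	fs_dontaudit_read_cifs_files(git_script_t)
')

tunable_policy(`git_cgi_use_nfs',`
	fs_getattr_nfs(git_script_t)
	fs_list_nfs(git_script_t)
	fs_read_nfs_files(git_script_t)
',`
	fs_dontaudit_read_nfs_files(git_script_t)
')

optional_policy(`
	gitosis_read_lib_files(git_script_t)
	gitosis_mmap_lib_files(git_script_t)
')

########################################
#
# Git global policy
#
# Applies to git_session_t and git_system_t (the git_daemon members).
# kernel_read_system_state() is granted to each of them individually above
# rather than on the attribute.
#

allow git_daemon self:fifo_file rw_fifo_file_perms;

corecmd_exec_bin(git_daemon)

fs_search_auto_mountpoints(git_daemon)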