module pagure 1.0.5;

require {
        type httpd_t;
        type sysctl_net_t;
        type gitosis_var_lib_t;
        type httpd_git_script_t;
        type git_script_tmp_t;
        type git_user_content_t;
        class dir { search getattr open read add_name remove_name write create rename};
        class file { append open ioctl lock rename append getattr read create link setattr unlink write };
        class lnk_file { read open getattr create unlink};
}

allow httpd_git_script_t git_script_tmp_t:file manage_file_perms;

allow httpd_t git_user_content_t:dir { search getattr open read };
allow httpd_t git_user_content_t:file { read open getattr };
allow httpd_t git_user_content_t:lnk_file { read open getattr };

optional_policy(`
gen_require(` class file map; ')
allow httpd_t git_user_content_t:file map;
')

allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write create rename};
allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write rename append};
allow httpd_t gitosis_var_lib_t:lnk_file { create unlink };

allow httpd_t sysctl_net_t:file { open read };