fedora-infra_ansible/roles/distgit/files/http_policy.te
Pierre-Yves Chibon 998c84baaa dist-git: add missing type
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-11-10 17:26:26 +01:00


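# http_policy: local SELinux policy module for the dist-git web front end.
# Grants the httpd domains access to git content and the gitosis data
# directory, plus a few capability/process permissions observed in denials.
# Rules are grouped by source domain; rules that audit2allow emitted as
# several lines for the same source/target/class are merged into one.
module http_policy 1.2;
require {
type httpd_t;
type chkpwd_t;
type httpd_sys_script_t;
type gitosis_var_lib_t;
type git_content_t;
type init_t;
type unconfined_t;
type httpd_suexec_t;
type shadow_t;
type var_t;
class dir { add_name create getattr remove_name rmdir search write };
class file { create getattr link open read rename setattr unlink write };
class capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
class process { noatsecure rlimitinh setrlimit siginh };
class netlink_audit_socket { create nlmsg_relay read write };
}
#============= httpd_suexec_t ==============
# Let suexec hand the script domain its rlimits / signal state across exec.
allow httpd_suexec_t httpd_sys_script_t:process { noatsecure rlimitinh siginh };
#============= httpd_sys_script_t ==============
# Directory traversal only; file access to git content is granted to httpd_t below.
allow httpd_sys_script_t git_content_t:dir search;
allow httpd_sys_script_t gitosis_var_lib_t:dir { getattr search };
# NOTE(review): setuid/setgid/dac_read_search let the CGI domain change
# credentials and bypass DAC read checks; net_admin on self is frequently
# the result of a setsockopt() denial rather than a real need. Confirm each
# capability against the script that triggers it before keeping it.
allow httpd_sys_script_t self:capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
# audit_write + netlink_audit_socket: the scripts emit audit records themselves
# (typical of PAM-based authentication); presumably paired with chkpwd_t use.
allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay read write };
allow httpd_sys_script_t self:process setrlimit;
# NOTE(review): direct read of shadow_t from the CGI domain. Password checks
# normally go through chkpwd_t (required above and referenced under init_t);
# verify this rule is still needed and remove it if the helper is used instead.
allow httpd_sys_script_t shadow_t:file { getattr open read };
#============= httpd_t ==============
# httpd_t writes into git content and the gitosis data directory
# (repository creation / removal from the web front end, presumably).
allow httpd_t git_content_t:dir { add_name remove_name write };
allow httpd_t git_content_t:file { create rename setattr unlink write };
# merged: { create rmdir } and { add_name remove_name write } on the same dir class
allow httpd_t gitosis_var_lib_t:dir { add_name create remove_name rmdir write };
# merged: rename and { create link unlink write } on the same file class
allow httpd_t gitosis_var_lib_t:file { create link rename unlink write };
allow httpd_t httpd_suexec_t:process { noatsecure rlimitinh siginh };
# NOTE(review): see the net_admin remark under httpd_sys_script_t — confirm
# httpd_t actually needs it.
allow httpd_t self:capability net_admin;
# Read-only access to generic var_t files (added with the "missing type" commit).
allow httpd_t var_t:file { getattr open read };
#============= init_t ==============
# Signal-inheritance across exec for services started by init; these look
# like systemd-spawned helpers — confirm they are wanted in this module.
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_t:process siginh;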