Code Vault

xaizek / rocketgit (License: AGPLv3+) (since 2018-12-09)

Light and fast Git hosting solution suitable to serve both as a hub or as a personal code storage with its tickets, pull requests, API and much more.

Clone URLs: https://code.reversed.top/user/xaizek/rocketgit ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit

Commit fa9d4acd0c6ee730ee45c3e3ab57b55665e74666

Updates SELinux policy file
Author: Catalin(ux) M. BOIE
Author date (UTC): 2017-01-30 18:51
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2017-01-30 18:51
Parent(s): 63ff4cf11961421d6f187d2597354d12eff9a810
Signing key:
Tree: e4f9d0f443fa255bf9361a119d7082aca77be251

File	Lines added	Lines deleted
selinux/rocketgit.te.tmpl	7	17

File selinux/rocketgit.te.tmpl changed (mode: 100644) (index 6fe2153..303d90a)
1		policy_module(rocketgit,1.0.114)
	1		policy_module(rocketgit,1.0.119)
2	2
3	3	########################################	########################################
4	4	#	#

...	...	role unconfined_r types rocketgit_t;
33	33	type rocketgit_t;	type rocketgit_t;
34	34	domain_type(rocketgit_t)	domain_type(rocketgit_t)
35	35
36		apache_content_template(rocketgit)
37	36	# Allow crons to search in /var/lib - not clear why	# Allow crons to search in /var/lib - not clear why
38	37	files_search_var_lib(rocketgit_t)	files_search_var_lib(rocketgit_t)
39	38
40	39	# Allow rocketgit_t to manage .ssh/authorized_keys	# Allow rocketgit_t to manage .ssh/authorized_keys
41	40	ssh_manage_home_files(rocketgit_t)	ssh_manage_home_files(rocketgit_t)
42	41
43		# Allow apache to write authrorized_keys[.tmp] file(s)
44		allow httpd_t user_home_dir_t:file { create getattr open rename setattr write };
45		userdom_manage_user_home_dirs(httpd_t)
46
47	42	type rocketgit_exec_t;	type rocketgit_exec_t;
48	43	domain_entry_file(rocketgit_t, rocketgit_exec_t)	domain_entry_file(rocketgit_t, rocketgit_exec_t)
49	44

...	...	manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
120	115	# 'rocketgit' user.	# 'rocketgit' user.
121	116	manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)	manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)
122	117	logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)	logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
123		# below line tries to allow httpd to create err-* files in /var/log/rocketgit-web
124		#filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file)
125		# allow rocketgit_t access to /var/log/rocketgit-web. Why?
126		# Some of rights are needed because cron as apache is deleting log files in
127		# /var/log/rocketgit-web.
128		allow rocketgit_t httpd_log_t:dir { search write add_name remove_name getattr read open };
129		allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append };
130	118
131	119
132	120	# content (repos)	# content (repos)

...	...	allow rocketgit_t tmp_t:file { write open create unlink setattr };
197	185	# Locale	# Locale
198	186	miscfiles_read_localization(rocketgit_t)	miscfiles_read_localization(rocketgit_t)
199	187
200		# Because cron.sh/apache:
201		# type=AVC msg=audit(1461432301.793:1002): avc: denied { getattr } for pid=3503 comm="cron.sh" path="/var/www" dev="dm-0" ino=143915 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
202		apache_search_sys_content(rocketgit_t)
203
204	188	# type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0	# type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
205	189	files_list_tmp(rocketgit_t)	files_list_tmp(rocketgit_t)
206	190
	191		# Hugetlbfs (for opcache):
	192		# type=AVC msg=audit(1482069602.067:865): avc: denied { read write } for pid=2157 comm="php" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=26965 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
	193		fs_rw_hugetlbfs_files(rocketgit_t)
	194		fs_exec_hugetlbfs_files(rocketgit_t)
	195		allow rocketgit_t self:process execmem;
	196
207	197	# worker.sh needs some rights	# worker.sh needs some rights
208	198	type rocketgit_worker_t;	type rocketgit_worker_t;
209	199	domain_type(rocketgit_worker_t)	domain_type(rocketgit_worker_t)

Hints

Before first commit, do not forget to setup your git environment:

git config --global user.name "your_name_here"
git config --global user.email "your@email_here"

Clone this repository using HTTP(S):

git clone https://code.reversed.top/user/xaizek/rocketgit

Clone this repository using ssh (do not forget to upload a key first):

git clone ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit

You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a pull request:

... clone the repository ...
... make some changes and some commits ...
git push origin master