xaizek / rocketgit (License: AGPLv3+) (since 2018-12-09)
Light and fast Git hosting solution suitable to serve both as a hub or as a personal code storage with its tickets, pull requests, API and much more.
Commit fa9d4acd0c6ee730ee45c3e3ab57b55665e74666

Updates SELinux policy file
Author: Catalin(ux) M. BOIE
Author date (UTC): 2017-01-30 18:51
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2017-01-30 18:51
Parent(s): 63ff4cf11961421d6f187d2597354d12eff9a810
Signing key:
Tree: e4f9d0f443fa255bf9361a119d7082aca77be251
File Lines added Lines deleted
selinux/rocketgit.te.tmpl 7 17
File selinux/rocketgit.te.tmpl changed (mode: 100644) (index 6fe2153..303d90a)
1 policy_module(rocketgit,1.0.114)
1 policy_module(rocketgit,1.0.119)
2 2
3 3 ######################################## ########################################
4 4 # #
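Review bot: The module version jumps from 1.0.114 to 1.0.119 in one commit while the commit message only says "Updates SELinux policy file"; since the rest of this diff removes httpd_t permissions and adds execmem to rocketgit_t, the message should state what was removed and why, so the policy history can be audited later.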
 
... ... role unconfined_r types rocketgit_t;
33 33 type rocketgit_t; type rocketgit_t;
34 34 domain_type(rocketgit_t) domain_type(rocketgit_t)
35 35
36 apache_content_template(rocketgit)
37 36 # Allow crons to search in /var/lib - not clear why # Allow crons to search in /var/lib - not clear why
38 37 files_search_var_lib(rocketgit_t) files_search_var_lib(rocketgit_t)
39 38
40 39 # Allow rocketgit_t to manage .ssh/authorized_keys # Allow rocketgit_t to manage .ssh/authorized_keys
41 40 ssh_manage_home_files(rocketgit_t) ssh_manage_home_files(rocketgit_t)
42 41
43 # Allow apache to write authrorized_keys[.tmp] file(s)
44 allow httpd_t user_home_dir_t:file { create getattr open rename setattr write };
45 userdom_manage_user_home_dirs(httpd_t)
46
47 42 type rocketgit_exec_t; type rocketgit_exec_t;
48 43 domain_entry_file(rocketgit_t, rocketgit_exec_t) domain_entry_file(rocketgit_t, rocketgit_exec_t)
49 44
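Review bot: Dropping `apache_content_template(rocketgit)` also drops the derived httpd_rocketgit_* content types that template declares, yet this commit touches only selinux/rocketgit.te.tmpl; please confirm the file-context (.fc) file and any other policy source do not still label files with those types, or the module will fail to build or leave files mislabelled. Removing `allow httpd_t user_home_dir_t:file { create getattr open rename setattr write };` and `userdom_manage_user_home_dirs(httpd_t)` is a welcome tightening (httpd_t no longer gets write access to user home directories), but the surviving comment "Allow rocketgit_t to manage .ssh/authorized_keys" implies the authorized_keys rewrite must now run in rocketgit_t rather than under apache; verify that path with a test key upload and check the audit log for denials before shipping.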
 
... ... manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
120 115 # 'rocketgit' user. # 'rocketgit' user.
121 116 manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t) manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)
122 117 logging_log_filetrans(rocketgit_t, rocketgit_log_t, file) logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
123 # below line tries to allow httpd to create err-* files in /var/log/rocketgit-web
124 #filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file)
125 # allow rocketgit_t access to /var/log/rocketgit-web. Why?
126 # Some of rights are needed because cron as apache is deleting log files in
127 # /var/log/rocketgit-web.
128 allow rocketgit_t httpd_log_t:dir { search write add_name remove_name getattr read open };
129 allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append };
130 118
131 119
132 120 # content (repos) # content (repos)
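Review bot: The removed comment explicitly said the `allow rocketgit_t httpd_log_t:dir` / `:file` rules were needed because a cron job running as apache deletes log files in /var/log/rocketgit-web; the diff removes the rules but nothing here shows that the cron behaviour changed, so either the cron job should be cited as fixed or a short comment should replace the deleted one explaining why the access is no longer required. Note that `manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)` is kept, so httpd_t still has full management rights over rocketgit_log_t; the asymmetry is fine if /var/log/rocketgit-web is now labelled rocketgit_log_t rather than httpd_log_t, which is worth confirming with `ls -Z`.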
 
... ... allow rocketgit_t tmp_t:file { write open create unlink setattr };
197 185 # Locale # Locale
198 186 miscfiles_read_localization(rocketgit_t) miscfiles_read_localization(rocketgit_t)
199 187
200 # Because cron.sh/apache:
201 # type=AVC msg=audit(1461432301.793:1002): avc: denied { getattr } for pid=3503 comm="cron.sh" path="/var/www" dev="dm-0" ino=143915 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
202 apache_search_sys_content(rocketgit_t)
203
204 188 # type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 # type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
205 189 files_list_tmp(rocketgit_t) files_list_tmp(rocketgit_t)
206 190
191 # Hugetlbfs (for opcache):
192 # type=AVC msg=audit(1482069602.067:865): avc: denied { read write } for pid=2157 comm="php" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=26965 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
193 fs_rw_hugetlbfs_files(rocketgit_t)
194 fs_exec_hugetlbfs_files(rocketgit_t)
195 allow rocketgit_t self:process execmem;
196
207 197 # worker.sh needs some rights # worker.sh needs some rights
208 198 type rocketgit_worker_t; type rocketgit_worker_t;
209 199 domain_type(rocketgit_worker_t) domain_type(rocketgit_worker_t)
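Review bot: `allow rocketgit_t self:process execmem;` together with `fs_exec_hugetlbfs_files(rocketgit_t)` grants the domain writable-and-executable anonymous memory and executable hugetlbfs mappings, which weakens the W^X protection SELinux otherwise enforces for this domain; the quoted AVC only shows `{ read write }` denied on hugetlbfs (the hex path 2F616E6F6E5F6875676570616765202864656C6574656429 decodes to "/anon_hugepage (deleted)", hex-encoded because of the space), so the exec side is not evidenced by the log line. Suggest keeping only `fs_rw_hugetlbfs_files(rocketgit_t)` unless an execute denial is actually observed, or gating the execmem/exec rules behind a tunable (as refpolicy does for httpd with a boolean) so deployments without opcache JIT need not carry them. Removing `apache_search_sys_content(rocketgit_t)` while keeping `files_list_tmp(rocketgit_t)` is consistent with cron.sh no longer running under /var/www, but that assumption should be stated in place of the deleted comment.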