policy_module(rocketgit,1.0.81)

########################################
#
# Declarations
#

gen_require(`
	# really needed httpd_log_t?
	type httpd_t;
	type httpd_log_t;
	type system_mail_t;
	type unconfined_t;
	type unreserved_port_t;
	role unconfined_r;
')

# Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \
# security_compute_sid:  invalid context \
# unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \
# scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
# tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
role unconfined_r types rocketgit_t;

type rocketgit_t;
domain_type(rocketgit_t)

apache_content_template(rocketgit)
# Allow crons to search in /var/lib - not clear why
files_search_var_lib(rocketgit_t)

# Allow rocketgit_t to manage .ssh/authorized_keys
ssh_manage_home_files(rocketgit_t)

type rocketgit_exec_t;
domain_entry_file(rocketgit_t, rocketgit_exec_t)

# When cron executes rocketgit_exec_t, we transition to rocketgit_t
cron_system_entry(rocketgit_t, rocketgit_exec_t)

# When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t
# is not enough. Why?!
optional_policy(`
	inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t)
')

# Force ssh to transition to rocketgit_t
domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)

# Allow events.php to manage /home/rocketgit/.ssh
userdom_manage_user_home_content(rocketgit_t)

# Allow PHP to read /proc/meminfo, probably other files
# Seems a little bit too much. TODO
kernel_read_system_state(rocketgit_t)

dev_read_urand(rocketgit_t)

# Allow rocketgit_t to execute flock.
# Seems a little bit too much to allow all execution. TODO
application_exec_all(rocketgit_t)

# Allow rocketgit_t to use tcp sockets
allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt };

# Allow basic access to net
sysnet_read_config(rocketgit_t)
sysnet_dns_name_resolve(rocketgit_t)

# Allow it to connect to any port - think about webhooks
allow rocketgit_t unreserved_port_t:tcp_socket name_connect;

# Probably to list owner of files
auth_read_passwd(rocketgit_t)


# php files
type rocketgit_usr_t;
files_type(rocketgit_usr_t)
read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t)


# log files
type rocketgit_log_t;
files_type(rocketgit_log_t)
manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
# below line tries to allow httpd to create err-* files in /var/log/rocketgit-web
#filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file)
# allow rocketgit_t access to /var/log/rocketgit-web. Why?
# Some of rights are needed because cron as apache is deleting log files in
# /var/log/rocketgit-web.
allow rocketgit_t httpd_log_t:dir { search write add_name remove_name getattr read open };
allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append };


# content (repos)
type rocketgit_var_t;
files_type(rocketgit_var_t)
admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)


# sockets
type rocketgit_socket_t;
files_type(rocketgit_socket_t)
manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t)
filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file)
rw_sock_files_pattern(httpd_t, rocketgit_socket_t, rocketgit_socket_t)
# Allow httpd to connect to _domain_ rocketgit_t for event.sock
allow httpd_t rocketgit_t:unix_stream_socket connectto;


# locks
type rocketgit_lock_t;
files_lock_file(rocketgit_lock_t)
manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t)
#read_files_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t)
filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file)


# conf
type rocketgit_conf_t;
files_type(rocketgit_conf_t)
read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t)
filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file)
read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t)


# Permit PHP to use nscd socket
optional_policy(`
	nscd_socket_use(rocketgit_t)
')

# Allow connection to database
postgresql_tcp_connect(rocketgit_t)
postgresql_stream_connect(rocketgit_t)

# mail
mta_send_mail(rocketgit_t)

# self
allow rocketgit_t self:unix_stream_socket { connectto };
allow rocketgit_t self:process { setsched };

# PHP needs getattr to /var/lib
files_getattr_var_lib_dirs(rocketgit_t)

# We leak log and lock fds, ignore for now - not clear if 'dontaudit' = allow! TODO
dontaudit system_mail_t rocketgit_lock_t:file { read write };
dontaudit system_mail_t rocketgit_log_t:file append;
dontaudit system_mail_t rocketgit_usr_t:file read;

# Seems that the opcode cache (php-opcache) needs write access to /tmp
allow rocketgit_t tmp_t:dir { write remove_name add_name };
allow rocketgit_t tmp_t:file { write open create unlink setattr };