policy_module(rocketgit,1.0.105)

########################################
#
# Declarations
#

gen_require(`
	# really needed httpd_log_t?
	type httpd_t;
	type httpd_log_t;
	type system_mail_t;
	type unconfined_t;
	role unconfined_r;
	type fs_t;
	# next are for worker.sh
	#class dir mounton;
	#class filesystem { getattr mount unmount };
	#class capability { setgid setuid sys_admin };

	@@EXTRA_GEN_REQUIRE@@
')

# Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \
# security_compute_sid:  invalid context \
# unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \
# scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
# tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process
role unconfined_r types rocketgit_t;

type rocketgit_t;
domain_type(rocketgit_t)

apache_content_template(rocketgit)
# Allow crons to search in /var/lib - not clear why
files_search_var_lib(rocketgit_t)

# Allow rocketgit_t to manage .ssh/authorized_keys
ssh_manage_home_files(rocketgit_t)

type rocketgit_exec_t;
domain_entry_file(rocketgit_t, rocketgit_exec_t)

# When cron executes rocketgit_exec_t, we transition to rocketgit_t
cron_system_entry(rocketgit_t, rocketgit_exec_t)

# When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t
# is not enough. Why?!
optional_policy(`
	inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t)
')

# Force ssh to transition to rocketgit_t
domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)

# Allow events.php to manage /home/rocketgit/.ssh
userdom_manage_user_home_content(rocketgit_t)

# Allow PHP to read /proc/meminfo, probably other files
# Seems a little bit too much. TODO
kernel_read_system_state(rocketgit_t)

dev_read_urand(rocketgit_t)

# Allow rocketgit_t to execute flock.
# Seems a little bit too much to allow all execution. TODO
application_exec_all(rocketgit_t)

# Allow rocketgit_t to use tcp sockets (webhooks)
corenet_tcp_connect_all_ports(rocketgit_t)
corenet_tcp_bind_all_ports(rocketgit_t)
corenet_tcp_bind_all_nodes(rocketgit_t)
###allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt listen accept };
###allow rocketgit_t unreserved_port_t:tcp_socket { name_bind getopt setopt };
###allow rocketgit_t node_t:tcp_socket node_bind;
sysnet_dns_name_resolve(rocketgit_t)

# builder.php:
#type=AVC msg=audit(1467841975.578:232307): avc:  denied  { listen } for  pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
#type=AVC msg=audit(1467841975.808:232308): avc:  denied  { dac_override } for  pid=21319 comm="php" capability=1  scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
#type=AVC msg=audit(1467841975.809:232309): avc:  denied  { fowner } for  pid=21319 comm="php" capability=3  scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
#type=AVC msg=audit(1467841975.809:232310): avc:  denied  { fsetid } for  pid=21319 comm="php" capability=4  scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1
#type=AVC msg=audit(1467841975.949:232311): avc:  denied  { accept } for  pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
allow rocketgit_t self:capability { dac_override fowner fsetid };
allow rocketgit_t self:tcp_socket { accept listen };

# Allow basic access to net
sysnet_read_config(rocketgit_t)
sysnet_dns_name_resolve(rocketgit_t)

# Probably to list owner of files
auth_read_passwd(rocketgit_t)


# php files
type rocketgit_usr_t;
files_type(rocketgit_usr_t)
read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t)


# log files
type rocketgit_log_t;
files_type(rocketgit_log_t)
manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t)
# Allow httpd(php-fpm) to create log files - note that it will run as
# 'rocketgit' user.
manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t)
logging_log_filetrans(rocketgit_t, rocketgit_log_t, file)
# below line tries to allow httpd to create err-* files in /var/log/rocketgit-web
#filetrans_pattern(httpd_t,dirtype?,rocketgit_log_t, file)
# allow rocketgit_t access to /var/log/rocketgit-web. Why?
# Some of rights are needed because cron as apache is deleting log files in
# /var/log/rocketgit-web.
allow rocketgit_t httpd_log_t:dir { search write add_name remove_name getattr read open };
allow rocketgit_t httpd_log_t:file { getattr setattr create unlink open append };


# content (repos)
type rocketgit_var_t;
files_type(rocketgit_var_t)
admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)


# sockets
type rocketgit_socket_t;
files_type(rocketgit_socket_t)
manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t)
filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file)
rw_sock_files_pattern(httpd_t, rocketgit_socket_t, rocketgit_socket_t)
# Allow httpd to connect to _domain_ rocketgit_t for event.sock
allow httpd_t rocketgit_t:unix_stream_socket connectto;


# locks
type rocketgit_lock_t;
files_lock_file(rocketgit_lock_t)
manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t)
#read_files_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t)
filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file)


# conf
type rocketgit_conf_t;
files_type(rocketgit_conf_t)
read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t)
filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file)
read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t)


# Permit PHP to use nscd socket
optional_policy(`
	nscd_socket_use(rocketgit_t)
')

# Allow connection to database
postgresql_tcp_connect(rocketgit_t)
postgresql_stream_connect(rocketgit_t)

# mail
mta_send_mail(rocketgit_t)

# self
allow rocketgit_t self:unix_stream_socket { connectto };
allow rocketgit_t self:process { setsched };

# PHP needs getattr to /var/lib
files_getattr_var_lib_dirs(rocketgit_t)

# We leak log and lock fds, ignore for now - not clear if 'dontaudit' = allow! TODO
dontaudit system_mail_t rocketgit_lock_t:file { read write };
dontaudit system_mail_t rocketgit_log_t:file append;
dontaudit system_mail_t rocketgit_usr_t:file read;

# Seems that the opcode cache (php-opcache) needs write access to /tmp
allow rocketgit_t tmp_t:dir { write remove_name add_name };
allow rocketgit_t tmp_t:file { write open create unlink setattr };

# Locale
miscfiles_read_localization(rocketgit_t)

# Because cron.sh/apache:
# type=AVC msg=audit(1461432301.793:1002): avc:  denied  { getattr } for  pid=3503 comm="cron.sh" path="/var/www" dev="dm-0" ino=143915 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
apache_search_sys_content(rocketgit_t)

# type=AVC msg=audit(1461494910.399:8020179): avc:  denied  { read } for  pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
files_list_tmp(rocketgit_t)

# worker.sh needs some rights
type rocketgit_worker_t;
domain_type(rocketgit_worker_t)
optional_policy(`
	unconfined_domain(rocketgit_worker_t)
')
role unconfined_r types rocketgit_worker_t;
type rocketgit_worker_exec_t;
domain_entry_file(rocketgit_worker_t, rocketgit_worker_exec_t)
# When cron executes rocketgit_worker_t, we transition to rocketgit_worker_t
cron_system_entry(rocketgit_worker_t, rocketgit_worker_exec_t)
#allow rocketgit_t fs_t:filesystem { getattr mount unmount };
#allow rocketgit_t rocketgit_var_t:dir mounton;
#allow rocketgit_t self:capability { setgid setuid };
#dev_list_sysfs(rocketgit_t)
#dev_read_sysfs(rocketgit_t)
#dev_read_rand(rocketgit_t)
#dev_rw_loop_control(rocketgit_t)
#kernel_setsched(rocketgit_t)
#kernel_read_network_state(rocketgit_t)
#virt_admin(rocketgit_t, unconfined_r)
#mount_rw_pid_files(rocketgit_t)
#storage_manage_fixed_disk(rocketgit_t)
#files_manage_isid_type_dirs(rocketgit_t)
#files_manage_isid_type_files(rocketgit_t)
#files_manage_isid_type_symlinks(rocketgit_t)
#userdom_read_admin_home_files(rocketgit_t)
#miscfiles_read_hwdata(rocketgit_t)