|
@@ -0,0 +1,109 @@
|
|
|
+policy_module(gogs, 0.2.5)
|
|
|
+
|
|
|
+########################################
|
|
|
+#
|
|
|
+# Declarations
|
|
|
+#
|
|
|
+
|
|
|
+attribute_role gogs_roles;
|
|
|
+
|
|
|
+type gogs_t;
|
|
|
+type gogs_exec_t;
|
|
|
+init_daemon_domain(gogs_t, gogs_exec_t)
|
|
|
+
|
|
|
+type gogs_initrc_exec_t;
|
|
|
+init_script_file(gogs_initrc_exec_t)
|
|
|
+
|
|
|
+type gogs_opt_t;
|
|
|
+files_type(gogs_opt_t)
|
|
|
+
|
|
|
+type gogs_var_lib_t;
|
|
|
+files_type(gogs_var_lib_t)
|
|
|
+
|
|
|
+type gogs_tmp_t;
|
|
|
+files_tmp_file(gogs_tmp_t);
|
|
|
+
|
|
|
+type gogs_ssh_t;
|
|
|
+files_type(gogs_ssh_t)
|
|
|
+
|
|
|
+########################################
|
|
|
+#
|
|
|
+# Local policy
|
|
|
+#
|
|
|
+allow gogs_t self:fifo_file { read write getattr };
|
|
|
+allow gogs_t self:process { getsched signal };
|
|
|
+allow gogs_t self:tcp_socket { getattr setopt bind create accept listen read write connect getopt };
|
|
|
+allow gogs_t self:udp_socket { connect getattr create setopt };
|
|
|
+allow gogs_t self:fifo_file ioctl;
|
|
|
+allow gogs_t gogs_exec_t:file execute_no_trans;
|
|
|
+allow gogs_t gogs_var_lib_t:file { execute execute_no_trans };
|
|
|
+
|
|
|
+manage_dirs_pattern(gogs_t, gogs_opt_t, gogs_opt_t)
|
|
|
+manage_files_pattern(gogs_t, gogs_opt_t, gogs_opt_t)
|
|
|
+
|
|
|
+manage_dirs_pattern(gogs_t, gogs_ssh_t, gogs_ssh_t)
|
|
|
+manage_files_pattern(gogs_t, gogs_ssh_t, gogs_ssh_t)
|
|
|
+manage_lnk_files_pattern(gogs_t, gogs_ssh_t, gogs_ssh_t)
|
|
|
+filetrans_pattern(gogs_t, gogs_opt_t, gogs_ssh_t, { file dir lnk_file })
|
|
|
+
|
|
|
+
|
|
|
+manage_dirs_pattern(gogs_t, gogs_var_lib_t, gogs_var_lib_t)
|
|
|
+manage_files_pattern(gogs_t, gogs_var_lib_t, gogs_var_lib_t)
|
|
|
+manage_lnk_files_pattern(gogs_t, gogs_var_lib_t, gogs_var_lib_t)
|
|
|
+optional_policy(`
|
|
|
+ gen_require(`
|
|
|
+ type var_lib_t;
|
|
|
+ ')
|
|
|
+ filetrans_pattern(gogs_t, var_lib_t, gogs_var_lib_t, { file dir lnk_file })
|
|
|
+')
|
|
|
+
|
|
|
+manage_dirs_pattern(gogs_t, gogs_var_lib_t, gogs_tmp_t)
|
|
|
+manage_files_pattern(gogs_t, gogs_var_lib_t, gogs_tmp_t)
|
|
|
+files_tmp_filetrans(gogs_t, gogs_tmp_t, { file dir } )
|
|
|
+
|
|
|
+miscfiles_read_localization(gogs_t)
|
|
|
+
|
|
|
+corenet_tcp_bind_generic_node(gogs_t)
|
|
|
+corenet_tcp_bind_ntop_port(gogs_t)
|
|
|
+corenet_tcp_connect_smtp_port(gogs_t)
|
|
|
+corenet_tcp_connect_ntop_port(gogs_t)
|
|
|
+kernel_read_net_sysctls(gogs_t)
|
|
|
+kernel_read_system_state(gogs_t)
|
|
|
+
|
|
|
+git_exec(gogs_t)
|
|
|
+git_read_usr_t(gogs_t)
|
|
|
+corecmd_exec_bin(gogs_t)
|
|
|
+files_read_etc_files(gogs_t)
|
|
|
+mysql_tcp_connect(gogs_t)
|
|
|
+sysnet_read_config(gogs_t)
|
|
|
+kernel_read_kernel_sysctls(gogs_t)
|
|
|
+kernel_read_vm_sysctls(gogs_t)
|
|
|
+dev_read_sysfs(gogs_t)
|
|
|
+corecmd_exec_shell(gogs_t)
|
|
|
+
|
|
|
+dev_read_urand(gogs_t)
|
|
|
+
|
|
|
+optional_policy(`
|
|
|
+ gen_require(`
|
|
|
+ type sshd_t;
|
|
|
+ ')
|
|
|
+ manage_files_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)
|
|
|
+ manage_dirs_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)
|
|
|
+ search_dirs_pattern(sshd_t, gogs_opt_t, gogs_opt_t)
|
|
|
+ domain_auto_trans(sshd_t, gogs_exec_t, gogs_t)
|
|
|
+')
|
|
|
+
|
|
|
+optional_policy(`
|
|
|
+ gen_require(`
|
|
|
+ type supervisor_t;
|
|
|
+ ')
|
|
|
+ supervisor_service_domain(gogs_t, gogs_exec_t)
|
|
|
+ allow supervisor_t gogs_opt_t:dir search;
|
|
|
+')
|
|
|
+
|
|
|
+optional_policy(`
|
|
|
+ gen_require(`
|
|
|
+ type ssh_keygen_exec_t;
|
|
|
+ ')
|
|
|
+ allow gogs_t ssh_keygen_exec_t:file { read getattr open execute execute_no_trans };
|
|
|
+')
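Review bot: The rule at `allow gogs_t gogs_var_lib_t:file { execute execute_no_trans };` makes gogs_var_lib_t both writable (the manage_*_pattern rules on the same type a few lines below) and executable by gogs_t, so anything the daemon can be made to write under its data directory it can also run, which removes most of what the confinement buys after a web-layer compromise; presumably this exists for server-side git hooks, so it should at least be called out and made switchable with a tunable rather than granted unconditionally, or the hook directories given a dedicated type that is the only one gogs_t may execute. In the sshd_t block, `manage_files_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)` and the matching dirs rule give sshd write/create/delete on the authorized_keys data when consuming it only needs read, so `read_files_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)` plus `search_dirs_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)` is the tighter form. The two `manage_*_pattern(gogs_t, gogs_var_lib_t, gogs_tmp_t)` lines name gogs_var_lib_t as the directory type although files_tmp_filetrans creates the gogs_tmp_t entries under tmp_t, which looks like a copy-paste slip; `gogs_tmp_t` in both positions is the conventional form. The trailing `;` on `files_tmp_file(gogs_tmp_t);` is inconsistent with every other macro call here and may be rejected by the policy compiler, so drop it.
```selinux
# … unchanged: declarations, self:* and gogs_exec_t rules …
# gogs_var_lib_t is also writable by gogs_t (manage_*_pattern below), so this
# is a deliberate W^X exception — presumably for git hooks under the data dir;
# keep it behind a tunable so it can be disabled where hooks are not used.
gen_tunable(gogs_exec_var_lib, true)
tunable_policy(`gogs_exec_var_lib',`
	allow gogs_t gogs_var_lib_t:file { execute execute_no_trans };
')
# … unchanged: gogs_opt_t, gogs_ssh_t, gogs_var_lib_t rules …
manage_dirs_pattern(gogs_t, gogs_tmp_t, gogs_tmp_t)
manage_files_pattern(gogs_t, gogs_tmp_t, gogs_tmp_t)
files_tmp_filetrans(gogs_t, gogs_tmp_t, { file dir } )
# … unchanged: corenet/kernel/git/mysql rules …
optional_policy(`
	gen_require(`
		type sshd_t;
	')
	# sshd only reads authorized_keys; it never has to write gogs_ssh_t.
	read_files_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)
	search_dirs_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)
	search_dirs_pattern(sshd_t, gogs_opt_t, gogs_opt_t)
	domain_auto_trans(sshd_t, gogs_exec_t, gogs_t)
')
```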
|