Hoshpak
/
gentoo-selinux-policies


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114
							policy_module(gogs, 0.2.10)

########################################
#
# Declarations
#

attribute_role gogs_roles;

type gogs_t;
type gogs_exec_t;
init_daemon_domain(gogs_t, gogs_exec_t)

type gogs_initrc_exec_t;
init_script_file(gogs_initrc_exec_t)

type gogs_opt_t;
files_type(gogs_opt_t)

type gogs_var_lib_t;
files_type(gogs_var_lib_t)

type gogs_tmp_t;
files_tmp_file(gogs_tmp_t);

type gogs_ssh_t;
files_type(gogs_ssh_t)

########################################
#
# Local policy
#
allow gogs_t self:fifo_file { read write getattr };
allow gogs_t self:process { getsched signal sigkill };
allow gogs_t self:tcp_socket { getattr setopt bind create accept listen read write connect getopt };
allow gogs_t self:udp_socket { connect getattr create setopt write };
allow gogs_t self:fifo_file ioctl;
allow gogs_t gogs_exec_t:file execute_no_trans;
allow gogs_t gogs_var_lib_t:file { execute execute_no_trans };

manage_dirs_pattern(gogs_t, gogs_opt_t, gogs_opt_t)
manage_files_pattern(gogs_t, gogs_opt_t, gogs_opt_t)

manage_dirs_pattern(gogs_t, gogs_ssh_t, gogs_ssh_t)
manage_files_pattern(gogs_t, gogs_ssh_t, gogs_ssh_t)
manage_lnk_files_pattern(gogs_t, gogs_ssh_t, gogs_ssh_t)
allow gogs_t gogs_ssh_t:file map;
filetrans_pattern(gogs_t, gogs_opt_t, gogs_ssh_t, { file dir lnk_file })


manage_dirs_pattern(gogs_t, gogs_var_lib_t, gogs_var_lib_t)
manage_files_pattern(gogs_t, gogs_var_lib_t, gogs_var_lib_t)
manage_lnk_files_pattern(gogs_t, gogs_var_lib_t, gogs_var_lib_t)
optional_policy(`
  gen_require(`
    type var_lib_t;
  ')
  filetrans_pattern(gogs_t, var_lib_t, gogs_var_lib_t, { file dir lnk_file })
')

manage_dirs_pattern(gogs_t, gogs_var_lib_t, gogs_tmp_t)
manage_files_pattern(gogs_t, gogs_var_lib_t, gogs_tmp_t)
files_tmp_filetrans(gogs_t, gogs_tmp_t, { file dir } )

allow gogs_t gogs_opt_t:file map;
allow gogs_t gogs_var_lib_t:file map;

miscfiles_read_localization(gogs_t)
miscfiles_read_all_certs(gogs_t)

corenet_tcp_bind_generic_node(gogs_t)
corenet_tcp_bind_ntop_port(gogs_t)
corenet_tcp_connect_smtp_port(gogs_t)
corenet_tcp_connect_ntop_port(gogs_t)
kernel_read_net_sysctls(gogs_t)
kernel_read_system_state(gogs_t)

git_exec(gogs_t)
git_read_usr_t(gogs_t)
corecmd_exec_bin(gogs_t)
files_read_etc_files(gogs_t)
mysql_tcp_connect(gogs_t)
sysnet_read_config(gogs_t)
kernel_read_kernel_sysctls(gogs_t)
kernel_read_vm_sysctls(gogs_t)
dev_read_sysfs(gogs_t)
corecmd_exec_shell(gogs_t)

dev_read_urand(gogs_t)

optional_policy(`
  gen_require(`
    type sshd_t;
    ')
  manage_files_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)
  manage_dirs_pattern(sshd_t, gogs_ssh_t, gogs_ssh_t)
  search_dirs_pattern(sshd_t, gogs_opt_t, gogs_opt_t)
  domain_auto_transition_pattern(sshd_t, gogs_exec_t, gogs_t)
')

optional_policy(`
  gen_require(`
    type supervisor_t;
  ')
  supervisor_service_domain(gogs_t, gogs_exec_t)
  allow supervisor_t gogs_opt_t:dir search;
')

optional_policy(`
  gen_require(`
    type ssh_keygen_exec_t;
  ')
  allow gogs_t ssh_keygen_exec_t:file { read getattr open execute execute_no_trans map };
')