gentoo-overlay/sec-policy/selinux-gitea/files/gitea.if

309 lines
5.8 KiB
Plaintext
Raw Normal View History

2019-05-26 21:27:11 +03:00
## <summary>policy for gitea</summary>
########################################
## <summary>
## Role access for gitea
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`gitea_role', `
gen_require(`
attribute_role gitea_roles;
type gitea_t, gitea_exec_t;
')
roleattribute $1 gitea_roles;
domtrans_pattern($2, gitea_exec_t, gitea_t)
')
########################################
## <summary>
## Execute gitea_exec_t in the gitea domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`gitea_domtrans',`
gen_require(`
type gitea_t, gitea_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gitea_exec_t, gitea_t)
')
######################################
## <summary>
## Execute gitea in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_exec',`
gen_require(`
type gitea_exec_t;
')
corecmd_search_bin($1)
can_exec($1, gitea_exec_t)
')
########################################
## <summary>
## Read gitea's tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`gitea_read_tmp',`
gen_require(`
type gitea_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, gitea_tmp_t, gitea_tmp_t)
')
########################################
## <summary>
## Read gitea's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`gitea_read_log',`
gen_require(`
type gitea_log_t;
')
logging_search_logs($1)
read_files_pattern($1, gitea_log_t, gitea_log_t)
')
########################################
## <summary>
## Append to gitea log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_append_log',`
gen_require(`
type gitea_log_t;
')
logging_search_logs($1)
append_files_pattern($1, gitea_log_t, gitea_log_t)
')
########################################
## <summary>
## Manage gitea repo files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_manage_repo',`
gen_require(`
type gitea_repo_t;
')
manage_dirs_pattern($1, gitea_repo_t, gitea_repo_t)
manage_files_pattern($1, gitea_repo_t, gitea_repo_t)
manage_lnk_files_pattern($1, gitea_repo_t, gitea_repo_t)
')
########################################
## <summary>
## Manage gitea log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_manage_log',`
gen_require(`
type gitea_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, gitea_log_t, gitea_log_t)
manage_files_pattern($1, gitea_log_t, gitea_log_t)
manage_lnk_files_pattern($1, gitea_log_t, gitea_log_t)
')
########################################
## <summary>
## Search gitea lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_search_lib',`
gen_require(`
type gitea_var_lib_t;
')
allow $1 gitea_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read gitea lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_read_lib_files',`
gen_require(`
type gitea_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, gitea_var_lib_t, gitea_var_lib_t)
')
########################################
## <summary>
## Manage gitea lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_manage_lib_files',`
gen_require(`
type gitea_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, gitea_var_lib_t, gitea_var_lib_t)
')
########################################
## <summary>
## Manage gitea lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_manage_lib_dirs',`
gen_require(`
type gitea_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, gitea_var_lib_t, gitea_var_lib_t)
')
########################################
## <summary>
## Read gitea PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gitea_read_pid_files',`
gen_require(`
type gitea_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, gitea_var_run_t, gitea_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an gitea environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`gitea_admin',`
gen_require(`
type gitea_t;
type gitea_log_t;
type gitea_var_lib_t;
type gitea_var_run_t;
')
allow $1 gitea_t:process { signal_perms };
ps_process_pattern($1, gitea_t)
tunable_policy(`deny_ptrace',`',`
allow $1 gitea_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, gitea_log_t)
files_search_var_lib($1)
admin_pattern($1, gitea_var_lib_t)
files_search_pids($1)
admin_pattern($1, gitea_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')