## <summary>Fast Version Control System.</summary>

## <desc>

##	

##		A really simple TCP git daemon that normally listens on

##		port DEFAULT_GIT_PORT aka 9418. It waits for a

##		connection asking for a service, and will serve that

##		service if it is enabled.

##	

## </desc>

#######################################

## <summary>

##	Role access for Git daemon session.

## </summary>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <param name="domain">

##	<summary>

##	User domain for the role.

##	</summary>

## </param>

#

interface(`git_session_role',`

	gen_require(`

		type git_session_t, gitd_exec_t;

		type git_session_content_t;

	')

	########################################

	#

	# Git daemon session shared declarations.

	#

	role $1 types git_session_t;

	########################################

	#

	# Git daemon session shared policy.

	#

	domtrans_pattern($2, gitd_exec_t, git_session_t)

	allow $2 git_session_t:process { ptrace signal_perms };

	ps_process_pattern($2, git_session_t)

')

########################################

## <summary>

##	Create a set of derived types for Git

##	daemon shared repository content.

## </summary>

## <param name="prefix">

##	<summary>

##	The prefix to be used for deriving type names.

##	</summary>

## </param>

#

template(`git_content_template',`

	gen_require(`

		attribute git_system_content;

		attribute git_content;

	')

	########################################

	#

	# Git daemon content shared declarations.

	#

	type git_$1_content_t, git_system_content, git_content;

	files_type(git_$1_content_t)

')

########################################

## <summary>

##	Create a set of derived types for Git

##	daemon shared repository roles.

## </summary>

## <param name="prefix">

##	<summary>

##	The prefix to be used for deriving type names.

##	</summary>

## </param>

#

template(`git_role_template',`

	gen_require(`

		class context contains;

		role system_r;

	')

	########################################

	#

	# Git daemon role shared declarations.

	#

	attribute $1_usertype;

	type $1_t;

	userdom_unpriv_usertype($1, $1_t)

	domain_type($1_t)

	role $1_r types $1_t;

	allow system_r $1_r;

	########################################

	#

	# Git daemon role shared policy.

	#

	allow $1_t self:context contains;

	allow $1_t self:fifo_file rw_fifo_file_perms;

	corecmd_exec_bin($1_t)

	corecmd_bin_entry_type($1_t)

	corecmd_shell_entry_type($1_t)

	domain_interactive_fd($1_t)

	domain_user_exemption_target($1_t)

	kernel_read_system_state($1_t)

	files_read_etc_files($1_t)

	files_dontaudit_search_home($1_t)

	miscfiles_read_localization($1_t)

	git_rwx_generic_system_content($1_t)

	ssh_rw_stream_sockets($1_t)

	tunable_policy(`git_system_use_cifs',`

		fs_exec_cifs_files($1_t)

		fs_manage_cifs_dirs($1_t)

		fs_manage_cifs_files($1_t)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_exec_nfs_files($1_t)

		fs_manage_nfs_dirs($1_t)

		fs_manage_nfs_files($1_t)

	')

	optional_policy(`

		nscd_read_pid($1_t)

	')

')

#######################################

## <summary>

##	Allow specified domain access to the

##	specified Git daemon content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <param name="object">

##	<summary>

##	Type of the object that access is allowed to.

##	</summary>

## </param>

#

interface(`git_content_delegation',`

	gen_require(`

		type $1, $2;

	')

	exec_files_pattern($1, $2, $2)

	manage_dirs_pattern($1, $2, $2)

	manage_files_pattern($1, $2, $2)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`

		fs_exec_cifs_files($1)

		fs_manage_cifs_dirs($1)

		fs_manage_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_exec_nfs_files($1)

		fs_manage_nfs_dirs($1)

		fs_manage_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to manage

##	and execute all Git daemon content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_rwx_all_content',`

	gen_require(`

		attribute git_content;

	')

	exec_files_pattern($1, git_content, git_content)

	manage_dirs_pattern($1, git_content, git_content)

	manage_files_pattern($1, git_content, git_content)

	userdom_search_user_home_dirs($1)

	files_search_var_lib($1)

	tunable_policy(`use_nfs_home_dirs',`

		fs_exec_nfs_files($1)

		fs_manage_nfs_dirs($1)

		fs_manage_nfs_files($1)

	')

	tunable_policy(`use_samba_home_dirs',`

		fs_exec_cifs_files($1)

		fs_manage_cifs_dirs($1)

		fs_manage_cifs_files($1)

	')

	tunable_policy(`git_system_use_cifs',`

		fs_exec_cifs_files($1)

		fs_manage_cifs_dirs($1)

		fs_manage_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_exec_nfs_files($1)

		fs_manage_nfs_dirs($1)

		fs_manage_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to manage

##	and execute all Git daemon system content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_rwx_all_system_content',`

	gen_require(`

		attribute git_system_content;

	')

	exec_files_pattern($1, git_system_content, git_system_content)

	manage_dirs_pattern($1, git_system_content, git_system_content)

	manage_files_pattern($1, git_system_content, git_system_content)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`

		fs_exec_cifs_files($1)

		fs_manage_cifs_dirs($1)

		fs_manage_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_exec_nfs_files($1)

		fs_manage_nfs_dirs($1)

		fs_manage_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to manage

##	and execute Git daemon generic system content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_rwx_generic_system_content',`

	gen_require(`

		type git_system_content_t;

	')

	exec_files_pattern($1, git_system_content_t, git_system_content_t)

	manage_dirs_pattern($1, git_system_content_t, git_system_content_t)

	manage_files_pattern($1, git_system_content_t, git_system_content_t)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`

		fs_exec_cifs_files($1)

		fs_manage_cifs_dirs($1)

		fs_manage_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_exec_nfs_files($1)

		fs_manage_nfs_dirs($1)

		fs_manage_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to read

##	all Git daemon content files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_read_all_content_files',`

	gen_require(`

		attribute git_content;

	')

	list_dirs_pattern($1, git_content, git_content)

	read_files_pattern($1, git_content, git_content)

	userdom_search_user_home_dirs($1)

	files_search_var_lib($1)

	tunable_policy(`use_nfs_home_dirs',`

		fs_list_nfs($1)

		fs_read_nfs_files($1)

	')

	tunable_policy(`use_samba_home_dirs',`

		fs_list_cifs($1)

		fs_read_cifs_files($1)

	')

	tunable_policy(`git_system_use_cifs',`

		fs_list_cifs($1)

		fs_read_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_list_nfs($1)

		fs_read_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to read

##	Git daemon session content files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_read_session_content_files',`

	gen_require(`

		type git_session_content_t;

	')

	list_dirs_pattern($1, git_session_content_t, git_session_content_t)

	read_files_pattern($1, git_session_content_t, git_session_content_t)

	userdom_search_user_home_dirs($1)

	tunable_policy(`use_nfs_home_dirs',`

		fs_list_nfs($1)

		fs_read_nfs_files($1)

	')

	tunable_policy(`use_samba_home_dirs',`

		fs_list_cifs($1)

		fs_read_cifs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to read

##	all Git daemon system content files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_read_all_system_content_files',`

	gen_require(`

		attribute git_system_content;

	')

	list_dirs_pattern($1, git_system_content, git_system_content)

	read_files_pattern($1, git_system_content, git_system_content)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`

		fs_list_cifs($1)

		fs_read_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_list_nfs($1)

		fs_read_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to read

##	Git daemon generic system content files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_read_generic_system_content_files',`

	gen_require(`

		type git_system_content_t;

	')

	list_dirs_pattern($1, git_system_content_t, git_system_content_t)

	read_files_pattern($1, git_system_content_t, git_system_content_t)

	files_search_var_lib($1)

	tunable_policy(`git_system_use_cifs',`

		fs_list_cifs($1)

		fs_read_cifs_files($1)

	')

	tunable_policy(`git_system_use_nfs',`

		fs_list_nfs($1)

		fs_read_nfs_files($1)

	')

')

########################################

## <summary>

##	Allow the specified domain to relabel

##	all Git daemon content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_relabel_all_content',`

	gen_require(`

		attribute git_content;

	')

	relabel_dirs_pattern($1, git_content, git_content)

	relabel_files_pattern($1, git_content, git_content)

	userdom_search_user_home_dirs($1)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Allow the specified domain to relabel

##	all Git daemon system content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_relabel_all_system_content',`

	gen_require(`

		attribute git_system_content;

	')

	relabel_dirs_pattern($1, git_system_content, git_system_content)

	relabel_files_pattern($1, git_system_content, git_system_content)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Allow the specified domain to relabel

##	Git daemon generic system content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_relabel_generic_system_content',`

	gen_require(`

		type git_system_content_t;

	')

	relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)

	relabel_files_pattern($1, git_system_content_t, git_system_content_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Allow the specified domain to relabel

##	Git daemon session content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`git_relabel_session_content',`

	gen_require(`

		type git_session_content_t;

	')

	relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)

	relabel_files_pattern($1, git_session_content_t, git_session_content_t)

	userdom_search_user_home_dirs($1)

')