| author | Patrick Uiterwijk <puiterwijk@redhat.com> | 2015-06-05 09:02:09 +0000 |
|---|---|---|
| committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2015-06-05 09:02:28 +0000 |
| commit | 4b22cd9f2a7fa0a740a0defa2f3b2cdb62dc1cd3 (patch) | |
| tree | ff5b962595ef175ecb932d3c693e0e7752651cb4 /roles/distgit | |
| parent | 37a27645fc3535ae31d46a001b214eba80e9cbf2 (diff) | |
Update upload_cgi and add cgi-nfs for pkgs
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'roles/distgit')
| -rw-r--r-- | roles/distgit/files/cgi-nfs.pp | bin | 0 -> 62147 bytes | |||
| -rw-r--r-- | roles/distgit/files/cgi-nfs.te | 23 | ||||
| -rw-r--r-- | roles/distgit/files/upload_cgi.pp | bin | 65065 -> 64965 bytes | |||
| -rw-r--r-- | roles/distgit/files/upload_cgi.te | 9 | ||||
| -rw-r--r-- | roles/distgit/tasks/main.yml | 7 |
5 files changed, 33 insertions, 6 deletions
diff --git a/roles/distgit/files/cgi-nfs.pp b/roles/distgit/files/cgi-nfs.pp
Binary files differ
new file mode 100644
index 000000000..a0df2cccc
--- /dev/null
+++ b/roles/distgit/files/cgi-nfs.pp
diff --git a/roles/distgit/files/cgi-nfs.te b/roles/distgit/files/cgi-nfs.te
new file mode 100644
index 000000000..5ba0dfe4f
--- /dev/null
+++ b/roles/distgit/files/cgi-nfs.te
@@ -0,0 +1,23 @@
+policy_module(nfscgi, 1.0.0)
+
+require {
+ type httpd_git_script_t;
+ type git_script_t;
+ type git_system_t;
+ type httpd_git_content_t;
+ type nfs_t;
+ class dir { create write search add_name remove_name getattr open };
+ class file { create write rename setattr read open };
+}
+
+
+allow git_system_t httpd_git_content_t:dir { getattr read open };
+allow git_system_t httpd_git_content_t:file { read open getattr };
+
+
+
+allow httpd_git_script_t nfs_t:dir { write };
+allow git_system_t httpd_git_content_t:dir { search };
+allow httpd_git_script_t nfs_t:dir { create write add_name remove_name };
+allow httpd_git_script_t nfs_t:file { create write rename setattr };
+allow git_script_t nfs_t:file { unlink link };
diff --git a/roles/distgit/files/upload_cgi.pp b/roles/distgit/files/upload_cgi.pp
Binary files differ
index cec221582..9091f9266 100644
--- a/roles/distgit/files/upload_cgi.pp
+++ b/roles/distgit/files/upload_cgi.pp
diff --git a/roles/distgit/files/upload_cgi.te b/roles/distgit/files/upload_cgi.te
index ea41d8063..f9ba1f339 100644
--- a/roles/distgit/files/upload_cgi.te
+++ b/roles/distgit/files/upload_cgi.te
@@ -1,11 +1,11 @@
-policy_module(upload_cgi,1.1.0)
+policy_module(upload_cgi,1.2.0)
 require {
 type httpd_git_script_t;
 type git_script_tmp_t;
- type git_script_t;
- type nfs_t;
+ type git_script_t;
+ type nfs_t;
 }
 files_tmp_file(git_script_tmp_t)
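Review bot: The `allow httpd_git_script_t nfs_t:dir/file` rules and the moved `allow git_script_t nfs_t:file { unlink link }` grant the CGI domains create, write, rename and unlink on the generic `nfs_t` type, which labels every NFS mount on the host rather than only the pkgs upload tree; if that export can carry its own type the rules should be confined to it, and if it cannot, the reason belongs in the file, e.g. `# upload.cgi (httpd_git_script_t) must create/rename files in the NFS-backed pkgs tree, which is labelled nfs_t`. The line `allow httpd_git_script_t nfs_t:dir { write };` is fully covered by the later `{ create write add_name remove_name }` rule and can be dropped. The `require` block lists neither `read` for `class dir` nor `getattr`, `unlink` or `link` for `class file` although the allow rules use them; this is harmless when the module is built against the refpolicy headers via `policy_module`, but the lists are misleading as written and should either be completed or removed. The module declares itself as `nfscgi` while the source, the installed `.pp` and the Ansible task all say `cgi-nfs`, so `semodule -l`/`-r` will show a name that does not match the file; aligning the two avoids confusion during incident response.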
@@ -27,6 +27,3 @@ term_getattr_all_ptys(httpd_git_script_t);
 term_getattr_all_ttys(httpd_git_script_t);
 # Do not audit attempts to get the attributes of generic pty devices.
 term_dontaudit_getattr_generic_ptys(httpd_git_script_t);
-
-# Allow upload.cgi to make link on nfs
-allow git_script_t nfs_t:file { unlink link };
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 8a213060a..bc5b6fc5e 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -328,3 +328,10 @@ command: semodule -i /usr/local/share/selinux/upload_cgi.pp
 when: selinux_module|changed
+- name: copy over our custom nfs selinux policy
+ copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
+ register: nfs_selinux_module
+
+- name: install our custom nfs selinux policy
+ command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
+ when: nfs_selinux_module|changed
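Review bot: The new copy task ships a precompiled `cgi-nfs.pp` from the role while the readable `cgi-nfs.te` sits beside it, and nothing in the role ties the two together; the same gap applies to `upload_cgi.pp`, whose `.te` is also edited in this commit. Since a binary policy module cannot be reviewed in a diff, either build it on the host from the `.te` (the refpolicy devel Makefile) or add a comment on the copy task such as `# cgi-nfs.pp is compiled from files/cgi-nfs.te; rebuild and recommit both whenever the .te changes` so reviewers know the source is authoritative. The install task mirrors the existing upload_cgi pair (copy, register, `semodule -i` guarded by `|changed`), which is consistent, but a one-line note that `semodule -i` replaces any already-loaded module of the same name would help whoever has to roll it back.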
