Create basic hg policy

policy/modules.conf

@@ -3155,3 +3155,10 @@ nvme_stas = module
 # coreos_installer
 #
 coreos_installer = module
+
+# Layer: contrib
+# Module: hg
+#
+#  hg - Mercurial source control management
+#
+hg = module

policy/modules/contrib/hg.fc

@@ -0,0 +1,4 @@
+/var/lib/hg(/.*)?	gen_context(system_u:object_r:hg_content_t,s0)
+/var/www/hg(/.*)?	gen_context(system_u:object_r:hg_content_t,s0)
+
+/var/www/cgi-bin/hgweb.*	--	gen_context(system_u:object_r:hg_script_exec_t,s0)

policy/modules/contrib/hg.if

@@ -0,0 +1 @@
+## <summary>Mercurial source control management</summary>

policy/modules/contrib/hg.te

@@ -0,0 +1,59 @@
+policy_module(hg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Mercurial CGI
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(hg_cgi_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Mercurial CGI
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(hg_cgi_use_nfs, false)
+
+########################################
+#
+# CGI policy
+#
+
+optional_policy(`
+	apache_content_template(hg)
+	apache_content_alias_template(hg, hg)
+
+	list_dirs_pattern(hg_script_t, hg_content_t, hg_content_t)
+	read_files_pattern(hg_script_t, hg_content_t, hg_content_t)
+
+	auth_use_nsswitch(hg_script_t)
+
+	dev_read_sysfs(hg_script_t)
+
+	kernel_dgram_send(hg_script_t)
+	optional_policy(`
+		abrt_stream_connect(hg_script_t)
+		logging_write_syslog_pid_socket(hg_script_t)
+	')
+
+	tunable_policy(`hg_cgi_use_cifs',`
+		fs_getattr_cifs(hg_script_t)
+		fs_read_cifs_files(hg_script_t)
+	',`
+		fs_dontaudit_read_cifs_files(hg_script_t)
+	')
+
+	tunable_policy(`hg_cgi_use_nfs',`
+		fs_getattr_nfs(hg_script_t)
+		fs_read_nfs_files(hg_script_t)
+	',`
+		fs_dontaudit_read_nfs_files(hg_script_t)
+	')
+')