From 29404e5deeb6e5cb35c55be34fac2bc26f5c59ec Mon Sep 17 00:00:00 2001
From: Maddy
Date: Mon, 20 May 2024 20:51:23 +0200
Subject: [PATCH] Create basic hg policy

---
 policy/modules.conf | 7 +++++
 policy/modules/contrib/hg.fc | 4 +++
 policy/modules/contrib/hg.if | 1 +
 policy/modules/contrib/hg.te | 59 ++++++++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 policy/modules/contrib/hg.fc
 create mode 100644 policy/modules/contrib/hg.if
 create mode 100644 policy/modules/contrib/hg.te

diff --git a/policy/modules.conf b/policy/modules.conf
index 5c6fd8a305..afc1b36950 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -3155,3 +3155,10 @@ nvme_stas = module
 # coreos_installer
 #
 coreos_installer = module
+
+# Layer: contrib
+# Module: hg
+#
+# hg - Mercurial source control management
+#
+hg = module
diff --git a/policy/modules/contrib/hg.fc b/policy/modules/contrib/hg.fc
new file mode 100644
index 0000000000..380ca09b97
--- /dev/null
+++ b/policy/modules/contrib/hg.fc
@@ -0,0 +1,4 @@
+/var/lib/hg(/.*)? gen_context(system_u:object_r:hg_content_t,s0)
+/var/www/hg(/.*)? gen_context(system_u:object_r:hg_content_t,s0)
+
+/var/www/cgi-bin/hgweb.* -- gen_context(system_u:object_r:hg_script_exec_t,s0)
diff --git a/policy/modules/contrib/hg.if b/policy/modules/contrib/hg.if
new file mode 100644
index 0000000000..889987bdbd
--- /dev/null
+++ b/policy/modules/contrib/hg.if
@@ -0,0 +1 @@
+## Mercurial source control management
diff --git a/policy/modules/contrib/hg.te b/policy/modules/contrib/hg.te
new file mode 100644
index 0000000000..2a03922468
--- /dev/null
+++ b/policy/modules/contrib/hg.te
@@ -0,0 +1,59 @@
+policy_module(hg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
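Review bot: The `/var/www/cgi-bin/hgweb.*` entry in hg.fc has an unescaped `.`, so it labels every regular file whose name merely starts with `hgweb`, including an `hgweb.config` placed next to the CGI script (a layout that is commonly used); that config would then carry hg_script_exec_t, an entrypoint type, rather than a content type. A tighter pattern is `/var/www/cgi-bin/hgweb\.(cgi|wsgi) -- gen_context(system_u:object_r:hg_script_exec_t,s0)`. Separately, nothing in this patch labels anything hg_content_rw_t, so repositories under /var/lib/hg and /var/www/hg are read-only to the CGI domain; if that is the intent (no HTTP push), a one-line comment in hg.fc saying so would save the next maintainer a trip through the audit log.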

+## Determine whether Mercurial CGI
+## can access cifs file systems.
+##

+##
+gen_tunable(hg_cgi_use_cifs, false)
+
+##
+##

+## Determine whether Mercurial CGI
+## can access nfs file systems.
+##

+##
+gen_tunable(hg_cgi_use_nfs, false)
+
+########################################
+#
+# CGI policy
+#
+
+optional_policy(`
+ apache_content_template(hg)
+ apache_content_alias_template(hg, hg)
+
+ list_dirs_pattern(hg_script_t, hg_content_t, hg_content_t)
+ read_files_pattern(hg_script_t, hg_content_t, hg_content_t)
+
+ auth_use_nsswitch(hg_script_t)
+
+ dev_read_sysfs(hg_script_t)
+
+ kernel_dgram_send(hg_script_t)
+ optional_policy(`
+ abrt_stream_connect(hg_script_t)
+ logging_write_syslog_pid_socket(hg_script_t)
+ ')
+
+ tunable_policy(`hg_cgi_use_cifs',`
+ fs_getattr_cifs(hg_script_t)
+ fs_read_cifs_files(hg_script_t)
+ ',`
+ fs_dontaudit_read_cifs_files(hg_script_t)
+ ')
+
+ tunable_policy(`hg_cgi_use_nfs',`
+ fs_getattr_nfs(hg_script_t)
+ fs_read_nfs_files(hg_script_t)
+ ',`
+ fs_dontaudit_read_nfs_files(hg_script_t)
+ ')
+')
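Review bot: hg_script_t is granted only `list_dirs_pattern` and `read_files_pattern` on hg_content_t, with no lnk_file read, so a repository reached through a symlink (for example a collection path under /var/www/hg pointing into /var/lib/hg, both labeled hg_content_t by hg.fc) fails at the first getattr/read on the link unless apache_content_template already grants it, which is not visible here; adding `read_lnk_files_pattern(hg_script_t, hg_content_t, hg_content_t)` next to the two existing pattern calls covers it. Mercurial also tends to refresh per-repository caches (`.hg/cache`, `.hg/wcache`) while serving read-only requests, which on hg_content_t will be denied — harmless to hg but noisy in the audit log — so either document that those directories should carry hg_content_rw_t or add a dontaudit once the denials are confirmed in permissive mode. Finally, `logging_write_syslog_pid_socket(hg_script_t)` sits inside the abrt `optional_policy` block, so it is dropped entirely whenever the abrt module is absent; if that is deliberate (only abrt's exception hook needs syslog), a comment such as `# syslog access is only for abrt's python hook` would make the coupling intentional rather than accidental.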