From: icon@fedoraproject.org (Konstantin Ryabitsev)
Date: Wed, 15 Feb 2012 11:01:33 -0500
Subject: [refpolicy] A few tweaks for the gitolite policy
Message-ID: <1329321693.8039.35.camel@i5.mricon.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi, all:

ADCs are "Admin-defined commands" that come bundled with gitolite.
Though they are normally not packaged, they are part of the gitolite
distribution and are almost always installed by admins:

http://sitaramc.github.com/gitolite/shipped_ADCs.html

It would be welcome if the default gitosis policy allowed them to work.
It already partially supports ADCs by permitting:

    exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)

From my recent experience, it also requires the following:

* managing files in /tmp, as a couple of these ADCs use here-docs
  (bash writes those out into /tmp/sh-thd-{timestamp} and then reads
  them back in)
* ability to execute /usr/bin/gl-* (gitosis_exec_t) -- notably the
  "fork" ADC relies on that.

I don't submit a patch, because I wanted to leave it up to the
maintainer's discretion whether to add support for the default ADCs.

Best,
-- 
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
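
The two requirements listed in the message, written out as a local policy module. This is an added example, not a patch from the poster or from refpolicy; the module name gitosis_adc_local and the type gitosis_tmp_t are assumptions made for illustration, while gitosis_t and gitosis_exec_t are the types named in the message.

```selinux
policy_module(gitosis_adc_local, 1.0.0)

gen_require(`
	type gitosis_t, gitosis_exec_t;
')

# Private type for the ADCs' temporary files (hypothetical name).
# Using a private type keeps gitosis_t away from other domains'
# files labelled with the generic tmp_t.
type gitosis_tmp_t;
files_tmp_file(gitosis_tmp_t)

# bash here-docs: create, write, read back and unlink the
# /tmp/sh-thd-* files. The type transition labels anything
# gitosis_t creates in a tmp_t directory as gitosis_tmp_t.
manage_files_pattern(gitosis_t, gitosis_tmp_t, gitosis_tmp_t)
files_tmp_filetrans(gitosis_t, gitosis_tmp_t, file)

# Run /usr/bin/gl-* (gitosis_exec_t) from within gitosis_t, as the
# "fork" ADC does. can_exec grants execute_no_trans, so the helper
# stays in gitosis_t and gains no additional privileges.
can_exec(gitosis_t, gitosis_exec_t)
```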