From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Feb 2012 14:18:01 -0500
Subject: [refpolicy] [PATCH] Allow gitolite to send mail
In-Reply-To: <1329146544.13544.7.camel@i5.mricon.com>
References: <1329146544.13544.7.camel@i5.mricon.com>
Message-ID: <4F43EDE9.2070600@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 2/13/2012 10:22 AM, Konstantin Ryabitsev wrote:
> One of the most commonly used hooks in gitolite is
> the ability to invoke sendmail to send out notifications
> whenever someone commits to a repository. This sets up
> a tunable policy that preserves current behaviour (not
> allowed to send mail) unless gitosis_can_sendmail is set
> to true.
> ---
> gitosis.te | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/gitosis.te b/gitosis.te
> index 8bcd98d..33e6737 100644
> --- a/gitosis.te
> +++ b/gitosis.te
> @@ -39,3 +39,10 @@ files_search_var_lib(gitosis_t)
> miscfiles_read_localization(gitosis_t)
>
> sysnet_read_config(gitosis_t)
> +
> +gen_tunable(gitosis_can_sendmail, false)
> +
> +tunable_policy(`gitosis_can_sendmail',`
> + mta_send_mail(gitosis_t)
> +')
> +

I'm fine with adding the tunable, but I think it should be called gitosis_send_mail. Also, the style needs to be fixed -- the tunable declaration needs to be moved up and XML documented.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
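Review bot: the `gen_tunable(gitosis_can_sendmail, false)` declaration in the gitosis.te hunk is appended after the existing rules at the end of the file and carries no `## <desc>` documentation block, so the tunable will neither appear in the generated policy documentation nor sit in the declarations section where refpolicy keeps tunables; move the declaration above the rules with a `## <desc>` / `## </desc>` comment describing the "allow gitosis to send mail" effect, leaving only the `tunable_policy(...)` block at its current position. The final `+` line after `+')` adds an empty trailing line at end of file and should be dropped. The commit message and subject speak of gitolite while the file, domain and tunable are all gitosis; align the wording with the module name so the boolean's purpose is unambiguous to administrators.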