From 32cc1fa16c4869f92a9c463e656be91b3b2ccc2d Mon Sep 17 00:00:00 2001
From: Macartur Sousa
Date: Wed, 15 Apr 2015 17:35:09 -0300
Subject: [PATCH] Added Selinux permissions to allow key deploy
---
 cookbooks/gitlab/files/gitlab.te | 11 +++++++++++
 cookbooks/gitlab/files/nginx.te | 12 ++++++++++++
 cookbooks/gitlab/recipes/default.rb | 27 +++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 0 deletions(-)
 create mode 100644 cookbooks/gitlab/files/gitlab.te
 create mode 100644 cookbooks/gitlab/files/nginx.te
diff --git a/cookbooks/gitlab/files/gitlab.te b/cookbooks/gitlab/files/gitlab.te
new file mode 100644
index 0000000..989cdd1
--- /dev/null
+++ b/cookbooks/gitlab/files/gitlab.te
@@ -0,0 +1,11 @@
+
+module gitlab 1.0;
+
+require {
+ type initrc_tmp_t;
+ type ssh_keygen_t;
+ class file open;
+}
+
+#============= ssh_keygen_t ==============
+allow ssh_keygen_t initrc_tmp_t:file open;
diff --git a/cookbooks/gitlab/files/nginx.te b/cookbooks/gitlab/files/nginx.te
new file mode 100644
index 0000000..d17e1af
--- /dev/null
+++ b/cookbooks/gitlab/files/nginx.te
@@ -0,0 +1,12 @@
+
+module nginx 1.0;
+
+require {
+ type httpd_t;
+ type unreserved_port_t;
+ class tcp_socket name_connect;
+}
+
+#============= httpd_t ==============
+allow httpd_t unreserved_port_t:tcp_socket name_connect;
+allow httpd_t http_cache_port_t:tcp_socket name_connect;
diff --git a/cookbooks/gitlab/recipes/default.rb b/cookbooks/gitlab/recipes/default.rb
index a5be042..065124b
--- a/cookbooks/gitlab/recipes/default.rb
+++ b/cookbooks/gitlab/recipes/default.rb
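Review bot: The single `allow ssh_keygen_t initrc_tmp_t:file open;` rule at the end of the gitlab.te hunk grants only the `open` permission, and the `#=============` header suggests it was generated from one audit2allow pass; an `open` on a file is normally followed by `read` (or `write`), so the next converge is likely to hit a fresh AVC denial and the module will need regenerating. If ssh-keygen genuinely reads the deployed key here, the rule probably needs to be `allow ssh_keygen_t initrc_tmp_t:file { open read getattr };` — confirm against the full denial set rather than the first entry. Separately, initrc_tmp_t covers temporary files created by any init script in a shared, world-writable /tmp, which is a weak place to stage key material; a purpose-specific directory with its own label would scope the exemption to the deploy path only. A one-line header comment naming the key-deploy step that triggers the denial would let a later maintainer judge whether the rule can be removed.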
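Review bot: `http_cache_port_t` is used in the last `allow` rule of nginx.te but is not declared in the `require { ... }` block, unlike the other two types, so `checkmodule` will reject this module and the `execute[selinux-nginx]` step that installs it will fail; add `type http_cache_port_t;` next to `type unreserved_port_t;`. The first rule, `allow httpd_t unreserved_port_t:tcp_socket name_connect;`, lets nginx open outbound TCP connections to every unreserved port rather than just the GitLab upstream, which is far broader than the recipe comment describes. If the upstream listens on a fixed port, labelling only that port (e.g. with `semanage port`) and allowing the matching type, or enabling the `httpd_can_network_relay` boolean, would give the same functionality with a much smaller surface; the hunk does not show which port is used, so the right type has to be confirmed on the host.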
@@ -78,3 +78,30 @@ service 'gitlab' do
 action :enable
 supports :restart => true
 end
+
+
+####################################################
+# SELinux: allow gitlab to use '/tmp'
+####################################################
+
+cookbook_file '/etc/selinux/local/gitlab.te' do
+ notifies :run, 'execute[selinux-gitlab]'
+end
+execute 'selinux-gitlab' do
+ command 'selinux-install-module /etc/selinux/local/gitlab.te'
+ action :nothing
+end
+
+
+####################################################
+# SELinux: allow nginx to use gitlab upstream
+####################################################
+
+cookbook_file '/etc/selinux/local/nginx.te' do
+ notifies :run, 'execute[selinux-nginx]'
+end
+execute 'selinux-nginx' do
+ command 'selinux-install-module /etc/selinux/local/nginx.te'
+ action :nothing
+end
+
--
libgit2 0.21.2
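Review bot: Both `cookbook_file '/etc/selinux/local/...'` resources write into `/etc/selinux/local`, but nothing in the hunk creates that directory and Chef's `cookbook_file` does not create missing parents, so the first converge on a fresh host fails unless the directory is created elsewhere in the recipe (not visible here); a `directory '/etc/selinux/local'` resource before the first `cookbook_file` would close that gap. The policy sources also take default ownership and mode; since they are root-installed inputs to the policy build, `owner 'root'`, `group 'root'` and `mode '0644'` should be stated explicitly. `selinux-install-module` is not a stock SELinux utility, so the recipe presumably relies on another resource or cookbook to provide it — a comment naming where it comes from, or an explicit resource for it, would make that dependency visible. The header comment `# SELinux: allow gitlab to use '/tmp'` does not describe what gitlab.te actually grants (ssh_keygen_t opening initrc_tmp_t files); rewording it to `# SELinux: allow ssh-keygen to open init-script temp files (initrc_tmp_t) during key deploy` keeps the recipe honest about the exemption it installs.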