Hello:

Looking at the gitolite policy (still called gitosis in refpolicy), it would appear that it needs mta_send_mail(gitosis_t), otherwise the very common "mail this to a list" hook doesn't work. Should I file a bug for this?

Best,
-- 
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
From 7d315a3faa54b2de50a89989a189f4946da89599 Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev <mricon@xxxxxxxxxx> Date: Mon, 13 Feb 2012 09:54:22 -0500 Subject: [PATCH] Allow gitolite to send mail One of the most commonly used hooks in gitolite is the ability to invoke sendmail to send out notifications whenever someone commits to a repository. This sets up a tunable policy that preserves current behaviour (not allowed to send mail) unless gitosis_can_sendmail is set to true. --- gitosis.te | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/gitosis.te b/gitosis.te index 8bcd98d..33e6737 100644 --- a/gitosis.te +++ b/gitosis.te @@ -39,3 +39,10 @@ files_search_var_lib(gitosis_t) miscfiles_read_localization(gitosis_t) sysnet_read_config(gitosis_t) + +gen_tunable(gitosis_can_sendmail, false) + +tunable_policy(`gitosis_can_sendmail',` + mta_send_mail(gitosis_t) +') + -- 1.7.7.6
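Review bot: the new gen_tunable(gitosis_can_sendmail, false) in gitosis.te has no documentation. Refpolicy tunables normally carry a "## <desc>" comment block directly above the gen_tunable line, which is where the boolean's description shown to administrators comes from. Suggest adding one that says the boolean lets gitosis_t send mail and mentions gitolite, since the subject talks about gitolite while the boolean keeps the gitosis name. The declaration is also appended after the policy rules (below sysnet_read_config(gitosis_t)); it would read better next to the other declarations at the top of the file. Two smaller points on the same hunk: mta_send_mail() is provided by the mta module, so consider placing the tunable_policy block inside optional_policy so gitosis.te still builds where mta is not present, and the trailing empty "+" line after the closing "')" can be dropped.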
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux