c086cbb5af
* Verify the ID of Forgejo Actions web endpoints belongs to the repository to
prevent the deletion of runners or variables or the modification of
variables
* Enforce permissions on publicly available user or organizations projects to
not leak information from issues and pull requests that belong to private
repositories
* fix(ui): display verified icon for default gpg key
* fix: load settings for valid user and email check
* Teach the doctor to remove orphaned two_factor with forgejo doctor check --run check-db-consistency --fix
* fix: listing tokens must not require basic auth
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=51
42 lines
1.1 KiB
Plaintext
42 lines
1.1 KiB
Plaintext
policy_module(forgejo, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type forgejo_t;
|
|
type forgejo_exec_t;
|
|
init_daemon_domain(forgejo_t, forgejo_exec_t)
|
|
|
|
permissive forgejo_t;
|
|
|
|
type forgejo_log_t;
|
|
logging_log_file(forgejo_log_t)
|
|
|
|
type forgejo_var_lib_t;
|
|
files_type(forgejo_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
# forgejo local policy
|
|
#
|
|
allow forgejo_t self:fifo_file rw_fifo_file_perms;
|
|
allow forgejo_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
|
|
manage_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
|
|
manage_lnk_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
|
|
logging_log_filetrans(forgejo_t, forgejo_log_t, { dir file lnk_file })
|
|
|
|
manage_dirs_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
|
|
manage_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
|
|
manage_lnk_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
|
|
files_var_lib_filetrans(forgejo_t, forgejo_var_lib_t, { dir file lnk_file })
|
|
|
|
domain_use_interactive_fds(forgejo_t)
|
|
|
|
files_read_etc_files(forgejo_t)
|
|
|
|
miscfiles_read_localization(forgejo_t)
|