From c22e4066a17204133d61a0300584a63d748b470b Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Fri, 11 Jul 2025 05:44:03 -0600
Subject: [PATCH 1/7] gpg_read_files interface

Allow gpg to read files of a specified type

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/apps/gpg.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 8b67b4f476..f60c48559b 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -516,6 +516,25 @@ interface(`gpg_list_user_secrets',`
 userdom_search_user_home_dirs($1)
 ')
+########################################
+##
+## Allow gpg to read a file type.
+##
+##
+##
+## Domain gpg is allowed access to.
+##
+##
+#
+interface(`gpg_read_files',`
+ gen_require(`
+ type gpg_t;
+ ')
+
+ allow gpg_t $1:file read_file_perms;
+ allow gpg_t $1:dir search_dir_perms;
+')
+
 ########################################
 ##
 ## Do not audit attempt to search gpg user secrets dirs.
From 780330127462d08dc5211710713dd025b005c8ac Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Sun, 16 Mar 2025 14:09:29 -0600
Subject: [PATCH 2/7] git: label git-core more reliably

git-core programs are located at /usr/lib/git rather than /usr/libexec/git on some distribution. Label those as well.

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/services/git.fc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 04944aaebf..483dbb948e 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
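Review bot: The parameter summary in the new gpg_read_files interface reads `Domain gpg is allowed access to.`, but `$1` is a file type rather than a domain; `File type that gpg is allowed to read.` describes what the two rules grant. Those two allow rules are exactly the expansion of the support macro, so `read_files_pattern(gpg_t, $1, $1)` would express them in one line in the usual refpolicy shape. Note also that the search permission is granted on `$1` itself, so a caller whose files sit in a directory of a different type still has to give gpg_t search on that parent type; a sentence saying so in the summary would save callers a denial.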
@@ -7,7 +7,9 @@ HOME_DIR/\.git-credentials -- gen_context(system_u:object_r:git_xdg_config_t,s0)
 /usr/bin/git-[^/]+ -- gen_context(system_u:object_r:git_exec_t,s0)
 /usr/bin/git2_cli -- gen_context(system_u:object_r:git_exec_t,s0)
-/usr/lib/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+/usr/lib/git-core/git -- gen_context(system_u:object_r:git_exec_t,s0)
+/usr/lib/git-core/git-[^/]+ -- gen_context(system_u:object_r:git_exec_t,s0)
+/usr/lib/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
 /usr/libexec/git-core/git -- gen_context(system_u:object_r:git_exec_t,s0)
 /usr/libexec/git-core/git-[^/]+ -- gen_context(system_u:object_r:git_exec_t,s0)
From fc9eff3edea7bcb6384122b870bddffe9142b24a Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Sun, 16 Mar 2025 14:10:03 -0600
Subject: [PATCH 3/7] git: more git_xdg_config_t filetrans

Appropriately transition the file types for git_xdg_config_t when a user creates such files.

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/services/git.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 846e0bad76..c1014097a4 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -92,6 +92,7 @@ template(`git_client_role_template',`
 gen_require(`
 attribute git_client_domain;
 type git_exec_t, git_home_t, git_home_hook_t;
+ type git_xdg_config_t;
 ')
 ########################################
@@ -117,6 +118,9 @@ template(`git_client_role_template',`
 allow $2 git_home_hook_t:dir { manage_dir_perms relabel_dir_perms };
 allow $2 git_home_hook_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 filetrans_pattern($2, git_home_t, git_home_hook_t, dir, "hooks")
+ xdg_config_filetrans($2, git_xdg_config_t, dir, "git")
+ userdom_user_home_dir_filetrans($2, git_xdg_config_t, file, ".gitconfig")
+ userdom_user_home_dir_filetrans($2, git_xdg_config_t, file, ".git-credentials")
 allow $3 $1_git_t:process { ptrace signal_perms };
 ps_process_pattern($3, $1_git_t)
From 139cab8e505bedebe82d120c580ef32b0c33c4fb Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Sun, 16 Mar 2025 14:15:41 -0600
Subject: [PATCH 4/7] git: broaden execution permissions

Some git-core programs are shellscript. This allows them to run. Also, allow comands to run in the user domain e.g., the commit log editor.

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/services/git.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index c1014097a4..d2e9d57205 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -131,6 +131,10 @@ template(`git_client_role_template',`
 exec_files_pattern($3, git_home_hook_t, git_home_hook_t)
 # transition back to the user domain when executing git hooks
 domtrans_pattern($1_git_t, git_home_t, $2)
+ # execute shell scripts
+ corecmd_exec_shell($1_git_t)
+ # execute user utilities, e.g., editor
+ corecmd_bin_domtrans($1_git_t, $2)
 # transition to ssh client domain when performing ssh operations
 optional_policy(`
From e9587399d8f99d98ae80d047c0966fc9b1a7f034 Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Fri, 11 Jul 2025 05:04:11 -0600
Subject: [PATCH 5/7] git: allow temporary file creation

git sometimes creates temporary files. This creates new per-user file domains of the form $user_git_tmp_t and automatically transitions to them.
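Review bot: The three new filetrans rules only take effect if `$2` is also allowed to create dirs and files of git_xdg_config_t in the home directory and the XDG config tree; no such allow rule is visible in this hunk and the template body starts outside it, so confirm one exists (along the lines of the git_home_hook_t manage rules just above), otherwise the creation is denied rather than relabeled. Since `.git-credentials` stores credentials in plaintext, labeling it correctly at creation instead of on a later relabel is the valuable part of the change, and a one-line comment above the block, `# label git config and credential files correctly when the user creates them`, would record that intent next to the rules.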
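Review bot: `corecmd_bin_domtrans($1_git_t, $2)` transitions into the full user domain on every bin_t executable git spawns, not only the editor named in the comment, so the confinement of `$1_git_t` covers git itself but none of the system helpers it runs (hooks already transition via the domtrans_pattern line above). If that is the intended design the comment should say so, e.g. `# every system utility git runs (editor, pager, helpers) runs back in the user domain`; if only the editor is meant, gating the transition behind a tunable like the one patch 6 adds for user binaries would keep the default tighter. `corecmd_exec_shell($1_git_t)` is the narrower of the two additions: the interpreter stays inside `$1_git_t`, which is what the shell-script git-core helpers mentioned in the message need.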
Signed-off-by: Antonio Enrico Russo
---
 policy/modules/services/git.if | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index d2e9d57205..12005ecff8 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -127,6 +127,17 @@ template(`git_client_role_template',`
 auth_use_nsswitch($1_git_t)
+ type $1_git_tmp_t;
+ userdom_user_tmp_file($1_git_tmp_t)
+
+ allow $2 $1_git_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 $1_git_tmp_t:file { exec_file_perms manage_file_perms relabel_file_perms };
+ allow $2 $1_git_tmp_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $1_git_t $1_git_tmp_t:dir manage_dir_perms;
+ allow $1_git_t $1_git_tmp_t:file mmap_manage_file_perms;
+ allow $1_git_t $1_git_tmp_t:lnk_file manage_lnk_file_perms;
+ files_tmp_filetrans($1_git_t, $1_git_tmp_t, {dir file})
+
 # allow userdomains to exec git hooks
 exec_files_pattern($3, git_home_hook_t, git_home_hook_t)
 # transition back to the user domain when executing git hooks
From f2f6504ac4f99a602b91c09d41977606be8da685 Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Fri, 11 Jul 2025 05:08:07 -0600
Subject: [PATCH 6/7] git_client_exec_user_bin tunable

git may under some circumstances want to run user binaries (e.g., git-bisect and custom git commands). Add a tunable to allow git to execute such user binaries.

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/services/git.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index b56052a357..7dcc73fb86 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -88,6 +88,14 @@ gen_tunable(git_system_use_nfs, false)
 ##
 gen_tunable(git_client_manage_all_user_home_content, false)
+##
+##
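Review bot: `allow $2 $1_git_tmp_t:file { exec_file_perms manage_file_perms relabel_file_perms };` gives the user domain execute on git's temporary files, which reads as copied from the git_home_hook_t rules rather than required: nothing in this hunk has git or the user execute anything out of `$1_git_tmp_t`. Dropping it, `allow $2 $1_git_tmp_t:file { manage_file_perms relabel_file_perms };`, keeps the temp type non-executable for both domains while still letting the user clean up. The `type $1_git_tmp_t;` declaration is also placed between policy rules; if the template has a declarations section (its start is outside this hunk), the type and the `userdom_user_tmp_file` call belong there, with a short comment such as `# per-user temp files git creates under /tmp` next to them.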

+## Determine whether Git client domains
+## can run user binaries.
+##

+##
+gen_tunable(git_client_exec_user_bin, false)
+
 attribute git_daemon;
 attribute_role git_session_roles;
@@ -347,3 +355,7 @@ tunable_policy(`git_client_manage_all_user_home_content',`
 userdom_manage_all_user_home_content(git_client_domain)
 userdom_map_all_user_home_content_files(git_client_domain)
 ')
+
+tunable_policy(`git_client_exec_user_bin',`
+ userdom_exec_user_bin_files(git_client_domain)
+')
From e4565ac9bfff5aa1a9f6092b4c22131f9f4739c6 Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Fri, 11 Jul 2025 05:10:14 -0600
Subject: [PATCH 7/7] git_client_use_gpg tunable

git calls gpg when signing and validating commits, and needs to communicate with it through temporary files. Add a tunable to allow this domain transition, and for gpg to be able to read these temporary files.

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/services/git.if | 9 +++++++++
 policy/modules/services/git.te | 8 ++++++++
 2 files changed, 17 insertions(+)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 12005ecff8..f6abdafbe6 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -147,6 +147,15 @@ template(`git_client_role_template',`
 # execute user utilities, e.g., editor
 corecmd_bin_domtrans($1_git_t, $2)
+ optional_policy(`
+ tunable_policy(`git_client_use_gpg', `
+ gpg_domtrans($1_git_t)
+ dev_read_urand($1_git_t)
+
+ gpg_read_files($1_git_tmp_t)
+ ')
+ ')
+
 # transition to ssh client domain when performing ssh operations
 optional_policy(`
 ssh_client_domtrans($1_git_t)
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7dcc73fb86..4041bbf0a0 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -96,6 +96,14 @@ gen_tunable(git_client_manage_all_user_home_content, false)
 ##
 gen_tunable(git_client_exec_user_bin, false)
+##
+##
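Review bot: The tunable description in the -88 hunk, `Determine whether Git client domains can run user binaries.`, leaves out the part an administrator needs: the rule it enables in the -347 hunk, `userdom_exec_user_bin_files(git_client_domain)`, is by its name a plain execute with no domain transition, so user binaries such as custom git commands would run inside the git client domain with its permissions (the interface body is not on the page, so confirm that). Saying so, e.g. `Determine whether Git client domains can execute user binaries within the git domain.`, makes the trade-off visible. Together with patch 4's `corecmd_bin_domtrans`, system binaries run as the user while user binaries run as git; a comment above the new tunable_policy block noting that asymmetry is deliberate would help the next reader.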
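Review bot: `dev_read_urand($1_git_t)` sits under the git_client_use_gpg tunable but applies to the git client domain, not to gpg; after `gpg_domtrans($1_git_t)` gpg runs in its own domain and any random-device access it needs belongs in the gpg module, so this line is either unnecessary here or, if git itself reads urandom, belongs outside the tunable. `gpg_read_files($1_git_tmp_t)` is the piece that makes signature verification work and deserves a comment recording why gpg needs it, e.g. `# git passes the data to sign/verify to gpg through files in $1_git_tmp_t`. The enclosing template starts and ends outside this hunk.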

+## Determine whether Git client domains
+## can access gpg.
+##

+##
+gen_tunable(git_client_use_gpg, false)
+
 attribute git_daemon;
 attribute_role git_session_roles;
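Review bot: The new description, `Determine whether Git client domains can access gpg.`, is vaguer than what the tunable enables in git.if: a transition of the client domain into the gpg domain plus gpg read access to the client's temporary files. Spelling that out, e.g. `Determine whether Git client domains may run gpg in the gpg domain and let gpg read their temporary files, as needed for commit signing and verification.`, tells an administrator what the boolean actually opens. The `false` default keeps the transition off until a site needs it, which matches the other git client tunables in this file.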