## <summary>GIT revision control system.</summary>

########################################
## <summary>
##	Role access for Git session.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
template(`git_role',`
	gen_require(`
		type git_session_t, gitd_exec_t, git_user_content_t;
	')

	########################################
	#
	# Declarations
	#

	role $1 types git_session_t;

	########################################
	#
	# Policy
	#

	manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
	relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)

	exec_files_pattern($2, git_user_content_t, git_user_content_t)
	manage_files_pattern($2, git_user_content_t, git_user_content_t)
	relabel_files_pattern($2, git_user_content_t, git_user_content_t)

	allow $2 git_session_t:process { ptrace signal_perms };
	ps_process_pattern($2, git_session_t)

	tunable_policy(`git_session_users',`
		domtrans_pattern($2, gitd_exec_t, git_session_t)
	',`
		can_exec($2, gitd_exec_t)
	')
')