Create basic hg policy

policy/modules/contrib/hg.fc

@@ -0,0 +1,4 @@
+/var/lib/hg(/.*)?	gen_context(system_u:object_r:hg_content_t,s0)
+/var/www/hg(/.*)?	gen_context(system_u:object_r:hg_content_t,s0)
+
+/var/www/cgi-bin/hgweb.*	--	gen_context(system_u:object_r:hg_script_exec_t,s0)

policy/modules/contrib/hg.if

@@ -0,0 +1 @@
+## <summary>Mercurial source control management</summary>

policy/modules/contrib/hg.te

@@ -0,0 +1,65 @@
+policy_module(hg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Mercurial CGI
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(hg_cgi_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Mercurial CGI
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(hg_cgi_use_nfs, false)
+
+apache_content_template(hg)
+apache_content_alias_template(hg, hg)
+
+########################################
+#
+# CGI policy
+#
+
+list_dirs_pattern(hg_script_t, hg_content_t, hg_content_t)
+read_files_pattern(hg_script_t, hg_content_t, hg_content_t)
+
+auth_use_nsswitch(hg_script_t)
+
+gen_require(`
+	type httpd_config_t;
+	type httpd_sys_script_exec_t;
+')
+list_dirs_pattern(hg_script_t, httpd_config_t, httpd_sys_script_exec_t)
+
+dev_read_sysfs(hg_script_t)
+
+kernel_dgram_send(hg_script_t)
+abrt_stream_connect(hg_script_t)
+optional_policy(`
+	logging_write_syslog_pid_socket(hg_script_t)
+')
+
+tunable_policy(`hg_cgi_use_cifs',`
+	fs_getattr_cifs(hg_script_t)
+	fs_list_cifs(hg_script_t)
+	fs_read_cifs_files(hg_script_t)
+',`
+	fs_dontaudit_read_cifs_files(hg_script_t)
+')
+
+tunable_policy(`hg_cgi_use_nfs',`
+	fs_getattr_nfs(hg_script_t)
+	fs_list_nfs(hg_script_t)
+	fs_read_nfs_files(hg_script_t)
+',`
+	fs_dontaudit_read_nfs_files(hg_script_t)
+')