radicale add missing source files
Signed-off-by: webbuilder_pel7x64builder0 <webbuilder@powerel.org>master
webbuilder_pel7x64builder0
parent
533ff1e855
commit
03fde148fb
|
|
@ -0,0 +1,13 @@
|
|||
/usr/bin/radicale -- gen_context(system_u:object_r:radicale_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/radicale.service -- gen_context(system_u:object_r:radicale_unit_file_t,s0)
|
||||
|
||||
/var/lib/radicale(/.*)? gen_context(system_u:object_r:radicale_var_lib_t,s0)
|
||||
|
||||
/var/log/radicale(/.*)? gen_context(system_u:object_r:radicale_log_t,s0)
|
||||
|
||||
/var/run/radicale(/.*)? gen_context(system_u:object_r:radicale_var_run_t,s0)
|
||||
|
||||
/etc/radicale(/.*)? gen_context(system_u:object_r:radicale_etc_t,s0)
|
||||
|
||||
#portcon tcp 5232 gen_context(system_u:object_r:radicale_port_t,s0)
|
||||
|
|
@ -0,0 +1,265 @@
|
|||
|
||||
## <summary>policy for radicale</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute TEMPLATE in the radicale domin.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_domtrans',`
|
||||
gen_require(`
|
||||
type radicale_t, radicale_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, radicale_exec_t, radicale_t)
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Read radicale's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`radicale_read_log',`
|
||||
gen_require(`
|
||||
type radicale_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
read_files_pattern($1, radicale_log_t, radicale_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to radicale log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_append_log',`
|
||||
gen_require(`
|
||||
type radicale_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
append_files_pattern($1, radicale_log_t, radicale_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage radicale log files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_manage_log',`
|
||||
gen_require(`
|
||||
type radicale_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
manage_dirs_pattern($1, radicale_log_t, radicale_log_t)
|
||||
manage_files_pattern($1, radicale_log_t, radicale_log_t)
|
||||
manage_lnk_files_pattern($1, radicale_log_t, radicale_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search radicale lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_search_lib',`
|
||||
gen_require(`
|
||||
type radicale_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 radicale_var_lib_t:dir search_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read radicale lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_read_lib_files',`
|
||||
gen_require(`
|
||||
type radicale_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, radicale_var_lib_t, radicale_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage radicale lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_manage_lib_files',`
|
||||
gen_require(`
|
||||
type radicale_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, radicale_var_lib_t, radicale_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage radicale lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_manage_lib_dirs',`
|
||||
gen_require(`
|
||||
type radicale_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_dirs_pattern($1, radicale_var_lib_t, radicale_var_lib_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Read radicale pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_read_pid_files',`
|
||||
gen_require(`
|
||||
type radicale_var_run_t;
|
||||
')
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, radicale_var_run_t, radicale_var_run_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Search radicale pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`radicale_search_pid_files',`
|
||||
gen_require(`
|
||||
type radicale_var_run_t;
|
||||
')
|
||||
files_search_pids($1)
|
||||
search_dirs_pattern($1, radicale_var_run_t, radicale_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute radicale server in the radicale domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`radicale_systemctl',`
|
||||
gen_require(`
|
||||
type radicale_t;
|
||||
type radicale_unit_file_t;
|
||||
')
|
||||
|
||||
systemd_exec_systemctl($1)
|
||||
systemd_read_fifo_file_password_run($1)
|
||||
allow $1 radicale_unit_file_t:file read_file_perms;
|
||||
allow $1 radicale_unit_file_t:service manage_service_perms;
|
||||
|
||||
ps_process_pattern($1, radicale_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an radicale environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`radicale_admin',`
|
||||
gen_require(`
|
||||
type radicale_t;
|
||||
type radicale_log_t;
|
||||
type radicale_var_lib_t;
|
||||
type radicale_var_run_t;
|
||||
type radicale_unit_file_t;
|
||||
')
|
||||
|
||||
allow $1 radicale_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, radicale_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, radicale_log_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, radicale_var_lib_t)
|
||||
|
||||
radicale_search_pid_files($1)
|
||||
radicale_read_pid_files($1)
|
||||
|
||||
radicale_systemctl($1)
|
||||
admin_pattern($1, radicale_unit_file_t)
|
||||
allow $1 radicale_unit_file_t:service all_service_perms;
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
[Unit]
|
||||
Description=Radicale CalDAV and CardDAV server
|
||||
Documentation=http://radicale.org/documentation/
|
||||
After=network-online.target
|
||||
Requires=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
WorkingDirectory=/var/lib/radicale
|
||||
User=radicale
|
||||
Group=radicale
|
||||
UMask=0027
|
||||
PIDFile=/var/run/radicale/radicale.pid
|
||||
ExecStart=/usr/bin/radicale --daemon --pid=/var/run/radicale/radicale.pid
|
||||
PrivateTmp=true
|
||||
CapabilityBoundingSet=
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
Restart=on-abnormal
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -0,0 +1,92 @@
|
|||
policy_module(radicale, 1.0.8)
|
||||
|
||||
gen_require(`
|
||||
type httpd_t;
|
||||
type pop_port_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type radicale_t;
|
||||
type radicale_exec_t;
|
||||
init_daemon_domain(radicale_t, radicale_exec_t)
|
||||
|
||||
type radicale_log_t;
|
||||
logging_log_file(radicale_log_t)
|
||||
|
||||
type radicale_var_lib_t;
|
||||
files_type(radicale_var_lib_t)
|
||||
|
||||
type radicale_var_run_t;
|
||||
files_pid_file(radicale_var_run_t)
|
||||
|
||||
type radicale_etc_t;
|
||||
files_config_file(radicale_etc_t);
|
||||
|
||||
type radicale_unit_file_t;
|
||||
systemd_unit_file(radicale_unit_file_t)
|
||||
|
||||
type radicale_port_t;
|
||||
corenet_port(radicale_port_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# radicale local policy
|
||||
#
|
||||
allow radicale_t self:fifo_file rw_fifo_file_perms;
|
||||
allow radicale_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow radicale_t self:tcp_socket create_stream_socket_perms;
|
||||
allow radicale_t self:unix_dgram_socket create_stream_socket_perms;
|
||||
|
||||
allow radicale_t radicale_port_t:tcp_socket name_bind;
|
||||
allow radicale_t pop_port_t:tcp_socket name_connect;
|
||||
|
||||
manage_dirs_pattern(radicale_t, radicale_log_t, radicale_log_t)
|
||||
manage_files_pattern(radicale_t, radicale_log_t, radicale_log_t)
|
||||
manage_lnk_files_pattern(radicale_t, radicale_log_t, radicale_log_t)
|
||||
logging_log_filetrans(radicale_t, radicale_log_t, { dir file lnk_file })
|
||||
|
||||
manage_dirs_pattern(radicale_t, radicale_var_lib_t, radicale_var_lib_t)
|
||||
manage_files_pattern(radicale_t, radicale_var_lib_t, radicale_var_lib_t)
|
||||
manage_lnk_files_pattern(radicale_t, radicale_var_lib_t, radicale_var_lib_t)
|
||||
files_var_lib_filetrans(radicale_t, radicale_var_lib_t, { dir file lnk_file })
|
||||
|
||||
manage_files_pattern(radicale_t, radicale_var_run_t, radicale_var_run_t)
|
||||
files_pid_filetrans(radicale_t, radicale_var_lib_t, file)
|
||||
|
||||
domain_use_interactive_fds(radicale_t)
|
||||
|
||||
files_read_etc_files(radicale_t)
|
||||
read_files_pattern(radicale_t, radicale_etc_t, radicale_etc_t)
|
||||
|
||||
bool httpd_can_read_write_radicale false;
|
||||
|
||||
if (httpd_can_read_write_radicale) {
|
||||
manage_dirs_pattern(httpd_t, radicale_log_t, radicale_log_t)
|
||||
manage_files_pattern(httpd_t, radicale_log_t, radicale_log_t)
|
||||
manage_lnk_files_pattern(httpd_t, radicale_log_t, radicale_log_t)
|
||||
#logging_log_filetrans(httpd_t, radicale_log_t, { dir file lnk_file })
|
||||
|
||||
manage_dirs_pattern(httpd_t, radicale_var_lib_t, radicale_var_lib_t)
|
||||
manage_files_pattern(httpd_t, radicale_var_lib_t, radicale_var_lib_t)
|
||||
manage_lnk_files_pattern(httpd_t, radicale_var_lib_t, radicale_var_lib_t)
|
||||
#files_var_lib_filetrans(httpd_t, radicale_var_lib_t, { dir file lnk_file })
|
||||
|
||||
#domain_use_interactive_fds(httpd_t)
|
||||
|
||||
#files_read_etc_files(radicale_t)
|
||||
read_files_pattern(httpd_t, radicale_etc_t, radicale_etc_t)
|
||||
}
|
||||
|
||||
miscfiles_read_localization(radicale_t)
|
||||
dev_read_urand(radicale_t)
|
||||
dev_read_rand(radicale_t)
|
||||
auth_use_nsswitch(radicale_t)
|
||||
corecmd_exec_shell(radicale_t)
|
||||
corecmd_exec_bin(radicale_t)
|
||||
libs_exec_ldconfig(radicale_t)
|
||||
kernel_read_system_state(radicale_t)
|
||||
apache_search_config(radicale_t)
|
||||
Loading…
Reference in New Issue