webbuilder_pel7x64builder0
4 years ago
4 changed files with 392 additions and 0 deletions
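--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,13 @@
+/usr/bin/radicale -- gen_context(system_u:object_r:radicale_exec_t,s0)
+
+/usr/lib/systemd/system/radicale.service -- gen_context(system_u:object_r:radicale_unit_file_t,s0)
+
+/var/lib/radicale(/.*)? gen_context(system_u:object_r:radicale_var_lib_t,s0)
+
+/var/log/radicale(/.*)? gen_context(system_u:object_r:radicale_log_t,s0)
+
+/var/run/radicale(/.*)? gen_context(system_u:object_r:radicale_var_run_t,s0)
+
+/etc/radicale(/.*)? gen_context(system_u:object_r:radicale_etc_t,s0)
+
+#portcon tcp 5232 gen_context(system_u:object_r:radicale_port_t,s0)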
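Review bot: The commented-out `#portcon tcp 5232` on the last line is the only place this commit ties a port number to radicale_port_t, so the `allow radicale_t radicale_port_t:tcp_socket name_bind;` rule in the .te hunk has no port to match after the module is installed. A `portcon` statement is not accepted in a loadable module's file-contexts file in any case, so the port has to be assigned at install time (for example with `semanage port`) or declared in base policy. Replacing the dead line with a comment that states this, `# radicale_port_t is assigned with semanage port at install time`, would stop the next reader from assuming the binding is already in place.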
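--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,265 @@
+
+## <summary>policy for radicale</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the radicale domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`radicale_domtrans',`
+gen_require(`
+type radicale_t, radicale_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, radicale_exec_t, radicale_t)
+')
+########################################
+## <summary>
+## Read radicale's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radicale_read_log',`
+gen_require(`
+type radicale_log_t;
+')
+
+logging_search_logs($1)
+read_files_pattern($1, radicale_log_t, radicale_log_t)
+')
+
+########################################
+## <summary>
+## Append to radicale log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_append_log',`
+gen_require(`
+type radicale_log_t;
+')
+
+logging_search_logs($1)
+append_files_pattern($1, radicale_log_t, radicale_log_t)
+')
+
+########################################
+## <summary>
+## Manage radicale log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_manage_log',`
+gen_require(`
+type radicale_log_t;
+')
+
+logging_search_logs($1)
+manage_dirs_pattern($1, radicale_log_t, radicale_log_t)
+manage_files_pattern($1, radicale_log_t, radicale_log_t)
+manage_lnk_files_pattern($1, radicale_log_t, radicale_log_t)
+')
+
+########################################
+## <summary>
+## Search radicale lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_search_lib',`
+gen_require(`
+type radicale_var_lib_t;
+')
+
+allow $1 radicale_var_lib_t:dir search_dir_perms;
+files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read radicale lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_read_lib_files',`
+gen_require(`
+type radicale_var_lib_t;
+')
+
+files_search_var_lib($1)
+read_files_pattern($1, radicale_var_lib_t, radicale_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage radicale lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_manage_lib_files',`
+gen_require(`
+type radicale_var_lib_t;
+')
+
+files_search_var_lib($1)
+manage_files_pattern($1, radicale_var_lib_t, radicale_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage radicale lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_manage_lib_dirs',`
+gen_require(`
+type radicale_var_lib_t;
+')
+
+files_search_var_lib($1)
+manage_dirs_pattern($1, radicale_var_lib_t, radicale_var_lib_t)
+')
+
+#####################################
+## <summary>
+## Read radicale pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radicale_read_pid_files',`
+gen_require(`
+type radicale_var_run_t;
+')
+files_search_pids($1)
+read_files_pattern($1, radicale_var_run_t, radicale_var_run_t)
+')
+
+#####################################
+## <summary>
+## Search radicale pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`radicale_search_pid_files',`
+gen_require(`
+type radicale_var_run_t;
+')
+files_search_pids($1)
+search_dirs_pattern($1, radicale_var_run_t, radicale_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute radicale server in the radicale domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`radicale_systemctl',`
+gen_require(`
+type radicale_t;
+type radicale_unit_file_t;
+')
+
+systemd_exec_systemctl($1)
+systemd_read_fifo_file_password_run($1)
+allow $1 radicale_unit_file_t:file read_file_perms;
+allow $1 radicale_unit_file_t:service manage_service_perms;
+
+ps_process_pattern($1, radicale_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an radicale environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radicale_admin',`
+gen_require(`
+type radicale_t;
+type radicale_log_t;
+type radicale_var_lib_t;
+type radicale_var_run_t;
+type radicale_unit_file_t;
+')
+
+allow $1 radicale_t:process { ptrace signal_perms };
+ps_process_pattern($1, radicale_t)
+
+logging_search_logs($1)
+admin_pattern($1, radicale_log_t)
+
+files_search_var_lib($1)
+admin_pattern($1, radicale_var_lib_t)
+
+radicale_search_pid_files($1)
+radicale_read_pid_files($1)
+
+radicale_systemctl($1)
+admin_pattern($1, radicale_unit_file_t)
+allow $1 radicale_unit_file_t:service all_service_perms;
+optional_policy(`
+systemd_passwd_agent_exec($1)
+systemd_read_fifo_file_passwd_run($1)
+')
+')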
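Review bot: `radicale_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `radicale_admin` calls `systemd_read_fifo_file_passwd_run($1)` inside its `optional_policy` block; the two spellings cannot both name an existing interface, and the one that is undefined will make the module build fail on the first interface that is not wrapped in `optional_policy`. The interface documentation also carries copy-paste leftovers that will mislead anyone reading the generated docs: `radicale_domtrans` is summarised as "Execute TEMPLATE in the radicale domin." and `radicale_systemctl` reuses the domtrans summary "Execute radicale server in the radicale domain." although it grants systemctl and service-management rights, so I would change them to `## Execute radicale in the radicale domain.` and `## Execute systemctl to manage the radicale service.`. `radicale_admin` documents a `role` parameter but never uses `$2`; either drop the `<param name="role">` block or add the role rules the summary promises.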
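--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,22 @@
+[Unit]
+Description=Radicale CalDAV and CardDAV server
+Documentation=http://radicale.org/documentation/
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+Type=forking
+WorkingDirectory=/var/lib/radicale
+User=radicale
+Group=radicale
+UMask=0027
+PIDFile=/var/run/radicale/radicale.pid
+ExecStart=/usr/bin/radicale --daemon --pid=/var/run/radicale/radicale.pid
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target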
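Review bot: `PIDFile=/var/run/radicale/radicale.pid` and the matching `--pid=` argument in `ExecStart=` rely on /var/run/radicale already existing and being writable by the `radicale` user, but nothing in this commit creates it, and with `User=radicale` plus an empty `CapabilityBoundingSet=` the daemon cannot create it itself; adding `RuntimeDirectory=radicale` to the `[Service]` section lets systemd create and own it (and label it per the `/var/run/radicale(/.*)?` entry in the file-contexts hunk). The empty bounding set is a good start but is undermined if a helper the daemon executes is setuid, so `NoNewPrivileges=true` belongs next to it. `Documentation=http://radicale.org/documentation/` points at a plain-http URL; presumably an https URL exists and should be used.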
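--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,92 @@
+policy_module(radicale, 1.0.8)
+
+gen_require(`
+type httpd_t;
+type pop_port_t;
+')
+
+########################################
+#
+# Declarations
+#
+
+type radicale_t;
+type radicale_exec_t;
+init_daemon_domain(radicale_t, radicale_exec_t)
+
+type radicale_log_t;
+logging_log_file(radicale_log_t)
+
+type radicale_var_lib_t;
+files_type(radicale_var_lib_t)
+
+type radicale_var_run_t;
+files_pid_file(radicale_var_run_t)
+
+type radicale_etc_t;
+files_config_file(radicale_etc_t);
+
+type radicale_unit_file_t;
+systemd_unit_file(radicale_unit_file_t)
+
+type radicale_port_t;
+corenet_port(radicale_port_t)
+
+########################################
+#
+# radicale local policy
+#
+allow radicale_t self:fifo_file rw_fifo_file_perms;
+allow radicale_t self:unix_stream_socket create_stream_socket_perms;
+allow radicale_t self:tcp_socket create_stream_socket_perms;
+allow radicale_t self:unix_dgram_socket create_stream_socket_perms;
+
+allow radicale_t radicale_port_t:tcp_socket name_bind;
+allow radicale_t pop_port_t:tcp_socket name_connect;
+
+manage_dirs_pattern(radicale_t, radicale_log_t, radicale_log_t)
+manage_files_pattern(radicale_t, radicale_log_t, radicale_log_t)
+manage_lnk_files_pattern(radicale_t, radicale_log_t, radicale_log_t)
+logging_log_filetrans(radicale_t, radicale_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(radicale_t, radicale_var_lib_t, radicale_var_lib_t)
+manage_files_pattern(radicale_t, radicale_var_lib_t, radicale_var_lib_t)
+manage_lnk_files_pattern(radicale_t, radicale_var_lib_t, radicale_var_lib_t)
+files_var_lib_filetrans(radicale_t, radicale_var_lib_t, { dir file lnk_file })
+
+manage_files_pattern(radicale_t, radicale_var_run_t, radicale_var_run_t)
+files_pid_filetrans(radicale_t, radicale_var_lib_t, file)
+
+domain_use_interactive_fds(radicale_t)
+
+files_read_etc_files(radicale_t)
+read_files_pattern(radicale_t, radicale_etc_t, radicale_etc_t)
+
+bool httpd_can_read_write_radicale false;
+
+if (httpd_can_read_write_radicale) {
+manage_dirs_pattern(httpd_t, radicale_log_t, radicale_log_t)
+manage_files_pattern(httpd_t, radicale_log_t, radicale_log_t)
+manage_lnk_files_pattern(httpd_t, radicale_log_t, radicale_log_t)
+#logging_log_filetrans(httpd_t, radicale_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(httpd_t, radicale_var_lib_t, radicale_var_lib_t)
+manage_files_pattern(httpd_t, radicale_var_lib_t, radicale_var_lib_t)
+manage_lnk_files_pattern(httpd_t, radicale_var_lib_t, radicale_var_lib_t)
+#files_var_lib_filetrans(httpd_t, radicale_var_lib_t, { dir file lnk_file })
+
+#domain_use_interactive_fds(httpd_t)
+
+#files_read_etc_files(radicale_t)
+read_files_pattern(httpd_t, radicale_etc_t, radicale_etc_t)
+}
+
+miscfiles_read_localization(radicale_t)
+dev_read_urand(radicale_t)
+dev_read_rand(radicale_t)
+auth_use_nsswitch(radicale_t)
+corecmd_exec_shell(radicale_t)
+corecmd_exec_bin(radicale_t)
+libs_exec_ldconfig(radicale_t)
+kernel_read_system_state(radicale_t)
+apache_search_config(radicale_t)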
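Review bot: `files_pid_filetrans(radicale_t, radicale_var_lib_t, file)` names the wrong type: the pid file radicale_t creates under /var/run will be labelled radicale_var_lib_t, so it matches neither the `/var/run/radicale(/.*)?` context in the file-contexts hunk nor the `manage_files_pattern(radicale_t, radicale_var_run_t, radicale_var_run_t)` rule on the line above, and the `radicale_read_pid_files` interface will not cover it; the line should read `files_pid_filetrans(radicale_t, radicale_var_run_t, file)`. The top-level `gen_require` of `httpd_t` and `pop_port_t`, the `if (httpd_can_read_write_radicale)` block and the unconditional `apache_search_config(radicale_t)` make this module unloadable on a system without the apache module, so the httpd-related rules (and, presumably, the `pop_port_t` connect rule, whose purpose is not explained anywhere in the commit) belong inside `optional_policy(`...')` with a comment stating why radicale needs them. `allow radicale_t self:unix_dgram_socket create_stream_socket_perms;` grants listen/accept to a datagram socket; `create_socket_perms` is the matching set. `corecmd_exec_shell`, `corecmd_exec_bin` and `libs_exec_ldconfig` give a network-facing daemon a broad execution surface; unless a concrete denial motivated each, I would drop them and add them back individually with a comment citing the denial.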