Package including selinux

Move from dist-git

README-Fedora

@@ -0,0 +1,6 @@
+After installation edit the domain in /etc/httpd/conf.d/surrogator.config.php.
+Add avatar images to the /var/lib/surrogator folder and run /usr/bin/surrogator.
+Restart your httpd server.
+
+The surrogator.config.php.dist is the original project version of the
+config file.

surrogator.conf

@@ -0,0 +1,26 @@
+<VirtualHost 0.0.0.0:80>
+  ServerName avatars.example.com
+  Redirect / https://avatars.example.com
+</VirtualHost>
+
+<VirtualHost 0.0.0.0:443>
+  ServerName avatars.example.com
+
+  ErrorLog logs/avatars.example.com-error_log
+  TransferLog logs/avatars.example.com-access_log
+  LogLevel warn
+  CustomLog logs/avatars.example.com-request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+  DocumentRoot /usr/share/surrogator/www
+
+  <Location />
+    Require all granted
+    Options Indexes MultiViews FollowSymlinks
+  </Location>
+
+  <IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^avatar/ avatar.php [L]
+  </IfModule>
+
+</VirtualHost>

surrogator.config.php

@@ -0,0 +1,62 @@
+<?php
+/**
+ * Directory where you source image files live
+ */
+$rawDir = '/var/lib/surrogator/';
+
+/**
+ * Directory in which all the image files get generated into.
+ * You could put that to /var/cached/avatars/ or so
+ */
+$varDir = '/var/cache/surrogator/';
+
+/**
+ * Document root of the web server host.
+ */
+$wwwDir = '/usr/share/surrogator/www/';
+
+/**
+ * Directory of default resource files.
+ * You probably do not want to change that.
+ */
+$resDir = '/usr/share/surrogator/res/';
+
+/**
+ * Array of image sizes to generate.
+ * Needs to be in ascending order.
+ */
+$sizes   = array(16, 32, 48, 64, 80, 96, 128, 256, 512);
+
+/**
+ * Maximum image size supported by the server
+ */
+$maxSize = 512;
+
+/**
+ * Default log level. 0 for no logging, 1 for important messages, 3 for all
+ */
+$logLevel = 1;
+
+/**
+ * By default, images are only generated if their source file (in raw/)
+ * is newer than the generated square file. If you set $forceUpdate
+ * to true, the images will always be regenerated.
+ */
+$forceUpdate = false;
+
+/**
+ * URL prefixes that may be used as "default" parameter.
+ *
+ * Taken from https://git.linux-kernel.at/oliver/ivatar/-/blob/master/config.py
+ */
+$trustedDefaultUrls = [
+    'http://gravatar.com/avatar/',
+    'http://www.planet-libre.org/themes/planetlibre/images/',
+    'https://avatars.dicebear.com/api/',
+    'https://badges.fedoraproject.org/static/img/',
+    'https://gravatar.com/avatar/',
+    'https://secure.gravatar.com/avatar/',
+    'https://ui-avatars.com/api/',
+    'https://www.azuracast.com/img/',
+];
+?>

surrogator.fc

@@ -0,0 +1,5 @@
+/usr/bin/surrogator		--	gen_context(system_u:object_r:surrogator_exec_t,s0)
+
+/var/cache/surrogator(/.*)?		gen_context(system_u:object_r:surrogator_cache_t,s0)
+
+/var/lib/surrogator(/.*)?		gen_context(system_u:object_r:surrogator_var_lib_t,s0)

surrogator.if

@@ -0,0 +1,237 @@
+
+## <summary>policy for surrogator</summary>
+
+########################################
+## <summary>
+##	Execute surrogator_exec_t in the surrogator domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`surrogator_domtrans',`
+	gen_require(`
+		type surrogator_t, surrogator_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, surrogator_exec_t, surrogator_t)
+')
+
+######################################
+## <summary>
+##	Execute surrogator in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_exec',`
+	gen_require(`
+		type surrogator_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, surrogator_exec_t)
+')
+
+########################################
+## <summary>
+##	Search surrogator cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_search_cache',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	allow $1 surrogator_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read surrogator cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_read_cache_files',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	surrogator cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_cache_files',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage surrogator cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_cache_dirs',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+
+########################################
+## <summary>
+##	Search surrogator lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_search_lib',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	allow $1 surrogator_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read surrogator lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_read_lib_files',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage surrogator lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_lib_files',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage surrogator lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_lib_dirs',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an surrogator environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`surrogator_admin',`
+	gen_require(`
+		type surrogator_t;
+		type surrogator_cache_t;
+		type surrogator_var_lib_t;
+	')
+
+	allow $1 surrogator_t:process { signal_perms };
+	ps_process_pattern($1, surrogator_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 surrogator_t:process ptrace;
+    ')
+
+	files_search_var($1)
+	admin_pattern($1, surrogator_cache_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, surrogator_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')

surrogator.spec

@@ -0,0 +1,160 @@
+%define relabel_files() \
+restorecon -R /usr/bin/surrogator; \
+restorecon -R /var/cache/surrogator; \
+restorecon -R /var/lib/surrogator; \
+
+%define selinux_policyver 39.6-1
+
+Name:       surrogator
+Summary:    Simple open source Libravatar compatible avatar image server written in PHP
+Version:    0.3.0
+Release:    8%{?dist}
+Group:      System Environment/Daemons
+License:    AGPL-3.0-or-later
+
+Source0:    surrogator-0.3.0.tar.bz2
+Source1:    surrogator.config.php
+Source2:    surrogator.conf
+Source3:    README-Fedora
+Source4:    surrogator.te
+Source5:    surrogator.if
+Source6:    surrogator.fc
+
+
+URL:        https://sourceforge.net/p/surrogator/wiki/Home/
+Requires:   php >= 5
+Requires:   webserver
+Requires:   surrogator
+BuildArch:  noarch
+
+%description
+Simple open source Libravatar compatible avatar image server written
+in PHP.
+
+Features:
+* Delivers images for email addresses
+* Very easy to setup.
+* No graphics processing is done on the server,
+  keeping the CPU load low. All avatar images get
+  pre-generated for a set of sizes
+* If no image at the user requested size is found,
+  the next larger image gets returned.
+* Supports the mm fallback image (mystery man)
+
+%package httpd
+Summary:            A htppd config to enable surrogator on an apache server
+Requires:           surrogator
+Requires:           httpd-core
+
+%description httpd
+Simple open source Libravatar compatible avatar image server written
+in PHP.
+This package contains an http config file that enables the service on
+an apache server.
+
+%package selinux
+Summary:            SELinux policy module for surrogator
+Group:              System Environment/Base
+
+Requires:           policycoreutils-python-utils, libselinux-utils
+Requires:           surrogator, surrogator-http
+Requires(post):     selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun):   policycoreutils-python-utils
+Requires(post):     surrogator
+BuildRequires:      selinux-policy-devel
+BuildArch:          noarch
+
+%description selinux
+This package installs and sets up the  SELinux policy security module for surrogator.
+
+
+%prep
+%setup -q
+cp %{SOURCE1} surrogator.config.php
+cp %{SOURCE2} surrogator.conf
+cp %{SOURCE3} README-Fedora
+cp %{SOURCE4} surrogator.te
+cp %{SOURCE5} surrogator.if
+cp %{SOURCE6} surrogator.fc
+
+%build selinux
+make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 %{name}.pp
+
+%install
+install -dm 755 %{buildroot}
+install -Dm 644 -t %{buildroot}%{_sysconfdir} %{SOURCE1}
+install -Dm 644 -t %{buildroot}%{_docdir}/%{name} %{SOURCE3}
+install -Dm 644 -t %{buildroot}%{_sysconfdir}/httpd/conf.d %{SOURCE2}
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/res res/*.png res/*.svg
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*
+install -dm 755 %{buildroot}%{_var}/cache/%{name}
+install -dm 755 %{buildroot}%{_sharedstatedir}/%{name}
+install -Dm 755 surrogator.php %{buildroot}%{_bindir}/%{name}
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*
+
+install -Dm 644 -t %{buildroot}%{_datadir}/selinux/packages %{name}.pp.bz2
+install -Dm 644 -t %{buildroot}%{_datadir}/selinux/devel/include/contrib/ %{SOURCE5}
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/surrogator.pp
+sepolicy manpage --domain surrogator_t
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semodule -n -r surrogator
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+
+%files
+%defattr(-,root,root)
+%{_datadir}/%{name}
+%{_var}/cache/%{name}
+%{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}.config.php
+%doc README.rst
+%doc data/%{name}.config.php.dist
+%doc %{_docdir}/%{name}/*
+%license LICENSE
+
+%files httpd
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
+%license LICENSE
+
+%files selinux
+%attr(0600,root,root) %{_datadir}/selinux/packages/surrogator.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/surrogator.if
+%ghost %{_mandir}/man8/surrogator_selinux.8.gz
+
+%changelog
+* Mon May 20 2024 Daniel Demus <daniel@demus.dk> - 0.3.0-8
+- Add selinux targeted policy
+* Sat May 18 2024 Daniel Demus <daniel@demus.dk> - 0.3.0-7
+- Add final slash to cache directory path
+* Sun Nov 19 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-6
+- Correct DocumentRoot
+* Sun Nov 19 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-5
+- Add Location section to allow all in apache config
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-4
+- Correct license
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-3
+- Remove invalid RewriteBase directive from apache config
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-2
+- Require only webserver in the base package
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-1
+- Require base package in the httpd config package
+* Mon Oct 30 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-0
+- First package

surrogator.te

@@ -0,0 +1,50 @@
+policy_module(surrogator, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type surrogator_t;
+type surrogator_exec_t;
+init_daemon_domain(surrogator_t, surrogator_exec_t)
+
+permissive surrogator_t;
+
+type surrogator_cache_t;
+files_type(surrogator_cache_t)
+
+type surrogator_var_lib_t;
+files_type(surrogator_var_lib_t)
+
+########################################
+#
+# surrogator local policy
+#
+allow surrogator_t self:fifo_file rw_fifo_file_perms;
+allow surrogator_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+manage_files_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+manage_lnk_files_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+files_var_filetrans(surrogator_t, surrogator_cache_t, { dir file lnk_file })
+
+manage_dirs_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+manage_files_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+manage_lnk_files_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+files_var_lib_filetrans(surrogator_t, surrogator_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(surrogator_t)
+
+files_read_etc_files(surrogator_t)
+
+miscfiles_read_localization(surrogator_t)
+
+#============= httpd_t ==============
+require {
+	type httpd_t;
+	class file { getattr read open };
+}
+
+allow httpd_t surrogator_cache_t:file { getattr read open map };
+