Package including selinux
Move from dist-git
This commit is contained in:
parent
3e166852ae
commit
f5bd20b9e0
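--- a/README-Fedora
+++ b/README-Fedora
@@ -0,0 +1,6 @@
+After installation edit the domain in /etc/httpd/conf.d/surrogator.config.php.
+Add avatar images to the /var/lib/surrogator folder and run /usr/bin/surrogator.
+Restart your httpd server.
+
+The surrogator.config.php.dist is the original project version of the
+config file.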
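--- a/surrogator.conf
+++ b/surrogator.conf
@@ -0,0 +1,26 @@
+<VirtualHost 0.0.0.0:80>
+ServerName avatars.example.com
+Redirect / https://avatars.example.com
+</VirtualHost>
+
+<VirtualHost 0.0.0.0:443>
+ServerName avatars.example.com
+
+ErrorLog logs/avatars.example.com-error_log
+TransferLog logs/avatars.example.com-access_log
+LogLevel warn
+CustomLog logs/avatars.example.com-request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+DocumentRoot /usr/share/surrogator/www
+
+<Location />
+Require all granted
+Options Indexes MultiViews FollowSymlinks
+</Location>
+
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule ^avatar/ avatar.php [L]
+</IfModule>
+
+</VirtualHost>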
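Review bot: `Redirect / https://avatars.example.com` has no trailing slash on the target, and mod_alias appends the part of the request path after the matched prefix directly, so a request for `/avatar/x` is sent to `https://avatars.example.comavatar/x`; write it as `Redirect / https://avatars.example.com/`. The `<Location />` block also enables `Indexes` for the entire document root, which lets any client list the contents of `/usr/share/surrogator/www`; `Options MultiViews FollowSymlinks` is sufficient for avatar.php and the static files. The 443 vhost carries no `SSLEngine` or certificate directives, so whether it actually speaks TLS depends entirely on what the host's ssl.conf supplies; either add them or leave a comment stating that dependency so the packaged config is self-describing.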
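--- a/surrogator.config.php
+++ b/surrogator.config.php
@@ -0,0 +1,62 @@
+<?php
+/**
+* Directory where you source image files live
+*/
+$rawDir = '/var/lib/surrogator/';
+
+/**
+* Directory in which all the image files get generated into.
+* You could put that to /var/cached/avatars/ or so
+*/
+$varDir = '/var/cache/surrogator/';
+
+/**
+* Document root of the web server host.
+*/
+$wwwDir = '/usr/share/surrogator/www/';
+
+/**
+* Directory of default resource files.
+* You probably do not want to change that.
+*/
+$resDir = '/usr/share/surrogator/res/';
+
+/**
+* Array of image sizes to generate.
+* Needs to be in ascending order.
+*/
+$sizes = array(16, 32, 48, 64, 80, 96, 128, 256, 512);
+
+/**
+* Maximum image size supported by the server
+*/
+$maxSize = 512;
+
+/**
+* Default log level. 0 for no logging, 1 for important messages, 3 for all
+*/
+$logLevel = 1;
+
+/**
+* By default, images are only generated if their source file (in raw/)
+* is newer than the generated square file. If you set $forceUpdate
+* to true, the images will always be regenerated.
+*/
+$forceUpdate = false;
+
+/**
+* URL prefixes that may be used as "default" parameter.
+*
+* Taken from https://git.linux-kernel.at/oliver/ivatar/-/blob/master/config.py
+*/
+$trustedDefaultUrls = [
+'http://gravatar.com/avatar/',
+'http://www.planet-libre.org/themes/planetlibre/images/',
+'https://avatars.dicebear.com/api/',
+'https://badges.fedoraproject.org/static/img/',
+'https://gravatar.com/avatar/',
+'https://secure.gravatar.com/avatar/',
+'https://ui-avatars.com/api/',
+'https://www.azuracast.com/img/',
+];
+?>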
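Review bot: `$trustedDefaultUrls` allowlists two plaintext prefixes, `http://gravatar.com/avatar/` and `http://www.planet-libre.org/themes/planetlibre/images/`, so a `default` parameter matching them redirects the client to a cleartext URL even though the packaged vhost itself only serves HTTPS; gravatar is already present as `https://`, so the `http://` entries can be dropped or changed to `https://`. The code that consumes this list is not part of the commit, so whether it performs a prefix or exact match should be confirmed in avatar.php before relying on the allowlist. The closing `?>` on the last line is unnecessary in a file that only assigns variables and is a common source of stray output being emitted before headers when the config is included; remove it.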
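--- a/surrogator.fc
+++ b/surrogator.fc
@@ -0,0 +1,5 @@
+/usr/bin/surrogator -- gen_context(system_u:object_r:surrogator_exec_t,s0)
+
+/var/cache/surrogator(/.*)? gen_context(system_u:object_r:surrogator_cache_t,s0)
+
+/var/lib/surrogator(/.*)? gen_context(system_u:object_r:surrogator_var_lib_t,s0)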
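--- a/surrogator.if
+++ b/surrogator.if
@@ -0,0 +1,237 @@
+
+## <summary>policy for surrogator</summary>
+
+########################################
+## <summary>
+## Execute surrogator_exec_t in the surrogator domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`surrogator_domtrans',`
+gen_require(`
+type surrogator_t, surrogator_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, surrogator_exec_t, surrogator_t)
+')
+
+######################################
+## <summary>
+## Execute surrogator in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_exec',`
+gen_require(`
+type surrogator_exec_t;
+')
+
+corecmd_search_bin($1)
+can_exec($1, surrogator_exec_t)
+')
+
+########################################
+## <summary>
+## Search surrogator cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_search_cache',`
+gen_require(`
+type surrogator_cache_t;
+')
+
+allow $1 surrogator_cache_t:dir search_dir_perms;
+files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read surrogator cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_read_cache_files',`
+gen_require(`
+type surrogator_cache_t;
+')
+
+files_search_var($1)
+read_files_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## surrogator cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_manage_cache_files',`
+gen_require(`
+type surrogator_cache_t;
+')
+
+files_search_var($1)
+manage_files_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+########################################
+## <summary>
+## Manage surrogator cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_manage_cache_dirs',`
+gen_require(`
+type surrogator_cache_t;
+')
+
+files_search_var($1)
+manage_dirs_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+
+########################################
+## <summary>
+## Search surrogator lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_search_lib',`
+gen_require(`
+type surrogator_var_lib_t;
+')
+
+allow $1 surrogator_var_lib_t:dir search_dir_perms;
+files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read surrogator lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_read_lib_files',`
+gen_require(`
+type surrogator_var_lib_t;
+')
+
+files_search_var_lib($1)
+read_files_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage surrogator lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_manage_lib_files',`
+gen_require(`
+type surrogator_var_lib_t;
+')
+
+files_search_var_lib($1)
+manage_files_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage surrogator lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`surrogator_manage_lib_dirs',`
+gen_require(`
+type surrogator_var_lib_t;
+')
+
+files_search_var_lib($1)
+manage_dirs_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an surrogator environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`surrogator_admin',`
+gen_require(`
+type surrogator_t;
+type surrogator_cache_t;
+type surrogator_var_lib_t;
+')
+
+allow $1 surrogator_t:process { signal_perms };
+ps_process_pattern($1, surrogator_t)
+
+tunable_policy(`deny_ptrace',`',`
+allow $1 surrogator_t:process ptrace;
+')
+
+files_search_var($1)
+admin_pattern($1, surrogator_cache_t)
+
+files_search_var_lib($1)
+admin_pattern($1, surrogator_var_lib_t)
+optional_policy(`
+systemd_passwd_agent_exec($1)
+systemd_read_fifo_file_passwd_run($1)
+')
+')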
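Review bot: `surrogator_admin` documents a `role` parameter (`## <param name="role">` plus `<rolecap/>`) but its body never references `$2`, so a caller passing a role gets no role authorization and the interface XML misdescribes what the interface does. Either drop the `role` parameter and `<rolecap/>` from the comment block, or make the body use it, e.g. `role $2 types surrogator_t;`, if the domain is meant to be entered by that role. The `optional_policy` block calling `systemd_passwd_agent_exec($1)` and `systemd_read_fifo_file_passwd_run($1)` is template boilerplate that grants the admin domain passwd-agent access nothing in this module appears to need; remove it unless surrogator actually prompts via systemd-ask-password.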
BIN
surrogator.pp
Normal file
BIN
surrogator.pp
Normal file
Binary file not shown.
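--- a/surrogator.spec
+++ b/surrogator.spec
@@ -0,0 +1,160 @@
+%define relabel_files() \
+restorecon -R /usr/bin/surrogator; \
+restorecon -R /var/cache/surrogator; \
+restorecon -R /var/lib/surrogator; \
+
+%define selinux_policyver 39.6-1
+
+Name: surrogator
+Summary: Simple open source Libravatar compatible avatar image server written in PHP
+Version: 0.3.0
+Release: 8%{?dist}
+Group: System Environment/Daemons
+License: AGPL-3.0-or-later
+
+Source0: surrogator-0.3.0.tar.bz2
+Source1: surrogator.config.php
+Source2: surrogator.conf
+Source3: README-Fedora
+Source4: surrogator.te
+Source5: surrogator.if
+Source6: surrogator.fc
+
+
+URL: https://sourceforge.net/p/surrogator/wiki/Home/
+Requires: php >= 5
+Requires: webserver
+Requires: surrogator
+BuildArch: noarch
+
+%description
+Simple open source Libravatar compatible avatar image server written
+in PHP.
+
+Features:
+* Delivers images for email addresses
+* Very easy to setup.
+* No graphics processing is done on the server,
+keeping the CPU load low. All avatar images get
+pre-generated for a set of sizes
+* If no image at the user requested size is found,
+the next larger image gets returned.
+* Supports the mm fallback image (mystery man)
+
+%package httpd
+Summary: A htppd config to enable surrogator on an apache server
+Requires: surrogator
+Requires: httpd-core
+
+%description httpd
+Simple open source Libravatar compatible avatar image server written
+in PHP.
+This package contains an http config file that enables the service on
+an apache server.
+
+%package selinux
+Summary: SELinux policy module for surrogator
+Group: System Environment/Base
+
+Requires: policycoreutils-python-utils, libselinux-utils
+Requires: surrogator, surrogator-http
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun): policycoreutils-python-utils
+Requires(post): surrogator
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+
+%description selinux
+This package installs and sets up the SELinux policy security module for surrogator.
+
+
+%prep
+%setup -q
+cp %{SOURCE1} surrogator.config.php
+cp %{SOURCE2} surrogator.conf
+cp %{SOURCE3} README-Fedora
+cp %{SOURCE4} surrogator.te
+cp %{SOURCE5} surrogator.if
+cp %{SOURCE6} surrogator.fc
+
+%build selinux
+make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 %{name}.pp
+
+%install
+install -dm 755 %{buildroot}
+install -Dm 644 -t %{buildroot}%{_sysconfdir} %{SOURCE1}
+install -Dm 644 -t %{buildroot}%{_docdir}/%{name} %{SOURCE3}
+install -Dm 644 -t %{buildroot}%{_sysconfdir}/httpd/conf.d %{SOURCE2}
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/res res/*.png res/*.svg
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*
+install -dm 755 %{buildroot}%{_var}/cache/%{name}
+install -dm 755 %{buildroot}%{_sharedstatedir}/%{name}
+install -Dm 755 surrogator.php %{buildroot}%{_bindir}/%{name}
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*
+
+install -Dm 644 -t %{buildroot}%{_datadir}/selinux/packages %{name}.pp.bz2
+install -Dm 644 -t %{buildroot}%{_datadir}/selinux/devel/include/contrib/ %{SOURCE5}
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/surrogator.pp
+sepolicy manpage --domain surrogator_t
+if /usr/sbin/selinuxenabled ; then
+/usr/sbin/load_policy
+%relabel_files
+
+fi;
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+semodule -n -r surrogator
+if /usr/sbin/selinuxenabled ; then
+/usr/sbin/load_policy
+%relabel_files
+
+fi;
+fi;
+exit 0
+
+
+%files
+%defattr(-,root,root)
+%{_datadir}/%{name}
+%{_var}/cache/%{name}
+%{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}.config.php
+%doc README.rst
+%doc data/%{name}.config.php.dist
+%doc %{_docdir}/%{name}/*
+%license LICENSE
+
+%files httpd
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
+%license LICENSE
+
+%files selinux
+%attr(0600,root,root) %{_datadir}/selinux/packages/surrogator.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/surrogator.if
+%ghost %{_mandir}/man8/surrogator_selinux.8.gz
+
+%changelog
+* Mon May 20 2024 Daniel Demus <daniel@demus.dk> - 0.3.0-8
+- Add selinux targeted policy
+* Sat May 18 2024 Daniel Demus <daniel@demus.dk> - 0.3.0-7
+- Add final slash to cache directory path
+* Sun Nov 19 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-6
+- Correct DocumentRoot
+* Sun Nov 19 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-5
+- Add Location section to allow all in apache config
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-4
+- Correct license
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-3
+- Remove invalid RewriteBase directive from apache config
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-2
+- Require only webserver in the base package
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-1
+- Require base package in the httpd config package
+* Mon Oct 30 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-0
+- First package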
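Review bot: The `selinux` subpackage declares `Requires: surrogator, surrogator-http`, but the only subpackage defined is `%package httpd` (i.e. `surrogator-httpd`), so `surrogator-selinux` depends on a name nothing provides and cannot be installed; change it to `Requires: surrogator, surrogator-httpd`. The base package also carries `Requires: surrogator` on itself, which is redundant and should be removed. `%build selinux` is not valid section syntax (`%build` takes no subpackage argument), and `sepolicy manpage --domain surrogator_t` in `%post selinux` writes to the scriptlet's working directory rather than `%{_mandir}/man8`, so the `%ghost %{_mandir}/man8/surrogator_selinux.8.gz` entry is unlikely ever to be populated; `sepolicy manpage -p %{_mandir}/man8 -d surrogator_t` followed by gzip would match the ghost entry. The `install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*` line appears twice in `%install`, and README-Fedora in this same commit points users at `/etc/httpd/conf.d/surrogator.config.php` while `%files` installs that file as `%{_sysconfdir}/%{name}.config.php`.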
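--- a/surrogator.te
+++ b/surrogator.te
@@ -0,0 +1,50 @@
+policy_module(surrogator, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type surrogator_t;
+type surrogator_exec_t;
+init_daemon_domain(surrogator_t, surrogator_exec_t)
+
+permissive surrogator_t;
+
+type surrogator_cache_t;
+files_type(surrogator_cache_t)
+
+type surrogator_var_lib_t;
+files_type(surrogator_var_lib_t)
+
+########################################
+#
+# surrogator local policy
+#
+allow surrogator_t self:fifo_file rw_fifo_file_perms;
+allow surrogator_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+manage_files_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+manage_lnk_files_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+files_var_filetrans(surrogator_t, surrogator_cache_t, { dir file lnk_file })
+
+manage_dirs_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+manage_files_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+manage_lnk_files_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+files_var_lib_filetrans(surrogator_t, surrogator_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(surrogator_t)
+
+files_read_etc_files(surrogator_t)
+
+miscfiles_read_localization(surrogator_t)
+
+#============= httpd_t ==============
+require {
+type httpd_t;
+class file { getattr read open };
+}
+
+allow httpd_t surrogator_cache_t:file { getattr read open map };
+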
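Review bot: `permissive surrogator_t;` ships the domain in permissive mode, so none of the rules in this module are enforced for surrogator_t and the `surrogator-selinux` package currently confines nothing; this is the sepolicy-generate placeholder and should be removed once the policy has been exercised under enforcing mode without denials, or at least carry a `# TODO: remove once policy is complete` comment explaining why it is still present. The final `allow httpd_t surrogator_cache_t:file { getattr read open map };` grants only file-class permissions with no `dir` search on `surrogator_cache_t`, so httpd_t is likely still denied when traversing `/var/cache/surrogator` to reach those files. The raw `require { ... }` block is also redundant under `policy_module`, where object classes are already declared, and the conventional form for a cross-module rule is an `optional_policy` block with a `gen_require` for the foreign type, using `read_files_pattern` to cover both the directory and the files.
```m4
# … unchanged: declarations and surrogator local policy …

#============= httpd_t ==============
optional_policy(`
	gen_require(`
		type httpd_t;
	')

	read_files_pattern(httpd_t, surrogator_cache_t, surrogator_cache_t)
	allow httpd_t surrogator_cache_t:file map;
')
```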