author | Guido Günther <agx@sigxcpu.org> | 2017-09-25 19:22:15 +0200 |
---|---|---|
committer | Guido Günther <agx@sigxcpu.org> | 2017-09-28 20:08:42 +0200 |
commit | bfdeaac7ef5c4816759acb0dddc299a58bf27755 (patch) | |
tree | 2138fd1c305406159652fb38b7d1f608cf5c02b6 /profiles/usr.sbin.kopano-server |
Diffstat (limited to 'profiles/usr.sbin.kopano-server')
-rw-r--r-- | profiles/usr.sbin.kopano-server | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/profiles/usr.sbin.kopano-server b/profiles/usr.sbin.kopano-server
new file mode 100644
index 0000000..0f3648c
--- /dev/null
+++ b/profiles/usr.sbin.kopano-server
@@ -0,0 +1,43 @@
+#include <tunables/global>
+
+/usr/sbin/kopano-server {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/mysql>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ /var/lib/kopano/attachments/ r,
+ /var/lib/kopano/attachments/** rw,
+ /var/log/kopano/server.log rw,
+
+ /etc/kopano/userscripts/* Cxr -> kopano_userscripts,
+
+ # There's little we can do if the server is allowed to run
+ # arbitrary scripts
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.kopano-server>
+}
|
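Review bot: The `kopano_userscripts` child profile grants bare `file,` and `network,`, so anything reached through the `Cxr` transition from `/etc/kopano/userscripts/*` is limited only by the absence of capability rules and can still write to the script directory and to `/etc/kopano/server.cfg` wherever DAC permits. Assuming no shipped script needs to write there, I would add `deny /etc/kopano/** w,` and `deny /etc/apparmor.d/** w,` inside the child profile, so a misbehaving script cannot change what the server executes or how it is confined on the next start. The existing comment could also state that this is the intended boundary, and the parent's `capability dac_override,` and `capability dac_read_search,` deserve a one-line comment saying which operation needs them, since with those two the path rules are the only file-access control left. Separately, `/usr/lib/x86_64-linux-gnu/kopano/*.so m,` hard-codes one architecture; `/usr/lib/@{multiarch}/kopano/*.so m,` would cover the others, and `tunables/global` is already included.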