1 files changed, 50 insertions, 0 deletions

diff --git a/profiles/usr.sbin.kopano-search b/profiles/usr.sbin.kopano-search
new file mode 100644
index 0000000..6ee700b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-search
@@ -0,0 +1,50 @@
+# Last Modified: Fri Sep  8 14:49:47 2017
+#include <tunables/global>
+
+/usr/sbin/kopano-search {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/python>
+  #include <abstractions/user-tmp>
+
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability setgid,
+  capability setuid,
+
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/mounts r,
+  @{PROC}/@{pid}/status r,
+  @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+  deny /usr/lib/python2.7/dist-packages/kopano_search/*.pyc w,
+
+  # FIXME: it would be nice if search would use search- like pa
+  /dev/shm/* rwl,
+
+  /etc/gss/mech.d/ r,
+  /etc/gss/mech.d/*.conf r,
+
+  /lib/x86_64-linux-gnu/ld-*.so mr,
+  /usr/bin/python2.7 ix,
+  /usr/sbin/kopano-search r,
+
+  /etc/kopano/search.cfg r,
+
+  /bin/dash Pix,
+  /bin/rm Pix,
+  /sbin/ldconfig Pix,
+
+  /etc/mapi/ r,
+  /etc/mapi/kopano.inf r,
+  /etc/mapi/zcontacts.inf r,
+
+  /run/kopano/search.pid rw,
+  /run/kopano/search.pid.lock lrw,
+  /run/kopano/search.sock rw,
+  /run/kopano/*.*-* rw,
+
+  /var/lib/kopano/search/** rwlk,
+  /var/log/kopano/search.log rw,
+}