EPrints Documentation - User contributions [en-gb]

Shibboleth Debug Logging

2025-11-17T11:28:06Z

LukeWallin:

As described on the main [[Shibboleth]] page. EPrints uses the Shibboleth Service Provider (SP) provided by shibboleth.net. This includes a logger that can be configured at '''/etc/shibboleth/shibd.logger''' and which logs to '''/var/log/shibboleth/shibd.log'''. This typically only logs errors and warnings and the occasionally informationl log message, typically when starting or stopping. However, if you are having problems with the Shibboleth SP, particularly when setting up, it may be useful to enable debug. To do this

1. Edit the '''/etc/shibboleth/shibd.logger''' and uncomment the following lines:
# tracing of SAML messages and security policies
#log4j.category.OpenSAML.MessageDecoder=DEBUG
#log4j.category.OpenSAML.MessageEncoder=DEBUG
#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
#log4j.category.XMLTooling.SOAPClient=DEBUG
# interprocess message remoting
#log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
#log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
#log4j.category.Shibboleth.SessionCache=DEBUG
# persistent storage and caching
#log4j.category.XMLTooling.StorageService=DEBUG
So they look like
# tracing of SAML messages and security policies
log4j.category.OpenSAML.MessageDecoder=DEBUG
log4j.category.OpenSAML.MessageEncoder=DEBUG
log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
log4j.category.XMLTooling.SOAPClient=DEBUG
# interprocess message remoting
log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
log4j.category.Shibboleth.SessionCache=DEBUG
# persistent storage and caching
log4j.category.XMLTooling.StorageService=DEBUG

2. Test the Shibboleth SP is correctly configured
shibd -t

3. Restart the Shibboleth SP
systemctl restart shibd

There is various debugging that has been enabled by these changes. Particularly useful are the first two line:
log4j.category.OpenSAML.MessageDecoder=DEBUG
log4j.category.OpenSAML.MessageEncoder=DEBUG
This will allow you to see the XML messages sent to and from the Shibboleth Identity Provider (IdP), such as MicroSoft Entra or OpenAthens.

== Debugging User Attributes Mapping Issues ==
This debugging can be particularly useful if you are trying to work attributes in your attribute-map.xml are not being mapped as expected. If you tail the log file '''/var/log/shibboleth/shibd.log''' and then try to login using the Shibboleth, you should see a line in the logs that starts:
<samlp:Response ...
If you copy the whole of that line into a text file in /tmp/ and save it. Then you can run xmllint on it to format the output. E.g.
xmllint --format /tmp/saml-response.xml
If attributes are being mapped, in the formatted output you should be able to see section that starts with an '''AttributeStatment''' XML tag. E.g.
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>01234567-89ab-cdef-0123-456789abcdef</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>fedcba98-7654-3210-fedc-ba9876543210</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/89abcdef-0123-4567-89ab-cdef01234567/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
<Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
<AttributeValue>j.bloggs@example.org</AttributeValue>
</Attribute>
<Attribute Name="urn:oid:2.5.4.4">
<AttributeValue>Bloggs</AttributeValue>
</Attribute>
<Attribute Name="urn:oid:2.5.4.42">
<AttributeValue>Joe</AttributeValue>
</Attribute>
</AttributeStatement>
If you cannot find users attributes you are expecting to see based on what you have configurured in your Shibboleth SP's attribute-map.xml, then you will need to get the maintainer of Shibboleth IdP to make sure these attributes are released or otherwise release attributes that store the sane user metadata. At this point you can re-run this debugging to see what user attributes you are now getting and update your Shibboleth SP's attribute-map.xml as appropriate.

'''When you have finished debugging. It is sensible to comment out the debug lines in '''/etc/shibboleth/shibd.logger''' again and restart the Shibboleth SP.'''

Branding with confidence

2025-05-01T13:44:58Z

LukeWallin: /* Changing the theme */

[[Category:Branding]]

One of the most common EPrints customisations is to add your own institution's branding and "look and feel" to the interface - this may include logos, page layouts, stylesheets and colour schemes.

It is generally advised that you have command line access to the server so you can add/edit these files for branding directly. Alternatively you may have some means of mapping EPrints on a network drive so you can edit these files with a graphical text editor or your own computer. It is possible to use the ''Config. Tools -> View Configuration'' section of the EPrints Admin web interface. However, this is discouraged, as anything beyond minor changes runs the risk of breaking EPrints in a way where you can no longer access these ''View Configuration'' pages to revert the changes you have made.

__TOC__

==Branding fast track==

This section describes techniques for very quickly changing the appearance of your EPrints repository. These techniques could be useful, for example, to quickly brand a demonstration repository so that your audience can identify with it.

===Adding a logo===

'''Example 1'''

The simplest approach, (which will require command line access to the server, as this cannot be done safely through the ''Config. Tools -> View Configuration'' section of the EPrints Admin web interface), is to overwrite the default EPrints logo with a copy of your own logo. Copy your logo (e.g. using SCP or SFTP) to:

EPRINTS_PATH/archives/ARCHIVEID/cfg/static/images/sitelogo.png

And refresh the web page. Your logo should now be displayed in place of the default EPrints logo.

'''Example 2'''

The image that EPrints uses for the site logo is defined in the branding configuration file. You can change this setting to point to the logo image on your institution's Web page.

Open the branding configuration file in a text editor (e.g. Vim or Nano) if you are editing it from the command line:

EPRINTS_PATH/archives/ARCHIVEID/cfg/cfg.d/branding.pl

You can alternatively edit this file via the '''Config. Tools -> View Configuration''' section of the EPrints Admin web interface, under just:

cfg/cfg.d/branding.pl

Find the site_logo configuration setting:

<source lang="perl">
$c->{site_logo} = "/images/sitelogo.png";
</source>

Change the setting to point to your own logo image:

<source lang="perl">
$c->{site_logo} = "http://www.soton.ac.uk/img/furniture/royal/corp_logo.gif";
</source>

Reload the EPrints configuration by typing:

EPRINTS_PATH/bin/epadmin reload ARCHIVEID

If you are doing this via the EPrints Admin web interface click on the '''Reload Configuration''' button under the '''Config. Tools''' tab.

'''Example 3'''

You can also adjust the <tt>site_logo</tt> configuration setting to point any local image file using a text editor at the command line. Place a copy (e.g. using SCP of SFTP) of your logo image somewhere in the <tt>EPRINTS_PATH/archives/ARCHIVEID/cfg/static/images/</tt> directory and then update the branding configuration file to point to it.

<source lang="perl">
$c->{site_logo} = "/images/mylogo.gif";
</source>

Reload the EPrints configuration by typing:

EPRINTS_PATH/bin/epadmin reload ARCHIVEID

===Changing the theme===

Open the branding configuration file in a text editor:
(Note if this file does not exist, copy it from lib/cfg.d/branding.pl)

archives/ARCHIVEID/cfg/cfg.d/branding.pl

Find the theme configuration setting:

<source lang="perl">
# $c->{theme} = "green";
</source>

Change the setting to use the chosen theme.

<source lang="perl">
$c->{theme} = "green";
</source>

''Currently EPrints 3 only includes the default and "green" theme, but look out for more themes in future versions of EPrints and on the http://files.eprints.org/ community repository.

==Taking control==

This section describes techniques for taking complete control of the appearance of your repository.

===Changing the page layout===

Every page in your repository is displayed using a single template. A custom layout can be applied to your repository pages by editing this template.

Copy the default layout to your repository:

cp lib/templates/default.xml archives/ARCHIVEID/cfg/templates/default.xml

Open the template file for your repository:

archives/ARCHIVEID/cfg/templates/default.xml

The template is an XHTML file with some additional syntax (see [[API:EPrints/Apache/Template]]).

====Pins====

You will notice a number of epc:pin elements. These tell EPrints how to combine the template with page-specific content to build each individual page.

'''Example

<source lang="xml">
<div>
<div class="ep_tm_page_content">
<h1 class="ep_tm_pagetitle">
<epc:pin ref="title"/>
</h1>
<epc:pin ref="page"/>
</div>
</div>
</source>

This part of the template lays out the main content area of the page (the ''page'' pin) which is centered on the page.

You can incorporate the epc:pin elements however you like into your new layout (although note that the head pin should always be inside the head section of the template, and the pagetop pin should be at the start of the body section). You can also define new pins (see below).

====Configuration Strings====

There are also a number of epc:print elements in the default template which are useful for including configuration values in the template.

'''Example

<source lang="html4strict">
<style type="text/css" media="screen">@import url(<epc:print expr="$config{base_url}"/>/style/auto.css);</style>
</source>

This extract from the head section of the template shows how an epc:print element is used to refer to the base URL of the repository. This avoids hardcoding URLs into the template (which is good for maintainability - if the repository URL should change, you do not have to change the template).

Configuration values can also be used inside attributes, using the {...} syntax.

'''Example

<source lang="html4strict">
<a href="{$config{frontpage}}"><img alt="Logo" src="{$config{site_logo}}" /></a>
</source>

This extract shows how the URL of both the front page of the repository and the logo are derived from the configuration rather than being hard coded directly into the template.

====Template checklist====

A typical repository page layout will include:

# the correct XML declaration at the top of the file
# a head section (load default and custom stylesheets, ''title'' and ''head'' pins)
# a body section, containing:
## ''pagetop'' pin
## header (repository title and logo)
## navigation menu (links to browse, search etc.)
## quick search box
## toolbar (''login_status'' and ''toolbar'' pins)
## main content area (''title'' and ''page'' pins)
## footer (copyright notice etc.)

====Loading the new template====

Load your new template by running:

bin/epadmin reload ARCHIVEID

====Dealing with template errors====

A common cause of errors when loading a new template is that the template is not ''well formed''. The template is in XHTML syntax, and therefore must follow the rules for writing well-formed XML documents:

* http://en.wikipedia.org/wiki/XML#Well-formed_documents

'''Example

You get the following error when reloading the template:

parser error : Opening and ending tag mismatch: img line 25 and div

Open the template file, and look for an img tag on line 25:

<img src="/images/mylogo.gif">

The problem is that the img tag is opened, but there is no closing img tag. The img element is empty, so we can add a self-closing tag to make the eleemtn well formed:

<img src="/images/mylogo.gif" />

'''Example

parser error : Opening and ending tag mismatch: p line 60 and body

Open the template file and look for the p tag on line 60:

<pre>
<p>This repository is maintained by the <b>Library and Computing team</b>.
</pre>

There is no closing p tag. The p element is not empty, so we add a closing p tag at the end of the paragraph to make the element well formed:

<pre>
<p>This repository is maintained by the <b>Library and Computing team</b>.</p>
</pre>

===Adding extra images===

If your new layout requires additional images, or if you want to add additional images to the default layout, you need to place a copy of each image in your repository's image directory:

archives/ARCHIVEID/cfg/static/images/

'''Example

Place a copy of small_logo.gif in:

archives/ARCHIVEID/cfg/static/images/

Use the image in the template:

<source lang="html4strict">
<img src="{$config{base_url}}/images/small_logo.gif" />
</source>

===Working with stylesheets===

EPrints has [[EPrints_Directory_Structure/eprints3/lib/static/style/auto|several stylesheet files]], each of which contains style rules for a specific aspect of the repository. By default these stylesheets are applied to every repository page, in alphabetical order.

The default stylesheets can be found here:

lib/static/style/auto/

====Overriding default style rules====

You may decide that you want to override a particular rule in one of the default stylesheets. Rather than edit the default stylesheet directly (since the edited rule will then be applied to any other repositories running on the same server), you should override the rule in your repository's overrides file:

archives/ARCHIVEID/cfg/static/style/auto/zzz_local.css

Remember that the stylesheets are applied in alphabetical order, so this file will be applied last.

'''Example

<source lang="css">
h1 {
margin: 0px 0px 10px 0px;
font: bold 130% Arial,Sans-serif;
text-align: center;
color: #606060;
}
</source>

This rule is from general.css and defines how the h1 (heading level 1) element should be displayed (in the default template, h1 is used to display the title of the page).

Edit the local overrides file for your repository:

archives/ARCHIVEID/cfg/static/style/auto/zzz_local.css

Override the ''font'' part of the h1 style:

<source lang="css">
h1 {
font: bold 200% Arial,Sans-serif;
}
</source>

This renders the page title on each page in a larger font.

====Overriding default stylesheets====

If you want to override a default stylesheet in its entirety, you should copy it into your repository's stylesheet directory and edit it there.

'''Example

Make a copy of the default stylesheet general.css:

cp lib/static/style/auto/general.css archives/ARCHIVEID/cfg/static/style/auto/

Edit the repository copy:

archives/ARCHIVEID/cfg/static/style/auto/general.css

After making changes to the repository copy of general.css, apply the new stylesheet by running:

bin/generate_static ARCHIVEID

====Adding institutional stylesheets====

Your institutional Web site may already have a stylesheet or set of stylesheets that you want to apply to your repository.

Copy the institutional stylesheets into your repository stylesheet directory:

archives/ARCHIVEID/cfg/static/style/

Process the stylesheets by running:

bin/generate_static ARCHIVEID

The stylesheets are then available to use in the template file.

'''Example

<source lang="html4strict">
<head>
...
<style type="text/css" media="screen">@import url(<epc:print expr="$config{base_url}"/>/style/auto.css);</style>
<style type="text/css" media="screen">@import url(<epc:print expr="$config{base_url}"/>/style/my_inst.css);</style>
</source>

Here we add a stylesheet link to our institutional stylesheet my_inst.css to the head section of the template. Note that we apply my_inst.css ''after'' the repository stylesheets (applied in order by auto.css) so that the institutional style rules override the repository style rules.

====Adding extra style-related images====

If your new stylesheet requires additional images (eg. background images for tables or divs), you need to place a copy of each image in your repository style/image directory:

archives/ARCHIVEID/cfg/static/style/images/

Note that this keeps the style-related images separate from other images used by your repository pages, such as logos.

The images can then be used in your stylesheet.

===Adding dynamic content===

You can add dynamic content to the template by adding extra epc:pin elements.

Dynamic pins can be created in the dynamic template configuration file:

archives/ARCHIVEID/cfg/cfg.d/dynamic_template.pl

'''Example

Open the template file for your repository:

archives/ARCHIVEID/cfg/lang/en/templates/default.xml

Add a new pin called ''todays_date'' to the template; here we add the pin next to the user's login status:

<source lang="html4strict">
<div>
<div class="ep_tm_page_content">
<h1 class="ep_tm_pagetitle">
<epc:pin ref="title"/>
</h1>
<epc:pin ref="page"/>
<epc:pin ref="todays_date"/>
</div>
</div>
</source>

Open the dynamic template configuration file for your repository:

archives/ARCHIVEID/cfg/cfg.d/dynamic_template.pl

Find and uncomment the function that creates the content for the dynamic pins:

<source lang="perl">
$c->{dynamic_template}->{function} = sub {
my( $repository, $parts ) = @_;
};
</source>

Add a line which creates the content for the ''todays_date'' pin:

<source lang="perl">
$c->{dynamic_template}->{function} = sub {
my( $repository, $parts ) = @_;
$parts->{todays_date} = $repository->make_text( scalar localtime );
};
</source>

Reload the dynamic template configuration:

bin/epadmin reload ARCHIVEID

The date should now be displayed on your repository pages.

== See also ==
* [[Branding, the next level]]

User:LukeWallin

2025-02-18T15:21:50Z

LukeWallin:

Employee of EPrints Services.

EPrints and SELinux

2025-02-18T15:21:29Z

LukeWallin: /* Changing Directory Permissions and SELinux Contexts */

This page is intended to write a rough set of instructions for how to get a CentOS 7 system setup with SELinux enforcing so EPrints 3.4 (with site_lib) runs without any issues. This guidance will be applicable to other versions of CentOS as well as RHEL and Fedora. Furthermore, it may be applicable for enabling SELinux on other Linux operatings ystems.

'''N.B. All commands described below need to be run as the root user or using sudo.'''

== Apache Configuration ==
* Set the httpd user and group to Apache (rather than eprints like is currently used on our hosted CentOS 7 VMs) in '''/etc/httpd/conf/httpd.conf'''.
User apache
Group apache

== System Users and Groups ==
* Add eprints to the apache group and apache to the eprints group (so that '''/etc/group''' for these looks something like the following, order does not matter):
apache:x:48:eprints
eprints:x:1000:apache

== Changing Directory Permissions and SELinux Contexts ==
In general when a new EPrints root is deployed in /opt/eprints3/ this directory has been setup to have eprints as its owner and group with permissions set to 2775 (drwxrwsr-x). This should generally ensure that all subdirectories will share the same permissions when checked out from SVN/Git and all files will get the permissions 0664 (-rw-rw-r--). If directories of files to not have at least these permissions (with the exception of and SSL keys) then these permissions should be added. svn:executable should be set on appropriate files so when they are checked out they should have 0775 (-rwxrwxr-x) permissions.

What will need to be changed are the SELinux contexts of various directory. This is the list compiled so far for the changes required. It is assumed the command are run from the /opt/eprints3/ directory:

(if the directory does not exist, there is no need to run that line)

chcon -R -t httpd_sys_content_t archives/
chcon -R -t httpd_sys_content_t flavours/
chcon -R -t httpd_sys_content_t ingredients/
chcon -R -t httpd_sys_content_t site_lib/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/cfg/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/documents/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/html/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/var/
chcon -R -t httpd_sys_rw_content_t lib/
chcon -R -t httpd_sys_rw_content_t tmp/
chcon -R -t httpd_sys_rw_content_t var/

== Setting SELinux Booleans ==
You will definitely need to modify the SELinux boolean so that Apache (httpd) to be able to send email:
setsebool -P httpd_can_sendmail 1
Unless you are running an absolutely vanilla repository you will almost certainly need to allow APache (httpd) to connect to the network:
setsebool -P httpd_can_network_connect 1
In particular this should allow EPrints to connect to LDAP to authenticate user login and allow connecting to remote detabases. There are also the following options for these two things but ''httpd_can_network_connect'' should be sufficient.
setsebool -P httpd_can_connect_ldap 1
setsebool -P httpd_can_network_connect_db 1
By default the following booleans for httpd should be set on:
httpd_enable_cgi
httpd_builtin_scripting
httpd_graceful_shutdown
There is no need to turn any of these off. However, the ''httpd_builtin_scripting'' is probably not needed as ModPerl uses ''httpd_enable_cgi'', which definitely should not be turned off. Having ''httpd_graceful_shutdown'' is useful for reloading Apache after making changes to EPrints configuration.

== Extra settings for OpenOffice/Coversheets ==
'''This assumes switching to use packaged LibreOffice and UNO converter as detailed [[Coversheets#LibreOffice|here]].'''

* The following changes are need so that httpd can execute things for coversheets:

chcon -t httpd_sys_script_exec_t "/PATH/TO/stitchPDFs"
setsebool -P httpd_execmem 1

* Ensure the httpd can manage TCP port 2002 that OpenOffice listens on:
semanage port -a -t http_port_t -p tcp 2002

* Add executables and invocation lines for openoffice to /opt/eptints3/EPrints/SystemSettings.pm
# invocation
openoffice' => '/usr/lib64/libreoffice/program/soffice.bin',
# executable
openoffice' => '$(openoffice) "-accept=socket,host=localhost,port=2002;urp;StarOffice.ServiceManager" -norestore -nofirststartwizard -nologo -headless',

* Make sure $ENV{'HOME'} as well as $ENV{'TMPDIR'} is set to /opt/eprints3/tmp/ in the appropriate session.pl

== Extra settings for MePrints ==
chcon -t httpd_sys_rw_content_t "/opt/eprints3/archives/ARCHIVENAME/meprints"

== Testing ==
I have tested and have been able to successfully install the following Bazaar plugin:
* Dates, Dates, Dates
* Generic Reporting Framework
* IRStats2
* RIOXX2
* REFCC (hefce_oa)
* Coversheets
* OpenOffice
* MePrints
However there are some issue with OpenOffice saying it is running when it is not and not being able to get soffice.bin actually running as a result. You can upload and frontfile.odt file as a coversheet and this will get stored under cfg/static/coversheets/ in the archive.

If you install MePrints you subsequently need to create archives/ARCHIVENAME/meprints directory and then run:

chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/meprints/

Otherwise, the above Bazaar plugins need to be tested to make sure they are full functional along with other functionality of the repository like: the phrase editor, "edit this page", storage manger, subjects editor, send test email, etc.

== Policy file ==
First install the following packages:
yum install checkpolicy policycoreutils-python
Then put all these files under /home/eprints/policy/ and run '''redeploy_policy.sh''' as the root user:
bash /home/eprints/policy/redeploy_policy.sh
After this be sure to run '''restorecon''' on your EPrints path
restorecon -R /opt/eprints3

=== eprints.fc ===
It is assumed that the the path for your EPrints installation is ''/opt/eprints3'' if that is not the case or even that you have symlinked ''/opt/eprints3'' to where EPrints is actually installed the file below will not work as intended. However you can fix this with a simple find and replace.
# SELinux file contexts for EPrints

/opt/eprints3/archives(/.*)? unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/flavours(/.*)? unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/ingredients(/.*)? unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/site_lib(/.*)? unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/archives/[^/]*/bin(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/cfg(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/cgi(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/documents(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/html(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/var(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/lib(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/tmp(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/var(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0

=== eprints.te ===
module eprints 1.2;

require {
type cgroup_t;
type fusefs_t;
type http_port_t;
type httpd_sys_content_t;
type httpd_sys_rw_content_t;
type httpd_sys_script_exec_t;
type httpd_sys_script_t;
type httpd_t;
type init_t;
type modules_object_t;
type mysqld_db_t;
type mysqld_etc_t;
type mysqld_t;
type mysqld_var_run_t;
type nrpe_t;
type shadow_t;
type smtp_port_t;
type unconfined_service_t;
type var_run_t;
class dir { add_name create getattr open read remove_name rmdir search setattr write };
class file { create execute execute_no_trans getattr ioctl map open read rename unlink write };
class lnk_file { getattr read };
class sock_file { write };
class tcp_socket{ name_connect };
class unix_stream_socket { connectto };
}

# Required by the HTTP webserver
allow httpd_t http_port_t:tcp_socket { name_connect };
allow httpd_t httpd_sys_content_t:dir { add_name create remove_name setattr write };
allow httpd_t httpd_sys_content_t:file { create rename unlink write };
allow httpd_t smtp_port_t:tcp_socket { name_connect };
allow httpd_t unconfined_service_t:dir { getattr };

# Requiired by init processes
allow init_t httpd_sys_content_t:file { create execute execute_no_trans ioctl open read };
allow init_t httpd_sys_rw_content_t:dir { add_name remove_name };
allow init_t httpd_sys_rw_content_t:file { ioctl open read unlink write };
allow init_t mysqld_t:unix_stream_socket { connectto };

# Required for Icinga NRPE checks
allow nrpe_t httpd_sys_content_t:dir { read };
allow nrpe_t httpd_sys_content_t:file { getattr };
allow nrpe_t httpd_sys_rw_content_t:dir { search };
allow nrpe_t httpd_sys_rw_content_t:file { getattr open read };
allow nrpe_t modules_object_t:dir { search };
allow nrpe_t modules_object_t:file { getattr };
allow nrpe_t modules_object_t:lnk_file { getattr read };
allow nrpe_t mysqld_t:unix_stream_socket { connectto };
allow nrpe_t mysqld_db_t:dir { search };
allow nrpe_t mysqld_etc_t:dir { getattr open read search };
allow nrpe_t mysqld_etc_t:file { getattr open read };
allow nrpe_t mysqld_var_run_t:sock_file { write };

# Only needed for coversheets, considering commenting out otherwise.
allow httpd_t shadow_t:file { getattr open read };

# Only needed for Shibboleth authentication, consider commenting out otherwise.
allow httpd_t var_run_t:sock_file { write };

# Only needed for SSH FuseFS, consider commeting out otherwise.
allow httpd_t fusefs_t:dir { add_name create read remove_name rmdir setattr write };
allow httpd_t fusefs_t:file { create getattr ioctl map open read rename unlink write };

=== redeploy_policy.sh ===
#!/bin/bash

rm -f eprints.mod eprints.pp

# Build the policy package (.pp) file from type enforcement (.te) and file contexts (.fc) files.
checkmodule -M -m -o eprints.mod eprints.te
semodule_package -o eprints.pp -m eprints.mod -f eprints.fc

# Install it.
semodule -i eprints.pp