
SElinux policy of calibre-server under /opt/ (created in CentOS 8)


INSTALLATION via repository

This git-repo contains the files needed to create accompanying RPM files for CentOS/RHEL8 (el8).

The compiled SElinux policy module should also work on Fedora, and maybe even earlier versions of CentOS.

A complete version of the resulting RPM file can be found in my technoholics-repo: https://dev.techno.holics.at/technoholics-repo/

Easy installation with technoholics-repo


This selinux policy module can be used in two modes:

  • more secure: calibre and its data run in /opt/calibre/ and /opt/home/calibre/ respectively; tmp files go into a locked-down, calibre-only /opt/home/calibre/tmp/
  • much less secure: calibre and its data run in /home/calibre/ and /home//Calibre Library respectively; tmp files go into the system-wide /tmp/

Setup for a "more secure" environment

  1. Setup directories:

    mkdir -p /opt/home/calibre/{.cache,.config,tmp,"Calibre Library"}/ /opt/calibre/

To use calibre-only temp files:

    mkdir -p /opt/home/calibre/tmp

Alternatively you can put these in /opt/calibre/tmp/ .

  1. Create an environment file, to be included in the init script / SystemD unit file, that points to the temp directory Calibre should use:

cat<<EOF >/etc/sysconfig/calibre-server

Setup for "much less secure" default environment

Nothing to do.

SystemD integration for calibre-server

Example SystemD unit file:

cat<<EOF > /etc/systemd/system/calibre-server.service
[Unit]
Description=Calibre server headless edition
After=network-online.target time-sync.target

[Service]
#SuccessExitStatus=5 6
WorkingDirectory=/opt/home/calibre/Calibre Library/
ExecStart=/opt/calibre/calibre-server --port=9080 --log=/var/log/calibre-server.log "/opt/home/calibre/Calibre Library/"
EOF



Remember to adapt the WorkingDirectory and ExecStart parameters if your Calibre Library is not in /opt/home/calibre/Calibre Library/.

Then activate the new SystemD unit file by reloading the daemon:

    systemctl daemon-reload

  1. Reset SElinux contexts on the affected directories (can also be used for debugging, i.e. if something that should work doesn't work):

    restorecon -vR /opt/ /home/

  1. Restart calibre-server:

    service calibre-server restart

  1. Test your calibre-server by pointing your browser to http://your.hostname:9080/ (Calibre should be shown to you).

You can now be done with this.

Additional things

  1. Alternatively, you can hide your calibre-server from direct internet access by setting up a reverse proxy (Apache or NginX) in front of it.

For Apache, your configuration would (presumably) have to be extended like so:

cat<<EOF >> yourconf.conf
     AllowEncodedSlashes     On
     ProxyPass               "/"     ""
     ProxyPassReverse        "/"     ""

  1. If you also want to password-protect the calibre instance, you can add this to your virtualhost configuration:

cat<<EOF >> yourconf.conf
          Allow from all
          AuthType Basic
          AuthName "Calibre-auth"
          AuthUserFile /etc/httpd/.htpasswd.users
          Require user calibre

Remember to create a user in /etc/httpd/.htpasswd.users by using the htpasswd command:

htpasswd /etc/httpd/.htpasswd.users calibre

Congrats, you should now have a better secured calibre-server instance running with SElinux and HTTP Basic authentication behind a reverse proxy!


Do not put anything of value in /opt/calibre/ !

The default update script under https://download.calibre-ebook.com/linux-installer.sh will happily delete /opt/calibre/ completely and start from scratch, even if it means killing the installer itself.

It is a mean script of the type "let's hope no one ever roots my webserver and adds stuff to the installer script.. or edits calibre files manually".

Creating an rpm, deb, etc. would have been much better.. or if everything else fails, at least they could have used npm.

Thus, for now, be very wary of using the original calibre-update script on any machine you still want to use later on.
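
One way to reduce both risks described above, as an added example that is not this repository's calibre-update.sh: download the installer to a file, run it only if it still matches a SHA-256 you recorded after reading it, and carry the two files this page places in /opt/calibre/ across the wipe. The function names and the pinned-hash workflow are assumptions of this example.

```sh
#!/bin/sh
# Added example, NOT the repository's calibre-update.sh: run the upstream
# installer only if it still matches the copy you reviewed, and carry the
# files this page places in /opt/calibre/ across the wipe.
INSTALLER_URL="https://download.calibre-ebook.com/linux-installer.sh"
INSTALL_DIR="/opt/calibre"
KEEP_FILES="calibre-update.sh calibre_safer_installer.patch"

# verify_pinned FILE SHA256: succeed only if FILE hashes to the pinned value.
# An empty pin or an unreadable file counts as a mismatch.
verify_pinned() {
    vp_actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$2" ] && [ -n "$vp_actual" ] && [ "$vp_actual" = "$2" ]
}

# copy_keepers SRC DST: copy the KEEP_FILES present in SRC to DST and
# print how many were copied.
copy_keepers() {
    ck_n=0
    mkdir -p "$2" || return 1
    for ck_f in $KEEP_FILES; do
        [ -f "$1/$ck_f" ] || continue
        cp -p "$1/$ck_f" "$2/$ck_f" || return 1
        ck_n=$((ck_n + 1))
    done
    echo "$ck_n"
}

# update_calibre SHA256: download to a file, verify, then install (as root).
update_calibre() {
    uc_work=$(mktemp -d) || return 1
    curl -fsSL -o "$uc_work/installer.sh" "$INSTALLER_URL" || return 1
    if ! verify_pinned "$uc_work/installer.sh" "$1"; then
        echo "installer differs from the reviewed copy; see $uc_work" >&2
        return 1
    fi
    copy_keepers "$INSTALL_DIR" "$uc_work/keep" >/dev/null || return 1
    sh "$uc_work/installer.sh" || return 1
    copy_keepers "$uc_work/keep" "$INSTALL_DIR" >/dev/null || return 1
    restorecon -vR "$INSTALL_DIR"   # same relabel step as in the setup above
    rm -rf "$uc_work"
}
```

Record the pin by running sha256sum on a downloaded copy after you have read it, then call update_calibre with that value; a mismatch leaves the new installer in the temp directory so it can be diffed against the reviewed one.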

Slightly safer calibre-update.sh script

The following script MIGHT do things a little more safely.

This file should be at /opt/calibre/calibre-update.sh after installing the SElinux module.

Patch file needed for said update script

This file should be at /opt/calibre/calibre_safer_installer.patch after installing the SElinux module.
