# rocci_server: local SELinux policy module for rOCCI-server running under
# Phusion Passenger (passenger_t) behind httpd (httpd_t).  Every rule below
# extends the distribution policy; the requires list only declares the types
# and classes the rules refer to.
module rocci_server 1.0;

require {
    type anon_inodefs_t;
    type home_root_t;
    type httpd_t;
    type hwdata_t;
    type lib_t;
    type locale_t;
    type man_t;
    type memcache_port_t;
    type passenger_t;
    type passenger_tmp_t;
    type passenger_var_run_t;
    type sysfs_t;
    type var_log_t;
    class capability2 block_suspend;
    class dir { open read search };
    class file { execute execute_no_trans getattr open read write };
    class lnk_file read;
    class sock_file write;
    class tcp_socket { listen name_connect };
    class unix_stream_socket { getattr read write };
    class process { getsession signull };
}

#============= httpd_t ==============
# httpd talks to Passenger over its socket in the passenger tmp dir.
allow httpd_t passenger_tmp_t:sock_file write;

#============= passenger_t ==============
# -- file system / locale / docs lookups --
allow passenger_t anon_inodefs_t:file { read write };
allow passenger_t home_root_t:dir search;
allow passenger_t locale_t:file { getattr open read };
allow passenger_t man_t:dir { open read };
allow passenger_t var_log_t:lnk_file read;

# -- code execution --
# Execute library files without a domain transition (stays in passenger_t).
allow passenger_t lib_t:file execute_no_trans;
# Needed only to compile and load passenger_native_support.so from the
# runtime directory.  The rOCCI-server package in Fedora/EPEL does not need
# this, so drop the rule when the module is built for that package: it lets
# files in a writable runtime directory be executed by the web app domain.
allow passenger_t passenger_var_run_t:file execute;

# -- networking / IPC --
# The httpd_can_network_memcache boolean exists, but it is not intended for
# passenger, hence an explicit rule.
allow passenger_t memcache_port_t:tcp_socket name_connect;
allow passenger_t self:tcp_socket listen;
allow passenger_t self:process { getsession signull };
allow passenger_t httpd_t:unix_stream_socket getattr;

# -- rules added without AVC denials to back them --
# Needed for #1029132; fixed in the distribution policy since
# selinux-policy-3.12.1-183.fc20, so this pair becomes redundant there.
allow passenger_t httpd_t:unix_stream_socket { read write };

# Exception handling paths touch hwdata and sysfs; the block_suspend
# capability is part of the same undocumented set.
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { getattr open read };
allow passenger_t sysfs_t:dir read;
allow passenger_t sysfs_t:file { getattr open read };
allow passenger_t sysfs_t:lnk_file read;
allow passenger_t self:capability2 block_suspend;