# Local SELinux policy module for rOCCI-server running under Phusion Passenger
# (passenger_t) behind Apache httpd (httpd_t).
#
# The rules were collected from AVC denials (except the "not audited" group
# near the end).  Where a stock policy boolean would also permit an access,
# the boolean is named in the comment above the rule, so the module can be
# trimmed if toggling the boolean is preferred to a local allow.
module rocci_server 1.0.1;

require {
	type anon_inodefs_t;
	type home_root_t;
	type httpd_t;
	type hwdata_t;
	type lib_t;
	type locale_t;
	type man_t;
	type memcache_port_t;
	type passenger_t;
	type passenger_log_t;
	type passenger_tmp_t;
	type passenger_var_lib_t;
	type passenger_var_run_t;
	type pki_ocsp_port_t;
	type sysfs_t;
	type var_log_t;
	class capability { fowner fsetid sys_resource sys_ptrace };
	class capability2 block_suspend;
	class dir { add_name open read search write };
	class file { create execute execute_no_trans getattr open read write };
	class lnk_file read;
	class process { getsession signull };
	class sock_file write;
	class tcp_socket { listen name_bind name_connect };
	class unix_stream_socket { getattr read write };
}

#============= httpd_t ==============
# httpd talks to Passenger over a socket in Passenger's temp directory.
allow httpd_t passenger_tmp_t:sock_file write;

# Fedora >= 22
# NOTE(review): the port httpd binds here is evidently labelled
# pki_ocsp_port_t; relabelling that port (semanage port) would make this
# rule unnecessary -- confirm which port this is.
allow httpd_t pki_ocsp_port_t:tcp_socket name_bind;
allow httpd_t passenger_log_t:dir { add_name write };
allow httpd_t passenger_log_t:file { create open };

# Alternatively covered by the boolean 'httpd_run_stickshift' (if anybody
# knows what that boolean does :-))
allow httpd_t passenger_var_lib_t:dir read;

# Process capabilities.  Alternative booleans, per permission:
#   fowner, sys_resource -- httpd_run_stickshift or httpd_setrlimit
#   fsetid               -- httpd_run_stickshift
#   sys_ptrace           -- no boolean noted; this is the broadest grant in the
#                           module, so confirm it is still required
allow httpd_t self:capability { fowner fsetid sys_resource sys_ptrace };

# Alternatively covered by one of the booleans: httpd_can_network_relay,
# httpd_can_network_memcache, httpd_can_network_connect
allow httpd_t memcache_port_t:tcp_socket name_connect;

#============= passenger_t ==============
allow passenger_t anon_inodefs_t:file { read write };
allow passenger_t home_root_t:dir search;
allow passenger_t httpd_t:unix_stream_socket getattr;
allow passenger_t lib_t:file execute_no_trans;
allow passenger_t locale_t:file { getattr open read };
allow passenger_t man_t:dir { open read };

# The httpd_can_network_memcache boolean exists, but it is meant for httpd_t,
# not for passenger_t.
allow passenger_t memcache_port_t:tcp_socket name_connect;

allow passenger_t self:process { getsession signull };
allow passenger_t self:tcp_socket listen;
allow passenger_t var_log_t:lnk_file read;

# Compiling and using passenger_native_support.so.
# Not needed for the rOCCI-server package in Fedora/EPEL -- executing files out
# of the run directory is worth dropping wherever that build step is unused.
allow passenger_t passenger_var_run_t:file execute;

# Rules that do not show up in the audit log :-(
# Needed for #1029132; fixed since selinux-policy-3.12.1-183.fc20
allow passenger_t httpd_t:unix_stream_socket { read write };

# Exception handling
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { getattr open read };
allow passenger_t self:capability2 block_suspend;
allow passenger_t sysfs_t:dir read;
allow passenger_t sysfs_t:file { getattr open read };
allow passenger_t sysfs_t:lnk_file read;