policy_module(owncloud, 0.0.7)

# External types named directly in the raw allow rules below.
require {
	type etc_t;
	type httpd_sys_content_t;
}

########################################
#
# Declarations
#

# NOTE(review): owncloud_roles is declared but never referenced in this
# file - confirm a companion interface file uses it.
attribute_role owncloud_roles;

# owncloud_t is the confined process domain and owncloud_exec_t labels its
# entry point executable. init_system_domain registers the pair as a
# system domain started from init.
type owncloud_t;
type owncloud_exec_t;
init_system_domain(owncloud_t, owncloud_exec_t)

########################################
#
# Local policy: access to the domain's own objects
#

# Pipes and sockets the domain creates for itself. The permission sets are
# spelled out explicitly and contain no listen or accept, so the domain
# acts only as a client on these socket classes.
allow owncloud_t self:fifo_file { getattr ioctl read };
allow owncloud_t self:unix_stream_socket { connect create read write };
allow owncloud_t self:tcp_socket { connect create getattr getopt read setopt shutdown write };
allow owncloud_t self:udp_socket { connect create getattr read write setopt };
allow owncloud_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

########################################
#
# Kernel layer
#

kernel_read_kernel_sysctls(owncloud_t)
kernel_read_system_state(owncloud_t)

# NOTE(review): these are exec interfaces, so generic binaries and the
# shell run inside owncloud_t with all of its permissions rather than
# transitioning to another domain. Confirm a shell is really required.
corecmd_exec_bin(owncloud_t)
corecmd_exec_shell(owncloud_t)

# Outbound TCP is limited to ports labelled as http and ldap.
corenet_tcp_connect_http_port(owncloud_t)
corenet_tcp_connect_ldap_port(owncloud_t)

files_read_etc_files(owncloud_t)
files_search_pids(owncloud_t)
files_search_var(owncloud_t)

# NOTE(review): both interfaces act on the generic tmp type, which is
# shared with other domains. A private tmp type with a type transition
# would keep this domain's temporary files apart from everyone else.
files_manage_generic_tmp_dirs(owncloud_t)
files_manage_generic_tmp_files(owncloud_t)

# map is a separate permission from read and is needed to mmap files
# labelled etc_t.
allow owncloud_t etc_t:file map;

########################################
#
# System layer
#

# NOTE(review): read_all_certs covers every certificate type, not only
# the generic one. Check whether miscfiles_read_generic_certs is enough.
miscfiles_read_all_certs(owncloud_t)
miscfiles_read_localization(owncloud_t)

sysnet_read_config(owncloud_t)

########################################
#
# Services
#

# NOTE(review): manage grants create, write and delete on web server
# system content. If application code carries the same label as uploaded
# data, this domain can modify code that the web server later runs.
# Consider a separate read-write label for data - TODO confirm labelling.
apache_manage_sys_content(owncloud_t)
allow owncloud_t httpd_sys_content_t:file map;

# Database access goes through the local mysql stream socket only. No
# rule in this file allows connecting to a mysql TCP port.
mysql_stream_connect(owncloud_t)

########################################
#
# Optional integrations
#

# Applies only when the cron module is present and lets system cron jobs
# enter owncloud_t through owncloud_exec_t.
optional_policy(`
	cron_system_entry(owncloud_t, owncloud_exec_t)
')