policy_module(phpfpm_additional, 0.0.7)

require {
  type phpfpm_t;
  type etc_t;
  type httpd_sys_content_t;
  type phpfpm_tmp_t;
  type usr_t;
  type httpd_sys_ra_content_t;
}

type phpfpm_initrc_exec_t;
init_script_file(phpfpm_initrc_exec_t)

type phpfpm_unit_t;
init_unit_file(phpfpm_unit_t)

allow phpfpm_t self:process sigkill;

allow phpfpm_t phpfpm_tmp_t:lnk_file { create unlink };

miscfiles_read_all_certs(phpfpm_t)
miscfiles_read_fonts(phpfpm_t)

corecmd_exec_shell(phpfpm_t)

corenet_tcp_connect_pop_port(phpfpm_t)
corenet_tcp_connect_http_port(phpfpm_t)
corenet_tcp_connect_sieve_port(phpfpm_t)
corenet_tcp_connect_smtp_port(phpfpm_t)

files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, lnk_file)

apache_manage_sys_content(phpfpm_t)
manage_dirs_pattern(phpfpm_t, httpd_sys_ra_content_t, httpd_sys_ra_content_t)
fs_mmap_rw_hugetlbfs_files(phpfpm_t)

allow phpfpm_t etc_t:file map;
allow phpfpm_t httpd_sys_content_t:file map;
allow phpfpm_t phpfpm_tmp_t:file map;
allow phpfpm_t usr_t:file map;

mta_sendmail_exec(phpfpm_t)
mta_send_mail(phpfpm_t)
mta_signal_system_mail(phpfpm_t)

logging_send_syslog_msg(phpfpm_t)