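policy_module(ttrss, 0.0.5)

# Policy for the ttrss_t service domain (presumably the Tiny Tiny RSS
# update daemon -- confirm against the packaged unit).
#
# Line structure is restored here: with the module on a single line,
# everything after the first comment marker is read as a comment, so none
# of the declarations or rules below would be compiled.

# External types named directly in the raw allow rules further down.
require {
	type etc_t;
	type httpd_sys_content_t;
	type shell_exec_t;
}

########################################
#
# Declarations
#

# NOTE(review): ttrss_roles is declared, but no statement in this module
# attaches a role or a type to it. Confirm it is still needed.
attribute_role ttrss_roles;

# Process domain and the label of its entry-point executable.
type ttrss_t;
type ttrss_exec_t;
# Registers ttrss_t as a system domain entered from init via ttrss_exec_t.
init_system_domain(ttrss_t, ttrss_exec_t)

########################################
#
# Local policy
#

# Sockets the domain may create and use for itself. There is no listen or
# accept permission on any class, so the domain is client-only.
# NOTE(review): the netlink_route and udp rules look like name-resolution
# plumbing; sysnet_dns_name_resolve is the usual interface for that -- confirm.
allow ttrss_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow ttrss_t self:tcp_socket { connect create getattr getopt read setopt write };
allow ttrss_t self:udp_socket { connect create getattr read write setopt };
allow ttrss_t self:unix_stream_socket { connect create read write };

# Outbound TCP: ports carrying only the generic port label, plus http ports.
# NOTE(review): the generic-port grant is a wide egress surface for a process
# that fetches remote content. Confirm which non-standard ports are really
# required and consider labelling those ports instead of allowing all of them.
corenet_tcp_connect_generic_port(ttrss_t)
corenet_tcp_connect_http_port(ttrss_t)

# Read-only access to system configuration and the CA certificate store.
files_read_etc_files(ttrss_t)
miscfiles_read_generic_certs(ttrss_t)

# Full manage access (create, write, delete) to web content labelled
# httpd_sys_content_t.
# NOTE(review): this lets the daemon rewrite anything the web server serves
# under that label, application code included. If only cache, lock or upload
# directories need writing, label those httpd_sys_rw_content_t and reduce
# this to a read-only interface such as apache_read_sys_content -- confirm
# against the AVC log before tightening.
apache_manage_sys_content(ttrss_t)

# Shell and generic binaries run inside ttrss_t with no domain transition,
# so every helper program inherits all permissions granted in this module.
# NOTE(review): corecmd_exec_shell further down appears to cover what
# corecmd_check_exec_shell grants; confirm and keep only one of them.
corecmd_check_exec_shell(ttrss_t)
corecmd_exec_bin(ttrss_t)

# Network configuration files and locale data.
sysnet_read_config(ttrss_t)
miscfiles_read_localization(ttrss_t)

# Database access over both TCP and the local MySQL stream socket.
mysql_tcp_connect(ttrss_t)
mysql_stream_connect(ttrss_t)

# Explicit map permission for files the domain already reads or executes.
# NOTE(review): presumably added from AVC denials on a policy that checks
# map separately -- confirm each one is still needed.
allow ttrss_t etc_t:file map;
allow ttrss_t httpd_sys_content_t:file map;

corecmd_exec_shell(ttrss_t)
allow ttrss_t shell_exec_t:file map;

# Only when the cron module is present: system cron jobs may enter ttrss_t
# by executing a file labelled ttrss_exec_t.
optional_policy(`
	cron_system_entry(ttrss_t, ttrss_exec_t)
')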