module baculum 1.0;

require {
	type postgresql_port_t;
	type mysqld_port_t;
	type httpd_t;
	type bacula_etc_t;
	type unreserved_port_t;
	type hplip_port_t;
	type sudo_exec_t;
	type httpd_cache_t;
	class tcp_socket { name_bind name_connect };
	class dir { search read write create getattr };
	class file { read write create getattr open execute };
	class netlink_audit_socket { write nlmsg_relay create read };
	class capability { audit_write sys_resource };
}

#============= httpd_t ==============

allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t postgresql_port_t:tcp_socket name_connect;
allow httpd_t unreserved_port_t:tcp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_connect;
allow httpd_t hplip_port_t:tcp_socket name_connect;
allow httpd_t bacula_etc_t:dir search;
allow httpd_t bacula_etc_t:file getattr;
allow httpd_t bacula_etc_t:file { read open };
allow httpd_t sudo_exec_t:file { read execute open };
allow httpd_t httpd_cache_t:dir { read create };
allow httpd_t httpd_cache_t:file { read write create };
allow httpd_t self:netlink_audit_socket { write nlmsg_relay create read };
allow httpd_t self:capability { audit_write sys_resource };