add content

sec-policy/selinux-nextcloud/files/nextcloud.te

@@ -0,0 +1,57 @@
+policy_module(nextcloud, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+########################################
+#
+# lego local policy
+#
+
+gen_require(`
+       type phpfpm_t;
+       type phpfpm_tmp_t;
+       type etc_t;
+       type cert_t;
+       type httpd_sys_content_t;
+       type httpd_sys_rw_content_t;
+       class file { map open read };
+       class process sigkill;
+       class shm { create destroy read unix_read unix_write write };
+')
+
+optional_policy(`
+    gen_require(`
+       type system_cronjob_t;
+       type phpfpm_exec_t;
+    ')
+    cron_system_entry(phpfpm_t, phpfpm_exec_t)
+')
+
+corenet_udp_bind_generic_node(phpfpm_t)
+corenet_tcp_connect_http_port(phpfpm_t)
+# Allow to connect to IMAP/SMTP
+corenet_tcp_connect_pop_port(phpfpm_t)
+corenet_tcp_connect_smtp_port(phpfpm_t)
+
+fs_rw_hugetlbfs_files(phpfpm_t)
+allow phpfpm_t hugetlbfs_t:file map;
+
+allow phpfpm_t etc_t:file map;
+allow phpfpm_t phpfpm_tmp_t:file map;
+allow phpfpm_t httpd_sys_content_t:file map;
+allow phpfpm_t httpd_sys_rw_content_t:file map;
+
+allow phpfpm_t cert_t:file { open read };
+
+allow phpfpm_t self:process sigkill;
+allow phpfpm_t self:shm { create_shm_perms r_shm_perms };
+
+files_search_var(phpfpm_t)
+userdom_list_user_home_content(phpfpm_t)
+userdom_read_user_home_content_files(phpfpm_t)
+files_search_mnt(phpfpm_t)
+
+files_dontaudit_list_var(phpfpm_t)