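policy_module(nextcloud, 1.0.0)

########################################
#
# Declarations
#
########################################

#
# nextcloud local policy
#
# Widens the existing php-fpm domain (phpfpm_t) so it can serve a
# Nextcloud instance.  The module declares no types of its own: every
# rule below is an additional grant to a domain defined elsewhere, so
# each one is an attack-surface decision for the web application.
#
# Header comment previously said "lego local policy"; fixed to match
# the module name.
#

# All types named in raw allow rules below must be required here.
# hugetlbfs_t was used by an allow rule but not listed; added.
gen_require(`
	type phpfpm_t;
	type phpfpm_tmp_t;
	type etc_t;
	type cert_t;
	type hugetlbfs_t;
	type httpd_sys_content_t;
	type httpd_sys_rw_content_t;
	class file { map open read };
	class process sigkill;
	class shm { create destroy read unix_read unix_write write };
')
# NOTE(review): the shm rule below uses the create_shm_perms and
# r_shm_perms permission sets, whose expansion is presumably wider than
# the class shm list above; the list is informational for the reader
# since the flask definitions are available at module build time.

########################################
#
# Local policy
#
########################################

# Let the system cron job (Nextcloud background jobs) execute php-fpm
# and transition into phpfpm_t.  Only applied when the cron module is
# present.
optional_policy(`
	gen_require(`
		type system_cronjob_t;
		type phpfpm_exec_t;
	')

	cron_system_entry(phpfpm_t, phpfpm_exec_t)
')

# Network: bind UDP sockets on generic node addresses and make outbound
# connections to http_port_t ports (e.g. federation, app store, OCSP).
corenet_udp_bind_generic_node(phpfpm_t)
corenet_tcp_connect_http_port(phpfpm_t)

# Allow to connect to IMAP/SMTP (mail app, notification mail).
corenet_tcp_connect_pop_port(phpfpm_t)
corenet_tcp_connect_smtp_port(phpfpm_t)

# Huge pages (opcache / shared memory backing).
fs_rw_hugetlbfs_files(phpfpm_t)
allow phpfpm_t hugetlbfs_t:file map;

# mmap of configuration, temp files and web content.  map on
# httpd_sys_rw_content_t is the broadest of these: writable content
# becomes mappable by the same domain that writes it.
allow phpfpm_t etc_t:file map;
allow phpfpm_t phpfpm_tmp_t:file map;
allow phpfpm_t httpd_sys_content_t:file map;
allow phpfpm_t httpd_sys_rw_content_t:file map;

# Read-only access to the system CA bundle (TLS verification of
# outbound connections).
allow phpfpm_t cert_t:file { open read };

# php-fpm master killing its own worker processes.
allow phpfpm_t self:process sigkill;

# SysV shared memory between php-fpm workers.
allow phpfpm_t self:shm { create_shm_perms r_shm_perms };

# Filesystem traversal for the data directory.
files_search_var(phpfpm_t)
files_search_mnt(phpfpm_t)
files_dontaudit_list_var(phpfpm_t)

# NOTE(review): the two grants below let the web application list and
# read the home content of every user, not just a Nextcloud data
# directory.  Confirm the data directory really lives under a user
# home; otherwise prefer a dedicated type for it and drop these.
userdom_list_user_home_content(phpfpm_t)
userdom_read_user_home_content_files(phpfpm_t)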