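# Last modified 2021-01-30
#
# Local SELinux policy module (audit2allow-style output) for a web gallery
# application whose CGI/PHP scripts run in the Apache script domain
# httpd_sys_script_t.
#
# Formatting fix: the module had been collapsed onto three physical lines, so
# the leading "# Last modified" comment swallowed the module declaration, the
# require block and the first rules, and the text of the two "#!!!!" boolean
# annotations was left uncommented in front of the following allow rules.
# Restored to one statement per line; the two "class process" entries of the
# require block are merged into one. No allow rule was added or removed.
#
# NOTE(review): the httpd_sys_script_t section grants the web script domain
# rights that are normally reserved for authentication helpers and init:
# reading shadow_t (/etc/shadow), passwd rootok, the setuid/setgid/
# dac_read_search/net_admin/audit_write/sys_resource capabilities, audit and
# SELinux netlink sockets, write access to security_t, setfscreate and
# execute/map on tmpfs_t and gconf_home_t files. Taken together they remove
# most of the confinement httpd_sys_script_t is meant to provide: a
# compromised script in this domain could read password hashes and interact
# with the kernel security layer. The set looks like what an in-process PAM
# stack (pam_unix/unix_chkpwd, pam_loginuid, pam_selinux, pam_systemd,
# pam_sss) would require -- if that is the cause, prefer authenticating
# outside the CGI domain (a dedicated helper domain, or Apache's own PAM path
# governed by the httpd_mod_auth_pam boolean) and drop these grants rather
# than loading them. Each rule below is annotated so it can be justified or
# removed individually.

module gallery 1.0;

require {
	type faillog_t;
	type security_t;
	type httpd_config_t;
	type init_t;
	type sssd_t;
	type mnt_t;
	type lastlog_t;
	type systemd_logind_sessions_t;
	type initrc_var_run_t;
	type tmpfs_t;
	type gconf_home_t;
	type chkpwd_t;
	type systemd_logind_t;
	type unconfined_t;
	type shadow_t;
	type httpd_sys_script_t;
	type sssd_selinux_manager_t;
	type sssd_conf_t;
	type var_t;
	type httpd_t;
	class capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
	# merged: the original required "class process" twice (once with setfscreate)
	class process { noatsecure rlimitinh setfscreate setrlimit siginh };
	class netlink_audit_socket { create nlmsg_relay read write };
	class netlink_selinux_socket { bind create };
	class passwd rootok;
	class dir { add_name read remove_name search write };
	class file { create execute execute_no_trans setattr getattr link lock map open read unlink write ioctl };
	class dbus send_msg;
	class fifo_file write;
	class security compute_av;
	class lnk_file read;
	class filesystem getattr;
}

#============= httpd_sys_script_t ==============

# Login accounting files (faillog/lastlog) - consistent with a PAM session
# stack running inside the script; harmless on their own but only needed if
# the authentication really has to happen in this domain.
allow httpd_sys_script_t faillog_t:file { open read };
allow httpd_sys_script_t lastlog_t:file { open read write };

# Writes to the generic var_t type. This normally means the application's
# data directory is not labeled with a web-writable type (e.g.
# httpd_sys_rw_content_t); relabeling that directory is the usual fix and
# is narrower than letting web scripts write any var_t file.
allow httpd_sys_script_t var_t:file { create ioctl setattr unlink write };
allow httpd_sys_script_t var_t:dir { read add_name remove_name write };

# Executing and mapping files under gconf_home_t (per-user configuration
# data) from a CGI script is unusual and is likely mislabeled content;
# review the path that triggered the denial before granting execute.
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_sys_script_t gconf_home_t:file map;
allow httpd_sys_script_t gconf_home_t:file { execute execute_no_trans };

allow httpd_sys_script_t httpd_config_t:dir search;
allow httpd_sys_script_t initrc_var_run_t:file { lock open read };
allow httpd_sys_script_t mnt_t:lnk_file read;

# Direct access to selinuxfs (security_t), including write and compute_av,
# plus setfscreate below: this is what pam_selinux / libselinux context
# handling does. A web script domain should not need to query or influence
# access decisions.
allow httpd_sys_script_t security_t:dir read;
allow httpd_sys_script_t security_t:file { getattr open read write };
allow httpd_sys_script_t security_t:security compute_av;

# Privileged capabilities for the web script domain. setuid/setgid and
# dac_read_search bypass ownership and DAC checks; net_admin and
# audit_write (with the audit netlink socket below) are administrative.
# Remove unless each one is individually justified.
allow httpd_sys_script_t self:capability { audit_write dac_read_search net_admin setgid setuid sys_resource };
allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay read write };
allow httpd_sys_script_t self:netlink_selinux_socket { bind create };

# passwd rootok is the permission consulted by root-ok style PAM checks;
# granting it to web scripts is a privilege-escalation risk.
allow httpd_sys_script_t self:passwd rootok;
allow httpd_sys_script_t self:process setrlimit;

# Read access to /etc/shadow (password hashes) from the web script domain.
# This is the single most dangerous rule in the module; password
# verification should be delegated to a helper domain instead.
allow httpd_sys_script_t shadow_t:file { getattr open read };

# sssd configuration read (pam_sss / nss) - exposes sssd.conf contents to
# web scripts.
allow httpd_sys_script_t sssd_conf_t:dir search;
allow httpd_sys_script_t sssd_conf_t:file { getattr open read };

# Session registration with systemd-logind (pam_systemd behaviour).
allow httpd_sys_script_t systemd_logind_sessions_t:fifo_file write;
allow httpd_sys_script_t systemd_logind_t:dbus send_msg;

# Create, map and link files on tmpfs; combined with the map permission this
# lets the script domain place and map arbitrary content in shared memory.
allow httpd_sys_script_t tmpfs_t:dir { add_name remove_name write };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_sys_script_t tmpfs_t:file map;
allow httpd_sys_script_t tmpfs_t:file { create getattr link open read unlink write };
allow httpd_sys_script_t tmpfs_t:filesystem getattr;

# Setting the file-creation context (see security_t note above).
allow httpd_sys_script_t self:process setfscreate;

#============= init_t ==============
# Signal-state inheritance across domain transitions started by init.
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_t:process siginh;

#============= sssd_t ==============
allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };

#============= systemd_logind_t ==============
# Reply direction of the logind D-Bus exchange granted above.
allow systemd_logind_t httpd_sys_script_t:dbus send_msg;

#============= httpd_t ==============
# Apache itself reading/mapping generic var_t files - same labeling concern
# as the var_t rules for the script domain.
allow httpd_t var_t:file { getattr map open read };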