policy_module(webadm)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether webadm can
##	manage generic user files.
##	</p>
## </desc>
gen_tunable(webadm_manage_user_files, false)

## <desc>
##	<p>
##	Determine whether webadm can
##	read generic user files.
##	</p>
## </desc>
gen_tunable(webadm_read_user_files, false)

role webadm_r;

userdom_base_user_template(webadm)

########################################
#
# Local policy
#

allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };

files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)

selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)

logging_send_audit_msgs(webadm_t)
logging_send_syslog_msg(webadm_t)

userdom_dontaudit_search_user_home_dirs(webadm_t)

apache_admin(webadm_t, webadm_r)

tunable_policy(`webadm_manage_user_files',`
	userdom_manage_user_home_content_files(webadm_t)
	userdom_read_user_tmp_files(webadm_t)
	userdom_write_user_tmp_files(webadm_t)
')

tunable_policy(`webadm_read_user_files',`
	userdom_read_user_home_content_files(webadm_t)
	userdom_read_user_tmp_files(webadm_t)
')

optional_policy(`
	dbus_role_template(webadm, webadm_r, webadm_t)
')