module local_zoneminder 1.1;

require {
        type afs_ka_port_t;
        type netsupport_port_t;
        type port_t;
        type presence_port_t;
        type postfix_pickup_t;
        type httpd_t;
        type var_lib_t;
        type ionixnetmon_port_t;
        type glance_port_t;
        type mmcc_port_t;
        type postfix_master_t;
        type commplex_port_t;
        type syslogd_port_t;
        type dcc_port_t;
        type sip_port_t;
        type amqp_port_t;
        type condor_port_t;
        type afs_fs_port_t;
        type nodejs_debug_port_t;
        type httpd_var_lib_t;
        type websm_port_t;
        type afs_pt_port_t;
        type postfix_qmgr_t;
        type git_port_t;
        type ipp_port_t;
        type aol_port_t;
	type unconfined_t;
	type kernel_t;
	type init_t;
	type auditd_t;
	type mysqld_t;
	type httpd_log_t;
	type syslogd_t;
	type httpd_t;
	type initrc_state_t;
	type initrc_t;
	type var_lib_t;
	type udev_t;
	type mysqld_safe_t;
	type sshd_t;
	type crond_t;
	type getty_t;
	type httpd_var_lib_t;
	type initrc_var_run_t;
	type tmpfs_t;
	type dhcpc_t;
	type v4l_device_t;
	type file_t;
	class sock_file { write create unlink };
	class unix_stream_socket { read connectto };
	class lnk_file { write create getattr read lock unlink };
	class dir search;
        class udp_socket name_bind;
	class file { write getattr read lock unlink open };
	class shm { unix_read unix_write associate read write getattr };
	class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t auditd_t:dir search;
allow httpd_t auditd_t:file { read getattr open };
allow httpd_t crond_t:dir search;
allow httpd_t crond_t:file { read getattr open };
allow httpd_t dhcpc_t:dir search;
allow httpd_t dhcpc_t:file { read getattr open };
allow httpd_t getty_t:dir search;
allow httpd_t getty_t:file { read getattr open };
allow httpd_t httpd_log_t:file write;
allow httpd_t httpd_var_lib_t:lnk_file { write getattr read lock unlink };
allow httpd_t init_t:dir search;
allow httpd_t init_t:file { read getattr open };
#!!!! The source type 'httpd_t' can write to a 'file' of the following types:
# squirrelmail_spool_t, dirsrvadmin_config_t, httpd_lock_t, dirsrv_config_t, httpd_tmp_t, dirsrvadmin_tmp_t, httpd_cache_t, httpd_tmpfs_t, httpd_squirrelmail_t, dirsrv_var_log_t, zarafa_var_lib_t, dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t, passenger_tmp_t, httpd_nutups_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_dspam_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, httpd_prewikka_rw_content_t, httpd_smokeping_cgi_rw_content_t, passenger_var_run_t, httpd_openshift_rw_content_t, httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpd_awstats_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, root_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t

allow httpd_t initrc_state_t:file { read write getattr unlink open };
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock open };
allow httpd_t kernel_t:dir search;
allow httpd_t kernel_t:file { read getattr open };
allow httpd_t mysqld_safe_t:dir search;
allow httpd_t mysqld_safe_t:file { read getattr open };
allow httpd_t mysqld_t:dir search;
allow httpd_t mysqld_t:file { read getattr open };
allow httpd_t sshd_t:dir search;
allow httpd_t sshd_t:file { read getattr open };
allow httpd_t syslogd_t:dir search;
allow httpd_t syslogd_t:file { read getattr open };
allow httpd_t tmpfs_t:sock_file write;
allow httpd_t udev_t:dir search;
allow httpd_t udev_t:file { read getattr open };
allow httpd_t unconfined_t:dir search;
allow httpd_t unconfined_t:file { read getattr open };
allow httpd_t var_lib_t:lnk_file { write getattr read lock unlink };
allow httpd_t v4l_device_t:chr_file getattr;
allow httpd_t afs_fs_port_t:udp_socket name_bind;
allow httpd_t afs_ka_port_t:udp_socket name_bind;
allow httpd_t afs_pt_port_t:udp_socket name_bind;
allow httpd_t amqp_port_t:udp_socket name_bind;
allow httpd_t aol_port_t:udp_socket name_bind;
allow httpd_t commplex_port_t:udp_socket name_bind;
allow httpd_t condor_port_t:udp_socket name_bind;
allow httpd_t dcc_port_t:udp_socket name_bind;
allow httpd_t git_port_t:udp_socket name_bind;
allow httpd_t glance_port_t:udp_socket name_bind;
allow httpd_t httpd_var_lib_t:lnk_file create;
allow httpd_t ionixnetmon_port_t:udp_socket name_bind;
allow httpd_t ipp_port_t:udp_socket name_bind;
allow httpd_t mmcc_port_t:udp_socket name_bind;
allow httpd_t netsupport_port_t:udp_socket name_bind;
allow httpd_t nodejs_debug_port_t:udp_socket name_bind;
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t postfix_master_t:dir search;
allow httpd_t postfix_master_t:file { read getattr open };
allow httpd_t postfix_pickup_t:dir search;
allow httpd_t postfix_pickup_t:file { read getattr open };
allow httpd_t postfix_qmgr_t:dir search;
allow httpd_t postfix_qmgr_t:file { read getattr open };
allow httpd_t presence_port_t:udp_socket name_bind;