policy_module(webadm, 1.1.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow webadm to manage files in users home directories
## </p>
## </desc>
gen_tunable(webadm_manage_user_files, false)
## <desc>
## <p>
## Allow webadm to read files in users home directories
## </p>
## </desc>
gen_tunable(webadm_read_user_files, false)
role webadm_r;
userdom_base_user_template(webadm)
########################################
#
# webadmin local policy
#
allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
files_dontaudit_search_all_dirs(webadm_t)
files_manage_generic_locks(webadm_t)
files_list_var(webadm_t)
selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
apache_admin(webadm_t, webadm_r)
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
userdom_read_user_tmp_files(webadm_t)
userdom_write_user_tmp_files(webadm_t)
')
tunable_policy(`webadm_read_user_files',`
userdom_read_user_home_content_files(webadm_t)
userdom_read_user_tmp_files(webadm_t)
')