## <summary>Passenger policy</summary>

######################################
## <summary>
##	Execute passenger in the passenger domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`passenger_domtrans',`
	gen_require(`
		type passenger_t;
		type passenger_exec_t;
	')

	allow $1 self:capability { fowner fsetid };

	allow $1 passenger_t:process signal;

	domtrans_pattern($1, passenger_exec_t, passenger_t)
	allow $1 passenger_t:unix_stream_socket { read write shutdown };
	allow passenger_t $1:unix_stream_socket { read write };
')

######################################
## <summary>
##	Manage passenger var_run content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_manage_pid_content',`
	gen_require(`
		type passenger_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
')

########################################
## <summary>
##	Read passenger lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`passenger_read_lib_files',`
	gen_require(`
		type passenger_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
')