##
## Local SELinux policy module "xymon": extra permissions for the web CGI
## domain (httpd_sys_script_t) and for the ping domain (ping_t).
##
## showgraph needs to flush rrd pipes (handled via sendto on the rrdctl sockets)
## httpd_cache_t is for /rep and /snap in /var/cache/xymon/
## ping_t is for fping input/output tmp files
#
## see also: http://fportase.wordpress.com/selinux-policies/nagios-and-rhel-5-xx-and-6-xx-working-with-selinux-enabled/
##
## NOTE(review): every target type below is a generic one (initrc_t,
## initrc_var_run_t, initrc_tmp_t, var_run_t, tmp_t, var_lib_t). The rules
## therefore apply to any object carrying those labels, not only to Xymon's
## own sockets and files. Presumably the Xymon daemons run in initrc_t because
## no dedicated domain exists for them -- confirm, and consider dedicated
## types if the grants need to be narrowed.
##

# NOTE(review): VERSION looks like a placeholder substituted at build or
# packaging time -- confirm before compiling this file directly.
module xymon VERSION;

require {
	type var_lib_t;
	type ping_t;
	type initrc_t;
	type tmp_t;
	type var_run_t;
	type httpd_cache_t;
	type initrc_tmp_t;
	type initrc_var_run_t;
	type httpd_sys_script_t;
	class unix_dgram_socket sendto;
	class sock_file write;
	class lnk_file create;
	class file { write getattr };
	# create_file_perms, list_dir_perms and manage_dir_perms are permission-set
	# macros, not native permission names; presumably the module is built
	# through the reference-policy m4 macros so they are expanded -- verify
	# against the build procedure.
	class file create_file_perms;
	class dir list_dir_perms;
	class dir manage_dir_perms;
}

#============= httpd_sys_script_t ==============
# Let CGI scripts list the two run-directory types (where the rrdctl sockets
# presumably live -- confirm the actual path and label).
allow httpd_sys_script_t { var_run_t initrc_var_run_t }:dir list_dir_perms;

# Datagram send to the rrdctl sockets (see header). The target is the whole
# initrc_t domain, so this permits sendto on a datagram socket of any process
# running in initrc_t.
allow httpd_sys_script_t initrc_t:unix_dgram_socket sendto;

# Write access to socket files labelled initrc_var_run_t, needed to address
# the datagram above.
allow httpd_sys_script_t initrc_var_run_t:sock_file write;

# Report and snapshot output under the httpd cache type (/rep and /snap per
# the header): manage directories, create files, create symlinks.
allow httpd_sys_script_t httpd_cache_t:dir manage_dir_perms;
allow httpd_sys_script_t httpd_cache_t:file create_file_perms;
allow httpd_sys_script_t httpd_cache_t:lnk_file create;

#============= ping_t ==============
# fping input/output tmp files (see header). Only write and getattr are
# granted, with no open permission; where the policy defines a separate open
# permission, ping_t can use only descriptors handed to it already open
# (e.g. redirected stdin/stdout). The grant still covers every file labelled
# tmp_t, initrc_tmp_t or var_lib_t.
allow ping_t { tmp_t initrc_tmp_t var_lib_t }:file { write getattr };