# Pull in the distribution's global tunables (@{HOME}, @{PROC}, ...) and pin
# the policy to the 4.0 feature ABI so later parser versions do not silently
# widen or narrow what the rules below mean.
include <tunables/global>
include <abi/4.0>

# Root of the Zammad checkout. Every application path rule in the three
# service profiles below is written relative to this variable, so changing
# the deployment location means changing only this line.
@{RAILS_ROOT}=/srv/www/webapps/zammad

# Confinement for the web front end. Anything not listed here is granted by
# the site-local <abstractions/zammad> include, which is not on this page —
# check that file before concluding a permission is missing or excessive.
profile /zammad/web {
  include <abstractions/zammad>
  # Read-only access to the bundler wrapper; the glob covers the
  # "ruby<major>.<minor>-<suffix>" naming of the installed wrapper.
  /usr/bin/bundler.ruby[0-9].[0-9]-* r,

  # `owner` restricts each file rule to files owned by the confined process's
  # own uid. Only the production log is writable from this profile.
  owner @{RAILS_ROOT}/log/production.log w,

  # Scratch state: read, write, hard-link (l) and file lock (k).
  owner @{RAILS_ROOT}/tmp/cache/** rwlk,
  owner @{RAILS_ROOT}/tmp/pids/** rwlk,

  # Upload and storage trees: read/write only, no link, lock, exec or map.
  owner @{RAILS_ROOT}/public/uploads/** rw,
  owner @{RAILS_ROOT}/storage/** rw,

  # General /tmp scratch space. NOTE(review): the second rule adds `m`
  # (map as executable) for /tmp/orcexec.* while the first rule already lets
  # the process write those same paths, so this is the one place in the
  # profile where self-written data can be mapped executable. Presumably
  # required by a JIT-style helper that creates orcexec.* files — confirm it
  # is still needed and keep the glob no wider than this.
  owner /tmp/** rwlk,
  owner /tmp/orcexec.* mr,
}

# Confinement for the websocket server. As with /zammad/web, the common
# grants live in the site-local <abstractions/zammad> include (not shown).
profile /zammad/websocket {
  include <abstractions/zammad>
  # Read-only access to the version-suffixed bundler wrapper.
  /usr/bin/bundler.ruby[0-9].[0-9]-* r,

  # Only the two websocket-server log files are writable; `owner` limits
  # every file rule here to files owned by the process's own uid.
  owner @{RAILS_ROOT}/log/websocket-server_out.log w,
  owner @{RAILS_ROOT}/log/websocket-server_err.log w,

  # Its own pid file and its own tmp tree: read, write, link (l), lock (k).
  owner @{RAILS_ROOT}/tmp/pids/websocket.pid rwlk,
  owner @{RAILS_ROOT}/tmp/websocket_production/** rwlk,

  # General /tmp scratch space. NOTE(review): as in /zammad/web, `m` on
  # /tmp/orcexec.* combined with write access to /tmp/** allows mapping
  # self-written files executable — presumably a JIT helper requirement;
  # confirm it is needed by this service at all.
  owner /tmp/** rwlk,
  owner /tmp/orcexec.* mr,
}

# Confinement for the background worker. This profile is deliberately wider
# than /zammad/web and /zammad/websocket (whole log/ and tmp/ trees, plus
# signal sending); common grants come from <abstractions/zammad> (not shown).
profile /zammad/worker {
  include <abstractions/zammad>
  # Read-only access to the version-suffixed bundler wrapper.
  /usr/bin/bundler.ruby[0-9].[0-9]-* r,

  # Write access to every log file, not just production.log as in /zammad/web.
  owner @{RAILS_ROOT}/log/** w,

  # Upload and storage trees: read/write only, no link, lock, exec or map.
  owner @{RAILS_ROOT}/public/uploads/** rw,
  owner @{RAILS_ROOT}/storage/** rw,

  # Whole tmp/ tree: read, write, link (l), lock (k).
  owner @{RAILS_ROOT}/tmp/** rwlk,

  # General /tmp scratch space. NOTE(review): `m` on /tmp/orcexec.* plus
  # write access to /tmp/** allows mapping self-written files executable
  # (same pattern as the other two service profiles) — confirm it is needed.
  owner /tmp/** rwlk,
  owner /tmp/orcexec.* mr,

  # May SIGTERM/SIGKILL processes confined by profiles matching /zammad//*.
  # NOTE(review): that pattern names child profiles of /zammad (such as
  # /zammad//bash below); it does not obviously cover the sibling profiles
  # /zammad/web and /zammad/websocket — confirm which peers are intended.
  signal send set=(term, kill) peer=/zammad//*,
  # Terminating unconfined processes is permitted but every use is logged
  # (`audit`), so expect an entry in the audit log each time this fires.
  audit signal send set=(term, kill) peer=unconfined,
}

# Namespace container for child profiles (/zammad/web, /zammad/websocket,
# /zammad/worker, /zammad//bash). No rules needed in the parent itself.
profile /zammad {
  # Child profile /zammad//bash: a minimal shell environment for helper
  # commands. It does not include <abstractions/zammad>, so it gets only the
  # generic base/console/name-resolution grants plus the two rules below.
  profile bash {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    # The shell binary itself: read and map executable (needed to run it).
    /bin/bash rm,

    # Execute sendmail under its own discrete profile with the environment
    # scrubbed (Px). If no profile for /usr/sbin/sendmail is loaded, the exec
    # is denied rather than run unconfined.
    /usr/sbin/sendmail Px,
  }
}
