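# Pin the policy ABI first, before any include or rule. apparmor.d(5) documents
# this as an `abi` rule: it loads abi/4.0 as a *features file*, which is not
# policy text, so `include <abi/4.0>` is not the right directive for it.
abi <abi/4.0>,

include <tunables/global>

# Rails application root; every profile below grants paths relative to it.
@{RAILS_ROOT}=/srv/www/webapps/routenbuch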

# Web tier: the puma application server process.
profile /routenbuch/appserver {
  include <abstractions/routenbuch>

  # Versioned puma launcher; [0-9].[0-9] is the ruby minor version in the name.
  /usr/bin/puma.ruby[0-9].[0-9]-* r,

  # Writable state, limited by `owner` to files the process uid itself owns:
  # puma logs, user uploads and storage/ (presumably Active Storage).
  owner @{RAILS_ROOT}/log/puma{,.err}.log w,
  owner @{RAILS_ROOT}/{public/uploads,storage}/** rw,

  # Scratch space. Read the two rules together: /tmp/** is writable and
  # /tmp/orcexec.* is additionally mmap-executable (m), so this is a
  # write-then-map-executable path in /tmp. The orcexec.* pattern presumably
  # serves an ORC-style JIT used by a media library (verify which one needs
  # it); keep the pattern this tight and never extend `m` to all of /tmp.
  owner /tmp/** rwlk,
  owner /tmp/orcexec.* mr,
}

# Background job worker (sidekiq). Same writable state as the appserver,
# but no mmap-executable rule under /tmp here.
profile /routenbuch/sidekiq {
  include <abstractions/routenbuch>

  # Versioned sidekiq launcher; [0-9].[0-9] is the ruby minor version.
  /usr/bin/sidekiq.ruby[0-9].[0-9]-* r,

  owner @{RAILS_ROOT}/{public/uploads,storage}/** rw,
  owner /tmp/** rwlk,

  # SIGTERM to the nested helper profiles (/routenbuch//bash, //magick) is
  # routine job clean-up and is not audited.
  signal send set=(term) peer=/routenbuch//*,

  # SIGTERM to *unconfined* peers is as broad as DAC allows: any unconfined
  # process this uid may signal. It is audited so every use is logged; if the
  # intended target is known, narrow the peer to its profile instead.
  audit signal send set=(term) peer=unconfined,
}

# Container for helper programs the application spawns. The children are
# addressed as /routenbuch//bash and /routenbuch//magick; the exec transitions
# into them are expected to live in abstractions/routenbuch (not visible here).
profile /routenbuch {

  # Shell wrapper whose only explicit purpose in this file is reaching sendmail.
  profile bash {
    include <abstractions/base>
    include <abstractions/consoles>
    # NOTE(review): nameservice gives the shell itself resolver/network
    # access. sendmail runs under its own profile after the Px below, so
    # confirm bash needs this and drop it if not.
    include <abstractions/nameservice>

    /bin/bash rm,

    # Px: hand off to sendmail's own profile with the environment scrubbed.
    # Per apparmor.d(5) the exec is denied when no profile for
    # /usr/sbin/sendmail is loaded, so that profile must ship with this one.
    /usr/sbin/sendmail Px,
  }

  # ImageMagick worker (presumably converting user uploads): no network,
  # writes only to application-owned paths, nothing mmap-executable in /tmp.
  profile magick {
    include <abstractions/base>
    include <abstractions/imagemagick>

    /usr/bin/magick rm,

    deny network,

    # Quietly refuse creating per-user cache directories in the app root
    # (likely HOME == @{RAILS_ROOT} for the service user). Trailing slash:
    # this matches the directory entry itself, not files beneath it.
    deny @{RAILS_ROOT}/.{cache,fontconfig}/ w,

    # Colour profile shipped with the app, read-only.
    @{RAILS_ROOT}/vendor/data/RT_sRGB.icm r,

    # Writable scratch: uploads, app tmp/, and system /tmp (no `m` here).
    owner @{RAILS_ROOT}/{public/uploads,tmp}/** rw,
    owner /tmp/** rw,
  }
}
