#include <tunables/global>

# Application root. The per-application file rules in every profile below
# are written relative to this variable, so moving the deployment means
# changing only this line.
@{RAILS_ROOT}=/srv/www/webapps/routenbuch

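# Web tier (puma). The profile name is a path that presumably does not exist
# as an executable, so processes have to be placed in it explicitly
# (systemd AppArmorProfile=, aa-exec, or a Px -> rule elsewhere) -- confirm.
profile /routenbuch/appserver {
  #include <abstractions/routenbuch>
  # The launcher is readable only; interpreter/exec rules are expected to
  # come from abstractions/routenbuch, which is not visible in this file.
  /usr/bin/puma.ruby[0-9].[0-9]-* r,

  # User content and storage trees: write access is limited to files owned
  # by the service user, and no m/x is granted here, so nothing the web
  # tier writes under these trees can be mapped or executed by it.
  owner @{RAILS_ROOT}/public/uploads/** rw,
  owner @{RAILS_ROOT}/storage/** rw,

  # Scratch space: read/write/link/lock on owned files only.
  owner /tmp/** rwlk,
  # liborc-style JIT (orc writes generated code to /tmp/orcexec.* and maps
  # it executable). The rule above already grants write on this glob, so the
  # pair lets the process author and then map-execute native code under
  # /tmp. Audited, matching the audit on the sensitive signal rule in the
  # sidekiq profile, so every such mapping is visible in the log; drop the
  # rule entirely if nothing in the stack actually uses orc -- confirm.
  audit owner /tmp/orcexec.* mr,

  # NOTE(review): unlike the sidekiq profile there is no signal rule here.
  # If puma also spawns /routenbuch//* helpers and TERMs them on timeout,
  # that kill will be denied -- confirm against the app's image pipeline.
}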

# Background-job tier (sidekiq). Same file permissions as the web tier, plus
# the right to terminate the helper processes it spawns.
profile /routenbuch/sidekiq {
  #include <abstractions/routenbuch>

  # May send TERM to its own confined helpers (/routenbuch//bash,
  # /routenbuch//magick) -- presumably the job-timeout path -- and, with an
  # audit record for each attempt, to unconfined processes. DAC still
  # applies on top of this: no capability rule is granted in this file, so
  # only processes of the same uid can actually be signalled.
  signal send set=(term) peer=/routenbuch//*,
  audit signal send set=(term) peer=unconfined,

  # The launcher is readable only; interpreter/exec rules come from the
  # abstraction above, which is not visible in this file.
  /usr/bin/sidekiq.ruby[0-9].[0-9]-* r,

  # Owned files under the upload/storage trees and scratch space. No m/x
  # here, so nothing written to these paths can be mapped or executed by
  # this profile.
  owner @{RAILS_ROOT}/public/uploads/** rw,
  owner @{RAILS_ROOT}/storage/** rw,
  owner /tmp/** rwlk,
}

# Helper profiles for processes the two service tiers spawn. The parent
# profile carries no rules of its own, so it only serves as a namespace:
# the usable profiles are /routenbuch//bash and /routenbuch//magick, which
# callers must reach through an explicit transition (presumably from
# abstractions/routenbuch, not visible here -- confirm).
profile /routenbuch {
  # Shell helper. The only exec rules are bash itself and sendmail, so a
  # `bash -c` running here cannot launch arbitrary binaries.
  profile bash {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    /bin/bash rm,

    # Px: run under sendmail's own profile with a scrubbed environment. Note
    # that Px (unlike Pux) fails the exec outright if no /usr/sbin/sendmail
    # profile is loaded on the host.
    /usr/sbin/sendmail Px,
  }

  # ImageMagick helper for upload processing. Within this file it has no
  # exec rule other than magick itself, so delegates (gs, ffmpeg, ...)
  # cannot be spawned regardless of what policy.xml allows -- unless
  # abstractions/imagemagick adds one; keep the two in sync.
  profile magick {
    #include <abstractions/base>
    #include <abstractions/imagemagick>
    # NOTE(review): an abstraction named for Discourse inside a routenbuch
    # profile looks copied over. A missing #include file is a parse error
    # that keeps this whole file from loading; confirm it exists on the host
    # and that its paths match this app's log location.
    #include <abstractions/discourse-puma-logs>

    # No network at all: coders that would fetch remote URLs from crafted
    # inputs have nowhere to go.
    deny network,

    # Explicit denies for magick's cache directories. deny rules win over
    # any allow from the abstractions above and are quiet by default, so
    # this also keeps the cache-creation attempts out of the audit log.
    deny @{RAILS_ROOT}/.cache/ w,
    deny @{RAILS_ROOT}/.fontconfig/ w,

    # Colour profile shipped with the app.
    @{RAILS_ROOT}/vendor/data/RT_sRGB.icm r,

    # Input and output images; writes are limited to files owned by the
    # service user. No m is granted on any of these paths in this file, so
    # nothing written here can be mapped executable by this profile.
    owner @{RAILS_ROOT}/public/uploads/** rw,
    owner @{RAILS_ROOT}/tmp/** rw,

    owner /tmp/** rw,

    /usr/bin/magick rm,
  }
}
