# $Id$
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor

#include <tunables/global>

/usr/sbin/lighttpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/web-data>

  # needed to change max file descriptors
  capability sys_resource,

  # network service ;)
  capability net_bind_service,

  # changing the uid/gid on startup
  capability setgid,
  capability setuid,

  /proc/sys/kernel/ngroups_max r,

  /etc/lighttpd r,
  /etc/lighttpd/*.conf r,
  /etc/lighttpd/conf.d/*.conf r,
  /etc/lighttpd/auth.d/* r,
  /etc/lighttpd/vhosts.d r,
  /etc/lighttpd/vhosts.d/* r,
  /usr/sbin/lighttpd ix,

  /usr/lib/lighttpd/*.so r,
  /usr/lib64/lighttpd/*.so r,

  /etc/ssl/private/*.pem r,
  # home dir. e.g. used for sockets.
  /var/lib/lighttpd/ r,
  /var/lib/lighttpd/** rwl,
  # mod_compress cache
  /var/cache/lighttpd/ r,
  /var/cache/lighttpd/** rwl,
  # pid
  /var/run/lighttpd.pid rwl,
  # log files
  /var/log/lighttpd/*.log rw,
  # include_shell
  /bin/bash ix,
  /bin/zsh ix,
  /bin/cat ix,
}