# Last Modified: Fri Dec  5 13:59:51 2008
#include <tunables/global>
/usr/sbin/apache2 flags=(complain) {
  # Profile for the Apache httpd binary.  flags=(complain) means violations
  # are only logged, not enforced: nothing below actually restricts the
  # process until that flag is removed, so read this file as the *intended*
  # policy and check the audit log for denials before switching to enforce.
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>

  # Capabilities the worker keeps: signalling other processes, binding
  # ports below 1024, and changing uid/gid (presumably to drop from root to
  # the web user after bind - confirm against the httpd config).  Each one
  # widens what a compromised worker could do, so keep this list minimal.
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  # Major libs ("mr" = read + map as executable)
  /lib/ld-*.so mr,
  /lib/libc-*.so mr,
  /lib/libpthread-*.so mr,
  /lib/librt-*.so mr,

  # Generic Apache stuff & configuration
  # The binary and its modules are read/map only; the pid file is the only
  # writable path in this group.
  /usr/sbin/apache2 mr,
  /usr/lib/apache2/modules/* mr,
  /etc/apache2/apache2.conf r,
  /usr/local/apache/conf/* r,
  /etc/mime.types r,
  /var/run/apache2.pid rw,
  /usr/share/file/magic.mime r,

  # PHP!
  /etc/php5/** r,
  /usr/lib/php5/*/*.so mr,
  # NOTE(review): "php*" grants read+write on every /tmp entry whose name
  # starts with "php" (session/upload temp files, presumably); confirm it
  # cannot be narrowed to the paths PHP is actually configured to use.
  /tmp/php* rw,

  # MediaWiki ("**" matches across directory levels; "k" = file locking)
  # The tree is read-only except for the cache directory and /tmp/mediawiki.
  /usr/local/apache/common-local/** r,
  /usr/local/apache/common-local/php-1.5/cache/* rwk,
  # Disabled rule kept for reference: this path is already readable through
  # the common-local/** rule above; re-enable only if the cdb must be written
  # or locked at runtime.
#  /usr/local/apache/common-local/php-1.5/extensions/TrustedXFF/trusted-xff.cdb rwk,
  /tmp/mediawiki/ w,
  /tmp/mediawiki/** rwk,

  # Read-only access to shared wiki data outside the apache tree: the
  # language list, extension-distributor snapshots and lock files.
  # NOTE(review): the original marked these only "!!!" and left them
  # unindented; confirm each is still required and tidy the indentation.
/home/wikipedia/common/langlist r, 
/home/wikipedia/ExtensionDistributor/mw-snapshot/** r, 
/home/wikipedia/common/lockfiles/* r, 

  # For diff3 (temporary files written during edit-conflict merges)
  /tmp/merge* rw,

  # Images
  # NOTE(review): no "/" before "**", so this matches /mnt/upload itself,
  # any sibling such as /mnt/upload2, and everything beneath them, all
  # read+write.  Confirm whether "/mnt/upload/**" was the intent.
  /mnt/upload** rw,


  # Tidy and other external tools - needs separate profile eventually
  # "ix" runs the program under this same profile, so each of these
  # (including the shell /bin/dash) inherits every permission listed in this
  # file rather than getting a narrower one of its own.
  /usr/bin/tidy rix,
  /bin/dash rix,
  /bin/hostname rix,
  /usr/bin/diff3 rix,
  /usr/bin/diff rix,

  # TeX
  # texvc is executed under this profile ("ix"; note it is not also given
  # "r" like the tools above) and writes its intermediate files to /tmp.
  /usr/local/bin/texvc ix,
  /usr/share/texmf-texlive/** r,
  /tmp/*.dvi rw,
  /tmp/*.aux rw,
  /tmp/*.log rw,
  /tmp/*.png rw,
  

  # SSMTP has separate way more secure profile
  # "px" transitions to /usr/sbin/ssmtp's own profile on exec, so its
  # permissions are defined there, not inherited from this file.
  /usr/sbin/ssmtp rpx,

}