# ------------------------------------------------------------------
#
#    Copyright (C) 2020 SUSE LLC
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

include <tunables/global>

profile haproxy /usr/sbin/haproxy {
  include <abstractions/base>
  include <abstractions/nameservice>
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability kill,
  capability sys_resource,
  capability sys_chroot,

  # those are needed for the stats socket creation
  capability chown,
  capability fowner,
  capability fsetid,

  network inet  tcp,
  network inet6 tcp,

  /etc/haproxy/* r,

  /usr/sbin/haproxy rmix,

  /var/lib/haproxy/stats rwl,
  /var/lib/haproxy/stats.*.bak rwl,
  /var/lib/haproxy/stats.*.tmp rwl,
  /{,var/}run/haproxy.pid rw,
  /{,var/}run/haproxy-master.sock* rwlk,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.haproxy>
}