# SELinux type-enforcement module for fail2ban, in the audit2allow-generated
# style: it lets the fail2ban_t domain read content labeled
# httpd_sys_rw_content_t (presumably web-server log files under an
# apache-writable directory — confirm against the original AVC denials) and
# syslogd_var_run_t (NOTE(review): likely the journal/syslog runtime
# directory under /run — confirm), and lets fail2ban_client_t stat such files.
# Load with the usual checkmodule / semodule_package / semodule -i sequence.
module fail2ban-allowhttpd 1.1;

require {
	type httpd_sys_rw_content_t;
	type fail2ban_t;
	type syslogd_var_run_t;
	type fail2ban_client_t;
	class capability dac_override;
	class dir { read getattr search ioctl };
	# NOTE(review): in the reference access vectors `search` is a dir
	# permission, not a file permission; confirm checkmodule accepts this
	# declaration on the target policy version, otherwise drop `search`
	# here and in the fail2ban_t file rule below.
	class file { getattr read open search ioctl };
}

#============= fail2ban_client_t ==============
# Only getattr (stat) on the httpd content files is granted to the client,
# not read/open.
allow fail2ban_client_t httpd_sys_rw_content_t:file getattr;
# dac_override lets the client domain bypass DAC (owner/mode) checks on any
# file, not just httpd content — far broader than the single getattr above
# needs. Prefer fixing the DAC side (group membership or an ACL on the files
# in question) so this capability grant can be dropped.
allow fail2ban_client_t self:capability dac_override;

#============= fail2ban_t ==============
# Read-only access to directories and files labeled httpd_sys_rw_content_t;
# no write/append/create/unlink is granted, so fail2ban cannot alter web
# content even though apache can.
allow fail2ban_t httpd_sys_rw_content_t:dir { read getattr search ioctl };
allow fail2ban_t httpd_sys_rw_content_t:file { read getattr open search ioctl };
# Read-only access under syslogd_var_run_t. Note the dir rule grants read
# (listing) but not search; opening a file by path inside that directory
# normally needs search on the parent — TODO confirm this set matches the
# actual denials and that no further AVCs appear in permissive mode.
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file { read getattr open };