#include <tunables/global>

/usr/lib64/rstudio-server/bin/rserver {
  

  # #################################################################
  # startup mode
  # #################################################################

  # Allow everything during startup 
  #include <abstractions/nameservice>
  capability setgid,
  capability setuid,
  capability sys_resource,
  capability kill,
  capability chown,
  capability fowner,
  capability fsetid,
  capability dac_override,
  capability dac_read_search,
  /** rwixmkl,


  # #################################################################
  # restricted mode (transitioned into at the end of startup)  
  # #################################################################

  ^restricted {

     #include <abstractions/base>
     #include <abstractions/nameservice>
     #include <abstractions/ssl_certs>

     capability setgid,
     capability setuid,
     capability sys_resource,
     capability kill,
    
     owner @{HOME}/** rw,
     owner /tmp/** rw,
     /tmp/rstudio-rsession/** rw,
     /tmp/rstudio-rserver/** rw,
     /etc/rstudio/** r,

     /usr/lib64/rstudio-server/metrics/rserver-* Ux,

     /usr/lib64/rstudio-server/bin/rserver-* Ux,

     /usr/lib64/rstudio-server/bin/rsession* ux,
     /usr/lib64/rstudio-server/www/** r,
     /usr/lib64/rstudio-server/www-symbolmaps/** r,
  }   
}


