abi <abi/3.0>,

include <tunables/global>

profile tt-rss-update-daemon /srv/www/vhosts/tt-rss/public/update_daemon2.php {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/php>
  include <abstractions/php-fixes>

  capability kill,

  /usr/bin/php rmix,
  /{usr/,}bin/bash rmix,

  /srv/www/vhosts/tt-rss/public/lock/update_daemon*.lock rwlk,
  /srv/www/vhosts/tt-rss/public/lock/*stamp rwlk,
  /srv/www/vhosts/tt-rss/public/cache/** rw,
  /srv/www/vhosts/tt-rss/public/feed-icons/** rw,
  /srv/www/vhosts/tt-rss/public/** r,
  /var/log/tt-rss/updater.log rwlk,

  deny /dev/null.*.tmp rw,
}
