module ironic_policy 1.0;

require {
        type httpd_t;
        type root_t;
        type default_t;
        class file open;
        class file read;
        class file getattr;
        class lnk_file read;
}


#============= httpd_t ==============

allow httpd_t root_t:file open;
allow httpd_t default_t:file open;
allow httpd_t root_t:file { read getattr };
allow httpd_t default_t:file { read getattr };
allow httpd_t root_t:lnk_file read;
allow httpd_t default_t:lnk_file read;