#include <tunables/global>

/usr/sbin/nginx flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  # privilege drop
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  # abstractions/apache2-common
  @{PROC}/@{pid}/attr/current rw,

  # nginx operational
  /etc/letsencrypt/options-ssl-nginx.conf r,
  /etc/letsencrypt/ssl-dhparams.pem r,
  /etc/nginx/** r,
  /run/nginx.pid rw,
  /usr/lib/nginx/** r,
  /usr/sbin/nginx mr,
  /usr/share/nginx/** r,
  /var/lib/nginx/** rw,
  /var/log/nginx/error.log w,
  /var/log/nginx/access.log w,

  # data
  /var/xyzzy/html/** r,

}