/usr/sbin/apache oXA {
	/usr/share r
	/etc r
	/etc/grsec h
	/etc/ld.so.cache r
	/tmp rwx
	/lib rx
	/usr/lib rx
	/var/log/apache a
	/var/run/apache.pid w
	/var/run/mysqld/mysqld.sock rw
	/var/www rx
	/dev/null rw
	/bin/bash x
	/usr/sbin/apache x
	/

	-CAP_ALL
	+CAP_DAC_OVERRIDE
	+CAP_KILL
	+CAP_SETGID
	+CAP_SETUID
	+CAP_NET_BIND_SERVICE

	RES_CRASH 1 10m

	connect {
		0.0.0.0/0:53 dgram udp
	}

	bind {
		0.0.0.0/0:80 stream tcp
	}
}

# apache suexec
# contributed by maximillian attems <debian@sternwelten.at>

/usr/lib/apache/suexec o {
       / h
       /var/log/apache/suexec.log a
       /var/log/apache
       /var/www rx
       /usr/share/zoneinfo r
       /usr/lib rx
       /proc/sys/kernel/version r
       /lib rx
       /etc/passwd r
       /etc/nsswitch.conf r
       /etc/ld.so.cache r
       /etc/group r
       /usr/lib/apache/suexec x

       -CAP_ALL
       +CAP_DAC_OVERRIDE
       +CAP_KILL
       +CAP_SETGID
       +CAP_SETUID
}
