#include <tunables/global>

profile haproxy /usr/sbin/haproxy {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability kill,
  capability sys_resource,
  capability sys_chroot,
  capability net_admin,

  # those are needed for the stats socket creation
  capability chown,
  capability fowner,
  capability fsetid,

  network inet,
  network inet6,

  /etc/haproxy/* r, 

  /usr/sbin/haproxy rmix,

  /dev/shm/haproxy_startup_logs_* rwlk,

  /var/lib/haproxy/stats rwl,
  /var/lib/haproxy/stats.*.bak rwl,
  /var/lib/haproxy/stats.*.tmp rwl,
  /{,var/}run/haproxy.pid rw,
  /{,var/}run/haproxy-master.sock* rwlk,

  /sys/devices/system/node/ r,

  # Site-specific additions and overrides. See local/README for details.
  #include if exists <local/haproxy>
  #include if exists <local/usr.sbin.haproxy>
}