Add Team Fortress 2
diff --git a/tf2/tf2.te b/tf2/tf2.te
new file mode 100644 (file)
index 0000000..a33950b
--- /dev/null
@@ -0,0 +1,52 @@
+policy_module(tf2, 0.1.13)
+
+# File context for the executable process
+type tf2_t;
+type tf2_exec_t;
+
+# File type for writable files
+type tf2_rw_t;
+files_type(tf2_rw_t)
+
+# File type for readable files
+type tf2_ro_t;
+files_type(tf2_ro_t)
+
+# type tf2_tmp_t;
+# files_tmp_file(tf2_tmp_t)
+
+init_daemon_domain(tf2_t, tf2_exec_t)
+
+allow tf2_t self:process { setsched signal signull };
+allow tf2_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+
+corenet_udp_sendrecv_generic_port(tf2_t)
+corenet_udp_bind_generic_port(tf2_t)
+corenet_udp_bind_generic_node(tf2_t)
+corenet_tcp_sendrecv_generic_port(tf2_t)
+corenet_tcp_bind_generic_port(tf2_t)
+corenet_tcp_bind_generic_node(tf2_t)
+
+allow tf2_t tf2_ro_t:dir list_dir_perms;
+allow tf2_t tf2_ro_t:file read_file_perms;
+#allow tf2_t tf2_tmp_t:file manage_file_perms;
+#allow tf2_t tf2_tmp_t:dir manage_dir_perms;
+
+manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
+manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
+setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
+
+sysnet_dns_name_resolve(tf2_t)
+# files_tmp_filetrans(tf2_t, tf2_tmp_t, { file dir})
+
+# Needed to load shared libs
+allow tf2_t tf2_exec_t:file execmod;
+
+dev_read_urand(tf2_t)
+
+# TF2 wants to read /proc/cpuinfo
+kernel_read_system_state(tf2_t)
+# dev_read_sysfs(tf2_t)
+
+# TF2 needs to read the network state
+kernel_read_network_state(tf2_t)
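Review bot: `allow tf2_t tf2_exec_t:file execmod;` on the line commented `# Needed to load shared libs` grants execute-after-modify on the game's own executable type, which removes the W^X guarantee the rest of this policy gives the process, and the comment does not say which library or relocation forces it. If the trigger is a non-PIC shared object, the usual approach is to label that object with the distribution's text-relocation library type (refpolicy's `textrel_shlib_t`) so the existing shared-library interfaces cover it, instead of widening `tf2_exec_t`; a `semodule`/`audit2allow` denial quoted in the comment would let a reviewer confirm which it is. At minimum the comment should state the cost, e.g. `# Text relocations in the game binary/libs: execmod weakens W^X for tf2_t; prefer relabeling the offending library.` Separately, `corenet_udp_bind_generic_port` and `corenet_tcp_bind_generic_port` let the daemon bind any unreserved port rather than the game's server ports; if the listening ports are fixed, a dedicated port type with `corenet_*_bind_*` on that type would narrow this, which is worth noting in a comment even if deferred.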