X-Git-Url: https://git.camperquake.de/gitweb.cgi?a=blobdiff_plain;f=tf2%2Ftf2.te;h=bf69c5d3238e3ee4ffc1d2803f0d1327820869f8;hb=c226ce3ae21764ee6fabd754bc9a9cc567ba8b46;hp=714c73c82719d729f1d083f3dc3d9eb154150da5;hpb=c4c0773581a9e2a18f1946260355556216a65a4a;p=selinux.git
diff --git a/tf2/tf2.te b/tf2/tf2.te
index 714c73c..bf69c5d 100644
--- a/tf2/tf2.te
+++ b/tf2/tf2.te
@@ -1,4 +1,8 @@
-policy_module(tf2, 0.1.14)
+policy_module(tf2, 0.1.25)
+
+require {
+	type default_t;
+}
 
 # File context for the executable process
 type tf2_t;
@@ -12,8 +16,6 @@ files_type(tf2_rw_t)
 type tf2_ro_t;
 files_type(tf2_ro_t)
 
-# type tf2_tmp_t;
-# files_tmp_file(tf2_tmp_t)
 
 init_daemon_domain(tf2_t, tf2_exec_t)
 
@@ -27,17 +29,16 @@ corenet_tcp_sendrecv_generic_port(tf2_t)
 corenet_tcp_bind_generic_port(tf2_t)
 corenet_tcp_bind_generic_node(tf2_t)
 
-allow tf2_t tf2_ro_t:dir list_dir_perms;
-allow tf2_t tf2_ro_t:file read_file_perms;
-#allow tf2_t tf2_tmp_t:file manage_file_perms;
-#allow tf2_t tf2_tmp_t:dir manage_dir_perms;
+read_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
+read_lnk_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
+list_dirs_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
+mmap_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
 manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
 manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
 setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
 
 sysnet_dns_name_resolve(tf2_t)
 
-# files_tmp_filetrans(tf2_t, tf2_tmp_t, { file dir})
 
 # Needed to load shared libs
 allow tf2_t tf2_exec_t:file execmod;
@@ -50,3 +51,8 @@ kernel_read_system_state(tf2_t)
 
 # TF2 needs to read the network state
 kernel_read_network_state(tf2_t)
+
+# There's a lot of noise from these accesses
+dontaudit tf2_t default_t:dir read;
+
+allow init_t tf2_t:process { noatsecure };
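Review bot: The `require { type default_t; }` block added at the top of the module reaches directly into a type owned by the files module, which refpolicy style discourages in favour of calling an interface from files.if; the only consumer is the new dontaudit rule at the end of the file. If the policy's files.if offers a dontaudit interface for default_t directories (refpolicy carries `files_dontaudit_list_default`), calling it from tf2.te would let this require block go away entirely. If the raw require has to stay, record why in place, e.g. `# default_t is needed only for the dontaudit rule near the end of this file`, so the next reader does not assume tf2_t is meant to use default_t content.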
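Review bot: The new `mmap_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)` line widens access to tf2_ro_t beyond what the removed `read_file_perms` rule granted (it adds the `map` permission), yet the group of four pattern lines carries no comment saying what tf2_ro_t holds or which access needed mapping. A one-line header such as `# tf2_ro_t: read-only content, never written by tf2_t (read, symlinks, listing, mmap)` above `read_files_pattern` would make the intent reviewable, and noting the denial that motivated the mmap line would help later cleanup.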
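Review bot: `allow init_t tf2_t:process { noatsecure };` references `init_t`, which the init module declares and which the `require` block this commit adds does not list (it names only `default_t`); unless init_t is brought into scope elsewhere in the file, outside these hunks, the module will not build. The rule also lacks a comment although it is the most security-relevant line in the change: `noatsecure` disables secure-exec environment cleansing on the transition from init_t into tf2_t, so the reason should be recorded, e.g. `# keep the caller's environment across the init_t -> tf2_t transition (noatsecure); TODO confirm which variable the launcher relies on`. Likewise `dontaudit tf2_t default_t:dir read;` suppresses evidence instead of fixing its cause: directories still labelled default_t point at a path missing from the module's file contexts, and silencing the audit records removes the signal that would reveal new mislabelling, so the comment should at least name the path that produces the noise and the intended follow-up of labelling it.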