Move base directories to /var/games
policy_module(tf2, 0.1.30)

# Types used here but declared by other modules.
# default_t is the catch-all label for paths without a more specific context
# (see the dontaudit below); games_data_t is the label of the shared games
# data tree that this commit moves the base directories under.
require {
    type default_t;
    type games_data_t;
}

# Domain for the running server process and the entry-point label for its
# executable.  The init_* interfaces below pair them up so that the process
# runs as tf2_t when started from init.
type tf2_t;
type tf2_exec_t;

# File type for writable files
type tf2_rw_t;
files_type(tf2_rw_t)

# File type for readable files
type tf2_ro_t;
files_type(tf2_ro_t)


# Register tf2_exec_t as the entry point of tf2_t and let init start it as a
# daemon.  NOTE(review): init_daemon_domain presumably already covers what
# init_domain sets up; calling both is harmless but worth confirming.
init_domain(tf2_t, tf2_exec_t)
init_daemon_domain(tf2_t, tf2_exec_t)

# Self permissions: adjust scheduling of and signal its own processes, and
# create/use TCP stream sockets.
allow tf2_t self:process { setsched signal signull };
allow tf2_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };

# Network: send/receive on and bind to *any* generic (unreserved) UDP and TCP
# port, on any node.  NOTE(review): this is broader than a server with fixed
# listen ports needs; a dedicated port type plus the matching corenet_*_bind_*
# interface would pin down which ports the domain can claim.
corenet_udp_sendrecv_generic_port(tf2_t)
corenet_udp_bind_generic_port(tf2_t)
corenet_udp_bind_generic_node(tf2_t)
corenet_tcp_sendrecv_generic_port(tf2_t)
corenet_tcp_bind_generic_port(tf2_t)
corenet_tcp_bind_generic_node(tf2_t)

# Read-only game data: read, follow symlinks in, list and mmap anything
# labelled tf2_ro_t.
read_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
read_lnk_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
list_dirs_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
mmap_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)

# Writable game state: full create/delete/modify on files and directories
# labelled tf2_rw_t, plus setattr on the files.
manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)

# TF2 wants to create /tmp/dumps
# NOTE(review): this grants management of the *generic* tmp directory tree
# shared with every other domain.  A private tmp type (e.g. a tf2_tmp_t with
# files_tmp_filetrans(tf2_t, tf2_tmp_t, dir)) would keep its tmp content
# isolated.  It also appears to cover directories only; if dump files are
# written inside /tmp/dumps, confirm that they are actually permitted.
files_manage_generic_tmp_dirs(tf2_t)

# Resolve hostnames via DNS.
sysnet_dns_name_resolve(tf2_t)

# Needed to load shared libs
# NOTE(review): execmod permits text relocations (mapping the file writable,
# then executable), and execmem below permits executable anonymous memory;
# together they remove W^X protection for this domain.  Keep execmod scoped
# to tf2_exec_t as here; this assumes the shared libraries carry tf2_exec_t
# in the module's file contexts (not visible in this file) — confirm.
allow tf2_t tf2_exec_t:file execmod;

# Read /dev/urandom.
dev_read_urand(tf2_t)

# TF2 wants to read /proc/cpuinfo
# NOTE(review): kernel_read_system_state grants read on /proc system state in
# general, considerably more than cpuinfo.
kernel_read_system_state(tf2_t)
# dev_read_sysfs(tf2_t)

# TF2 needs to read the network state
kernel_read_network_state(tf2_t)

# There's a lot of noise from these accesses
# NOTE(review): denials on default_t usually mean a path is unlabelled or
# mislabelled; check the offending directories' labels (restorecon) before
# relying on this dontaudit to hide them.
dontaudit tf2_t default_t:dir read;

# Let init exec tf2 without AT_SECURE, so the dynamic loader honours LD_*
# environment variables set for the server at start-up.
# NOTE(review): init_t is not listed in the require block above and is
# presumably only in scope via the init_* interfaces' own requires; declare
# it explicitly (`type init_t;`) so the dependency is visible.
allow init_t tf2_t:process { noatsecure };
# Executable anonymous memory; see the execmod note above.
allow tf2_t self:process execmem;

# Only list the /var/games base tree (no read/write of its contents); the
# game files themselves are presumably labelled tf2_ro_t / tf2_rw_t.
list_dirs_pattern(tf2_t, games_data_t, games_data_t)