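# SELinux policy module for the tf2 daemon.
#
# Types declared here:
#   tf2_t      - domain of the running daemon
#   tf2_exec_t - the daemon's executable (entry point for the domain)
#   tf2_rw_t   - files and directories the daemon may create, change and delete
#   tf2_ro_t   - files and directories the daemon may only list and read
# Which paths carry these labels is decided in the module's file contexts
# (tf2.fc), not in this file.
policy_module(tf2, 0.1.14)

########################################
#
# Declarations
#

# Domain for the process and type for its executable
type tf2_t;
type tf2_exec_t;

# File type for writable files
type tf2_rw_t;
files_type(tf2_rw_t)

# File type for readable files
type tf2_ro_t;
files_type(tf2_ro_t)

# type tf2_tmp_t;
# files_tmp_file(tf2_tmp_t)

# Domain transition from tf2_exec_t when started by init
init_daemon_domain(tf2_t, tf2_exec_t)

########################################
#
# Local policy
#

allow tf2_t self:process { setsched signal signull };

# create_stream_socket_perms is a superset of connected_stream_socket_perms,
# so listing both granted nothing extra.
allow tf2_t self:tcp_socket create_stream_socket_perms;
# The corenet_udp_* rules below only cover port and node types; creating and
# using the UDP socket itself must also be allowed on the domain, otherwise
# the UDP rules cannot take effect.
allow tf2_t self:udp_socket create_socket_perms;

# Generic ports/nodes are broad: the daemon may bind any port without a
# dedicated port type. If it only ever uses fixed ports, a port type limited
# to those ports would confine it more tightly.
corenet_udp_sendrecv_generic_port(tf2_t)
corenet_udp_bind_generic_port(tf2_t)
corenet_udp_bind_generic_node(tf2_t)
corenet_tcp_sendrecv_generic_port(tf2_t)
corenet_tcp_bind_generic_port(tf2_t)
corenet_tcp_bind_generic_node(tf2_t)
sysnet_dns_name_resolve(tf2_t)

# Read-only data
allow tf2_t tf2_ro_t:dir list_dir_perms;
allow tf2_t tf2_ro_t:file read_file_perms;
#allow tf2_t tf2_tmp_t:file manage_file_perms;
#allow tf2_t tf2_tmp_t:dir manage_dir_perms;

# Writable data. manage_file_perms already includes setattr, so the former
# setattr_files_pattern() on the same types was redundant and is dropped.
manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
# files_tmp_filetrans(tf2_t, tf2_tmp_t, { file dir})

# execmod lets the domain make a privately modified (relocated) mapping of a
# tf2_exec_t file executable, which is what shared libraries with text
# relocations need at load time. It relaxes the no-writable-then-executable
# protection for those files, so label only the libraries that require it
# as tf2_exec_t.
allow tf2_t tf2_exec_t:file execmod;

dev_read_urand(tf2_t)

# TF2 wants to read /proc/cpuinfo
kernel_read_system_state(tf2_t)
# dev_read_sysfs(tf2_t)

# TF2 needs to read the network state
kernel_read_network_state(tf2_t)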