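policy_module(tf2, 0.1.25)

require {
    type default_t;
    # init_t is referenced directly by the noatsecure rule at the bottom of this
    # module. Require it here explicitly instead of relying on the gen_require
    # inside init_daemon_domain() to have pulled it into scope.
    type init_t;
}

# Domain of the running process, and the label of its executable.
type tf2_t;
type tf2_exec_t;

# File type for writable files (fully managed by tf2_t below)
type tf2_rw_t;
files_type(tf2_rw_t)

# File type for readable files (read/mmap only, never written by tf2_t)
type tf2_ro_t;
files_type(tf2_ro_t)


# tf2_t is entered from init through a domain transition on tf2_exec_t.
init_daemon_domain(tf2_t, tf2_exec_t)

allow tf2_t self:process { setsched signal signull };
allow tf2_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };

# Generic (unreserved) ports and nodes: the daemon is not pinned to a
# dedicated port type, so any generic port can be bound.
# NOTE(review): nothing in this module grants tf2_t self:udp_socket
# permissions, so the UDP rules below appear to be unusable unless socket
# creation is granted elsewhere. Confirm whether UDP is actually needed and
# either complete or drop these lines.
corenet_udp_sendrecv_generic_port(tf2_t)
corenet_udp_bind_generic_port(tf2_t)
corenet_udp_bind_generic_node(tf2_t)
corenet_tcp_sendrecv_generic_port(tf2_t)
corenet_tcp_bind_generic_port(tf2_t)
corenet_tcp_bind_generic_node(tf2_t)

# Read-only content: files, symlinks, directory listing, and mmap.
read_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
read_lnk_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
list_dirs_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
mmap_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)

# Writable content: create/delete/rename files and directories, set attributes.
manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)

sysnet_dns_name_resolve(tf2_t)

# Needed to load shared libs
# execmod lets the domain execute a file mapping it has modified (text
# relocations), which relaxes the W^X separation SELinux otherwise enforces.
# NOTE(review): this only covers files labeled tf2_exec_t; if the libraries
# needing it carry another label this rule does not help them. Rebuilding
# those libraries as PIC would let this rule be dropped.
allow tf2_t tf2_exec_t:file execmod;

dev_read_urand(tf2_t)

# TF2 wants to read /proc/cpuinfo
kernel_read_system_state(tf2_t)
# dev_read_sysfs(tf2_t)

# TF2 needs to read the network state
kernel_read_network_state(tf2_t)

# There's a lot of noise from these accesses
# Silencing these also hides denials caused by mislabeled content that has
# fallen back to default_t; if tf2 legitimately needs such paths, relabel them
# to tf2_ro_t / tf2_rw_t instead of extending this dontaudit.
dontaudit tf2_t default_t:dir read;

# noatsecure keeps AT_SECURE unset across the init -> tf2_t transition, so the
# dynamic loader does not apply its secure-execution restrictions (e.g. it
# honors LD_* variables inherited from the caller). This is a hardening
# reduction; keep it only while the daemon demonstrably fails without it.
allow init_t tf2_t:process { noatsecure };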