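policy_module(tf2, 0.1.30)

########################################
#
# Declarations
#

require {
	type default_t;
	type games_data_t;
	# init_t is referenced directly by the noatsecure rule below; requiring it
	# here keeps the module self-contained instead of relying on the require
	# block that init_domain()/init_daemon_domain() happen to expand to.
	type init_t;
}

# Process domain and file context for the executable (entrypoint) type
type tf2_t;
type tf2_exec_t;

# File type for writable files (data the game may create/modify)
type tf2_rw_t;
files_type(tf2_rw_t)

# File type for readable files (data the game may only read/mmap)
type tf2_ro_t;
files_type(tf2_ro_t)

########################################
#
# Local policy
#

init_domain(tf2_t, tf2_exec_t)
init_daemon_domain(tf2_t, tf2_exec_t)

allow tf2_t self:process { setsched signal signull };

# execmem (anonymous executable memory) and execmod (text relocation of the
# game binary, needed to load shared libs) relax W^X for this domain. They are
# required by the engine, which is why the remaining rules should stay narrow.
allow tf2_t self:process execmem;
allow tf2_t tf2_exec_t:file execmod;

allow tf2_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };

# Network: bind/send/recv on unreserved ("generic") ports plus DNS lookups.
# Binding to any generic port is broad; if the game listens on a fixed port,
# a dedicated port type would narrow this.
corenet_udp_sendrecv_generic_port(tf2_t)
corenet_udp_bind_generic_port(tf2_t)
corenet_udp_bind_generic_node(tf2_t)
corenet_tcp_sendrecv_generic_port(tf2_t)
corenet_tcp_bind_generic_port(tf2_t)
corenet_tcp_bind_generic_node(tf2_t)
sysnet_dns_name_resolve(tf2_t)

# Read-only game data
read_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
read_lnk_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
list_dirs_pattern(tf2_t, tf2_ro_t, tf2_ro_t)
mmap_files_pattern(tf2_t, tf2_ro_t, tf2_ro_t)

# Writable game data
manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)

# TF2 wants to create /tmp/dumps. This grants management of all generic tmp
# directories; a private tmp type via files_tmp_filetrans() would confine it
# to the game's own files.
files_manage_generic_tmp_dirs(tf2_t)

dev_read_urand(tf2_t)

# TF2 wants to read /proc/cpuinfo
kernel_read_system_state(tf2_t)
# dev_read_sysfs(tf2_t)

# TF2 needs to read the network state
kernel_read_network_state(tf2_t)

# Listing of the shared games data directory (read-only)
list_dirs_pattern(tf2_t, games_data_t, games_data_t)

# There's a lot of noise from these accesses
dontaudit tf2_t default_t:dir read;

# Let init transition into tf2_t without AT_SECURE, so the dynamic loader does
# not scrub LD_* environment variables on the way in.
allow init_t tf2_t:process { noatsecure };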