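policy_module(tf2, 0.1.13)

########################################
#
# Declarations
#

# Process domain for the TF2 server; entered from tf2_exec_t via
# init_daemon_domain() in the local policy section below.
type tf2_t;
# File context for the executable
type tf2_exec_t;

# File type for writable files: files and directories of this type
# are fully managed (created, written, renamed, unlinked, setattr'd).
type tf2_rw_t;
files_type(tf2_rw_t)

# File type for readable files: only listed and read, never written.
type tf2_ro_t;
files_type(tf2_ro_t)

# Temporary-file handling is disabled; if it is re-enabled, the type,
# the two allow rules and the files_tmp_filetrans() call further down
# belong together.
# type tf2_tmp_t;
# files_tmp_file(tf2_tmp_t)

########################################
#
# Local policy
#

init_daemon_domain(tf2_t, tf2_exec_t)

allow tf2_t self:process { setsched signal signull };
allow tf2_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
# NOTE(review): no self:udp_socket rule is declared in this module even
# though the corenet_udp_* interfaces below are used; if the server
# creates UDP sockets, confirm where that permission comes from.

# Network access: generic ports and nodes for both UDP and TCP.
# NOTE(review): binding to generic ports is broad. A dedicated port type
# for the server's listening port(s) would narrow this; confirm the ports
# actually in use before tightening.
corenet_udp_sendrecv_generic_port(tf2_t)
corenet_udp_bind_generic_port(tf2_t)
corenet_udp_bind_generic_node(tf2_t)
corenet_tcp_sendrecv_generic_port(tf2_t)
corenet_tcp_bind_generic_port(tf2_t)
corenet_tcp_bind_generic_node(tf2_t)
sysnet_dns_name_resolve(tf2_t)

# Read-only data (tf2_ro_t)
allow tf2_t tf2_ro_t:dir list_dir_perms;
allow tf2_t tf2_ro_t:file read_file_perms;

# Read-write data (tf2_rw_t). manage_file_perms already contains
# setattr, so the former separate setattr_files_pattern() was redundant
# and has been dropped; the granted permissions are unchanged.
manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)

#allow tf2_t tf2_tmp_t:file manage_file_perms;
#allow tf2_t tf2_tmp_t:dir manage_dir_perms;
# files_tmp_filetrans(tf2_t, tf2_tmp_t, { file dir})

# Needed to load shared libs
# NOTE(review): execmod permits text relocations (writing to a mapped
# executable region) on every file labelled tf2_exec_t. Keep that label
# limited to the binary and the libraries that actually require it.
allow tf2_t tf2_exec_t:file execmod;

dev_read_urand(tf2_t)

# TF2 wants to read /proc/cpuinfo
kernel_read_system_state(tf2_t)
# dev_read_sysfs(tf2_t)

# TF2 needs to read the network state
kernel_read_network_state(tf2_t)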