From: Ralf Ertzinger
Date: Sun, 27 Apr 2014 17:59:13 +0000 (+0000)
Subject: Add Team Fortress 2
X-Git-Url: https://git.camperquake.de/gitweb.cgi?p=selinux.git;a=commitdiff_plain;h=c62e18163afbd2b6df7fb002c873196a4f653e12

Add Team Fortress 2
---

diff --git a/tf2/tf2.fc b/tf2/tf2.fc
new file mode 100644
index 0000000..6f42eae
--- /dev/null
+++ b/tf2/tf2.fc
@@ -0,0 +1,8 @@
+/etank/games/tf2/tf2/bin(/.*)? -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/etank/games/tf2/tf2/srcds_linux -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/etank/games/tf2/tf2/tf/bin/server_srv.so -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/etank/games/tf2(/.*)? gen_context(system_u:object_r:tf2_ro_t,s0)
+/etank/games/tf2/tf2/steam_appid.txt gen_context(system_u:object_r:tf2_rw_t,s0)
+/etank/games/tf2/tf2/tf/downloadlists(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
+/etank/games/tf2/Steam/config(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
+/etank/games/tf2/Steam/logs(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
diff --git a/tf2/tf2.if b/tf2/tf2.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/tf2/tf2.if
@@ -0,0 +1 @@
+##
diff --git a/tf2/tf2.te b/tf2/tf2.te
new file mode 100644
index 0000000..a33950b
--- /dev/null
+++ b/tf2/tf2.te
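Review bot: The `bin(/.*)? -- ... tf2_exec_t` line labels every regular file under bin, and the `server_srv.so` line labels a shared object, with the domain entry-point type; since tf2.te binds that type with `init_daemon_domain(tf2_t, tf2_exec_t)`, each of those files becomes a valid entrypoint into tf2_t and is also covered by the `execmod` allow in tf2.te. Limiting tf2_exec_t to the actual launcher (`srcds_linux`, which already has its own line) and giving libraries a separate `files_type` label would keep the entry-point set to one file. The context-field separators here are spaces; refpolicy .fc files conventionally use tabs, which is worth normalizing if the file is hand-written.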
@@ -0,0 +1,52 @@
+policy_module(tf2, 0.1.13)
+
+# File context for the executable process
+type tf2_t;
+type tf2_exec_t;
+
+# File type for writable files
+type tf2_rw_t;
+files_type(tf2_rw_t)
+
+# File type for readable files
+type tf2_ro_t;
+files_type(tf2_ro_t)
+
+# type tf2_tmp_t;
+# files_tmp_file(tf2_tmp_t)
+
+init_daemon_domain(tf2_t, tf2_exec_t)
+
+allow tf2_t self:process { setsched signal signull };
+allow tf2_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+
+corenet_udp_sendrecv_generic_port(tf2_t)
+corenet_udp_bind_generic_port(tf2_t)
+corenet_udp_bind_generic_node(tf2_t)
+corenet_tcp_sendrecv_generic_port(tf2_t)
+corenet_tcp_bind_generic_port(tf2_t)
+corenet_tcp_bind_generic_node(tf2_t)
+
+allow tf2_t tf2_ro_t:dir list_dir_perms;
+allow tf2_t tf2_ro_t:file read_file_perms;
+#allow tf2_t tf2_tmp_t:file manage_file_perms;
+#allow tf2_t tf2_tmp_t:dir manage_dir_perms;
+
+manage_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
+manage_dirs_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
+setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)
+
+sysnet_dns_name_resolve(tf2_t)
+# files_tmp_filetrans(tf2_t, tf2_tmp_t, { file dir})
+
+# Needed to load shared libs
+allow tf2_t tf2_exec_t:file execmod;
+
+dev_read_urand(tf2_t)
+
+# TF2 wants to read /proc/cpuinfo
+kernel_read_system_state(tf2_t)
+# dev_read_sysfs(tf2_t)
+
+# TF2 needs to read the network state
+kernel_read_network_state(tf2_t)
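Review bot: `allow tf2_t tf2_exec_t:file execmod;` lets the domain make a mapping of its own entry-point files writable and then executable (text relocations), which is a W^X exception on exactly the files that define the domain's trust boundary; the "load shared libs" comment suggests it is only the non-PIC libraries that need it. Giving those libraries their own `files_type` label (constructed name: tf2_lib_t) and allowing execmod only on that type, after confirming from the audit log which files actually trigger the denial, keeps the launcher itself free of it. The six `corenet_*_generic_port`/`generic_node` calls also let the server bind and talk on any generic port; declaring a dedicated port type with `corenet_port(...)` and allowing `name_bind` only on it would scope that to the game port. Minor: `setattr_files_pattern(tf2_t, tf2_rw_t, tf2_rw_t)` is already implied by `manage_files_pattern` on the same types and can be dropped.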