From d17a1926fd5aff541f7df1e189dfa8c294a5e1f7 Mon Sep 17 00:00:00 2001
From: Ralf Ertzinger
Date: Tue, 26 Mar 2024 19:52:22 +0000
Subject: [PATCH] Move base directories to /var/games

---
bf1942/bf1942.fc | 12 ++++++------
bf1942/bf1942.te | 8 +++++++-
cod4/cod4.fc | 10 +++++-----
cod4/cod4.te | 8 +++++++-
q3a/q3a.fc | 10 +++++-----
q3a/q3a.te | 8 +++++++-
quake2/quake2.fc | 14 +++++++-------
quake2/quake2.te | 8 +++++++-
tesseract/tesseract.fc | 4 ++--
tf2/tf2.fc | 28 ++++++++++++++--------------
tf2/tf2.te | 5 ++++-
ut2004/ut2004.fc | 8 ++++----
12 files changed, 75 insertions(+), 48 deletions(-)

diff --git a/bf1942/bf1942.fc b/bf1942/bf1942.fc
index f174979..f5d215a 100644
--- a/bf1942/bf1942.fc
+++ b/bf1942/bf1942.fc
@@ -1,6 +1,6 @@
-/etank/games/bf1942/bf1942/serverfiles/bf1942_lnxded.* -- gen_context(system_u:object_r:bf1942_exec_t,s0)
-/etank/games/bf1942/bf1942/serverfiles/pb/.*\.so gen_context(system_u:object_r:bf1942_exec_t,s0)
-/etank/games/bf1942/bf1942(/.*)? gen_context(system_u:object_r:bf1942_ro_t,s0)
-/etank/games/bf1942/bf1942/serverfiles/mods/[^/]+/settings gen_context(system_u:object_r:bf1942_rw_t,s0)
-/etank/games/bf1942/bf1942/serverfiles/mods/[^/]+/logs(/.*)? gen_context(system_u:object_r:bf1942_rw_t,s0)
-/etank/games/bf1942/bf1942/serverfiles/mods/[^/]+/settings/maplist.con gen_context(system_u:object_r:bf1942_rw_t,s0)
+/var/games/bf1942/bf1942/serverfiles/bf1942_lnxded.* -- gen_context(system_u:object_r:bf1942_exec_t,s0)
+/var/games/bf1942/bf1942/serverfiles/pb/.*\.so gen_context(system_u:object_r:bf1942_exec_t,s0)
+/var/games/bf1942/bf1942(/.*)? gen_context(system_u:object_r:bf1942_ro_t,s0)
+/var/games/bf1942/bf1942/serverfiles/mods/[^/]+/settings gen_context(system_u:object_r:bf1942_rw_t,s0)
+/var/games/bf1942/bf1942/serverfiles/mods/[^/]+/logs(/.*)? gen_context(system_u:object_r:bf1942_rw_t,s0)
+/var/games/bf1942/bf1942/serverfiles/mods/[^/]+/settings/maplist.con gen_context(system_u:object_r:bf1942_rw_t,s0)
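Review bot: The unescaped `.` in `maplist.con` on the last added line is a regex wildcard, so the entry also matches names such as `maplistXcon` (constructed example); file-context regexes should escape literal dots, `settings/maplist\.con`, as the `pb/.*\.so` entry above already does. The same unescaped dots are carried over unchanged in cod4.fc (`.callofduty4`), q3a.fc (`qagamei386.so`, `.q3a`), quake2.fc (the commented-out `.quake2`), tf2.fc (`update.sh`, `steam_appid.txt`, `modelsounds.cache`) and ut2004.fc (`UCC.log`). The `mods/[^/]+/settings` entry has no trailing `(/.*)?`, so it relabels only the `settings` directory entry itself while its files other than `maplist.con` stay bf1942_ro_t; if that is the intent, the `-d` qualifier (as tf2.fc uses for `maps`) would make it explicit.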
diff --git a/bf1942/bf1942.te b/bf1942/bf1942.te
index f3084c6..d7cd464 100644
--- a/bf1942/bf1942.te
+++ b/bf1942/bf1942.te
@@ -1,4 +1,8 @@
-policy_module(bf1942, 0.1.6)
+policy_module(bf1942, 0.1.7)
+
+require {
+ type games_data_t;
+}
 
 # File context for the executable process
 type bf1942_t;
@@ -32,3 +36,5 @@ allow bf1942_t self:process execmem;
 
 # The BF1942 binary executes itself
 allow bf1942_t bf1942_exec_t:file execute_no_trans;
+
+list_dirs_pattern(bf1942_t, games_data_t, games_data_t)
diff --git a/cod4/cod4.fc b/cod4/cod4.fc
index 1028463..076a89b 100644
--- a/cod4/cod4.fc
+++ b/cod4/cod4.fc
@@ -1,6 +1,6 @@
 # /opt/cod4/.+/log(/.*)? gen_context(system_u:object_r:cod4_rw_t,s0)
-/etank/games/cod4/cod4_lnxded(-bin)? -- gen_context(system_u:object_r:cod4_exec_t,s0)
-/etank/games/cod4/libstdc\+\+\.so\.6 -- gen_context(system_u:object_r:cod4_exec_t,s0)
-/etank/games/cod4/libgcc_s\.so\.1 -- gen_context(system_u:object_r:cod4_exec_t,s0)
-/etank/games/cod4(/.*)? gen_context(system_u:object_r:cod4_ro_t,s0)
-/etank/games/cod4/.callofduty4(/.*)? gen_context(system_u:object_r:cod4_rw_t,s0)
+/var/games/cod4/cod4_lnxded(-bin)? -- gen_context(system_u:object_r:cod4_exec_t,s0)
+/var/games/cod4/libstdc\+\+\.so\.6 -- gen_context(system_u:object_r:cod4_exec_t,s0)
+/var/games/cod4/libgcc_s\.so\.1 -- gen_context(system_u:object_r:cod4_exec_t,s0)
+/var/games/cod4(/.*)? gen_context(system_u:object_r:cod4_ro_t,s0)
+/var/games/cod4/.callofduty4(/.*)? gen_context(system_u:object_r:cod4_rw_t,s0)
diff --git a/cod4/cod4.te b/cod4/cod4.te
index 17885b6..bc833ab 100644
--- a/cod4/cod4.te
+++ b/cod4/cod4.te
@@ -1,4 +1,8 @@
-policy_module(cod4, 0.1.33)
+policy_module(cod4, 0.1.38)
+
+require {
+ type games_data_t;
+}
 
 # File context for the executable process
 type cod4_t;
@@ -27,3 +31,5 @@ setattr_files_pattern(cod4_t, cod4_rw_t, cod4_rw_t)
 
 sysnet_dns_name_resolve(cod4_t)
 allow init_t cod4_t:process { noatsecure };
+
+list_dirs_pattern(cod4_t, games_data_t, games_data_t)
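Review bot: `list_dirs_pattern(bf1942_t, games_data_t, games_data_t)` in the second hunk grants list_dir_perms (read/getattr/open/search and friends) on every games_data_t directory, i.e. all of /var/games and anything under it that no .fc entry relabels, when all the domain needs in order to reach its own bf1942_ro_t tree is traversal; `search_dirs_pattern(bf1942_t, games_data_t, games_data_t)` is the least-privilege form unless the server actually enumerates /var/games itself. The same rule is added in cod4.te, q3a.te, quake2.te and tf2.te and the same substitution applies there. The bare `require { type games_data_t; }` block in the first hunk ties module loading to whichever policy declares games_data_t and labels /var/games with it; a one-line comment above it, `# games_data_t labels /var/games (games module); needed only to traverse into /var/games/bf1942`, would record that dependency for the next reader. The rules of bf1942_t between the two hunks are outside the diff.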
diff --git a/q3a/q3a.fc b/q3a/q3a.fc
index a1c0178..43b0a21 100644
--- a/q3a/q3a.fc
+++ b/q3a/q3a.fc
@@ -1,5 +1,5 @@
-/etank/games/q3a/q3ded -- gen_context(system_u:object_r:q3a_exec_t,s0)
-/etank/games/q3a/ioq3ded\.(x86_64|i386) -- gen_context(system_u:object_r:q3a_exec_t,s0)
-/etank/games/q3a/.*/qagamei386.so -- gen_context(system_u:object_r:q3a_exec_t,s0)
-/etank/games/q3a(/.*)? gen_context(system_u:object_r:q3a_ro_t,s0)
-/etank/games/q3a/.q3a(/.*)? gen_context(system_u:object_r:q3a_rw_t,s0)
+/var/games/q3a/q3ded -- gen_context(system_u:object_r:q3a_exec_t,s0)
+/var/games/q3a/ioq3ded\.(x86_64|i386) -- gen_context(system_u:object_r:q3a_exec_t,s0)
+/var/games/q3a/.*/qagamei386.so -- gen_context(system_u:object_r:q3a_exec_t,s0)
+/var/games/q3a(/.*)? gen_context(system_u:object_r:q3a_ro_t,s0)
+/var/games/q3a/.q3a(/.*)? gen_context(system_u:object_r:q3a_rw_t,s0)
diff --git a/q3a/q3a.te b/q3a/q3a.te
index 4872be1..9665023 100644
--- a/q3a/q3a.te
+++ b/q3a/q3a.te
@@ -1,4 +1,8 @@
-policy_module(q3a, 0.1.25)
+policy_module(q3a, 0.1.26)
+
+require {
+ type games_data_t;
+}
 
 # File context for the executable process
 type q3a_t;
@@ -34,3 +38,5 @@ sysnet_dns_name_resolve(q3a_t)
 
 dev_read_urand(q3a_t)
 allow q3a_t self:process execmem;
+
+list_dirs_pattern(q3a_t, games_data_t, games_data_t)
diff --git a/quake2/quake2.fc b/quake2/quake2.fc
index eb03638..8ffc81d 100644
--- a/quake2/quake2.fc
+++ b/quake2/quake2.fc
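Review bot: `/var/games/q3a/.*/qagamei386.so` labels a game module q3a_exec_t under any subdirectory of the q3a tree, and that includes the writable `.q3a` tree declared on the next line, so the two entries overlap for a `qagamei386.so` that appears under `.q3a`; which label such a file ends up with is then decided by file-context sort order rather than by this policy, and if the server itself writes module files there (I cannot tell from this diff) one of them may carry the exec label. Anchoring the entry to the read-only mod directories it is meant to cover, in place of `.*`, removes the overlap and keeps exec labels out of the writable tree. The same `.*/` exec pattern exists in quake2.fc, though its writable paths are narrower.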
@@ -1,7 +1,7 @@
-/etank/games/quake2/quake2/quake2ded([^/]*)? -- gen_context(system_u:object_r:quake2_exec_t,s0)
-/etank/games/quake2/quake2/.*/game(x86_64|i386)\.so -- gen_context(system_u:object_r:quake2_exec_t,s0)
-/etank/games/quake2/quake2(/.*)? gen_context(system_u:object_r:quake2_ro_t,s0)
-/etank/games/quake2/quake2/lithium/save(/.*)? gen_context(system_u:object_r:quake2_rw_t,s0)
-/etank/games/quake2/quake2/lithium/log(/.*)? gen_context(system_u:object_r:quake2_rw_t,s0)
-/etank/games/quake2/quake2/lithium/.*log gen_context(system_u:object_r:quake2_rw_t,s0)
-#/etank/games/quake2/.quake2(/.*)? gen_context(system_u:object_r:quake2_rw_t,s0)
+/var/games/quake2/quake2/quake2ded([^/]*)? -- gen_context(system_u:object_r:quake2_exec_t,s0)
+/var/games/quake2/quake2/.*/game(x86_64|i386)\.so -- gen_context(system_u:object_r:quake2_exec_t,s0)
+/var/games/quake2/quake2(/.*)? gen_context(system_u:object_r:quake2_ro_t,s0)
+/var/games/quake2/quake2/lithium/save(/.*)? gen_context(system_u:object_r:quake2_rw_t,s0)
+/var/games/quake2/quake2/lithium/log(/.*)? gen_context(system_u:object_r:quake2_rw_t,s0)
+/var/games/quake2/quake2/lithium/.*log gen_context(system_u:object_r:quake2_rw_t,s0)
+#/var/games/quake2/.quake2(/.*)? gen_context(system_u:object_r:quake2_rw_t,s0)
diff --git a/quake2/quake2.te b/quake2/quake2.te
index 9f16e80..7ceaf03 100644
--- a/quake2/quake2.te
+++ b/quake2/quake2.te
@@ -1,4 +1,8 @@
-policy_module(quake2, 0.1.11)
+policy_module(quake2, 0.1.12)
+
+require {
+ type games_data_t;
+}
 
 # File context for the executable process
 type quake2_t;
@@ -29,3 +33,5 @@ setattr_files_pattern(quake2_t, quake2_rw_t, quake2_rw_t)
 
 sysnet_dns_name_resolve(quake2_t)
 allow quake2_t self:process execmem;
+
+list_dirs_pattern(quake2_t, games_data_t, games_data_t)
diff --git a/tesseract/tesseract.fc b/tesseract/tesseract.fc
index 0ac201e..22d487c 100644
--- a/tesseract/tesseract.fc
+++ b/tesseract/tesseract.fc
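Review bot: `/var/games/quake2/quake2/lithium/.*log` is unanchored, so it matches any path under `lithium/` at any depth whose name merely ends in `log` (a directory named `catalog` and everything in it, as a constructed example), and it overlaps the `lithium/log(/.*)?` entry directly above it. If the intent is log files directly in `lithium/`, `/var/games/quake2/quake2/lithium/[^/]*\.log` says so; otherwise a comment on that line naming the files it is meant to catch would help. The commented-out `.quake2` entry is carried along with the move; if it is dead, dropping it would avoid a future reader re-enabling a stale path.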
@@ -1,2 +1,2 @@
-/etank/games/tesseract/tesseract/bin_unix/linux(_64)?_(server|client) -- gen_context(system_u:object_r:tesseract_exec_t,s0)
-/etank/games/tesseract/tesseract(/.*)? gen_context(system_u:object_r:tesseract_ro_t,s0)
+/var/games/tesseract/tesseract/bin_unix/linux(_64)?_(server|client) -- gen_context(system_u:object_r:tesseract_exec_t,s0)
+/var/games/tesseract/tesseract(/.*)? gen_context(system_u:object_r:tesseract_ro_t,s0)
diff --git a/tf2/tf2.fc b/tf2/tf2.fc
index 998b811..bf5155f 100644
--- a/tf2/tf2.fc
+++ b/tf2/tf2.fc
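Review bot: tesseract.fc moves the tree under /var/games, but no tesseract.te appears in the diffstat, so unlike the five domains that gain a games_data_t rule in this commit, tesseract_t is not granted traversal of the games_data_t parent directory; the same gap applies to ut2004.fc and ut2004_t. Unless those two .te files already carry such a rule, or the domains are not enforced, the servers will be denied search on /var/games after the relabel. Adding the matching `require { type games_data_t; }` and a `search_dirs_pattern(tesseract_t, games_data_t, games_data_t)` (and the ut2004_t equivalent) keeps the seven modules consistent.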
@@ -1,14 +1,14 @@
-/etank/games/tf2/tf2/bin(/.*)? -- gen_context(system_u:object_r:tf2_exec_t,s0)
-/etank/games/tf2/tf2/srcds_linux -- gen_context(system_u:object_r:tf2_exec_t,s0)
-/etank/games/tf2/tf2/tf/bin/server_srv.so -- gen_context(system_u:object_r:tf2_exec_t,s0)
-/etank/games/tf2/Steam/linux32/steamclient.so -- gen_context(system_u:object_r:tf2_exec_t,s0)
-/etank/games/tf2(/.*)? gen_context(system_u:object_r:tf2_ro_t,s0)
-/etank/games/tf2/Steam/update.sh gen_context(system_u:object_r:usr_t,s0)
-/etank/games/tf2/tf2/steam_appid.txt gen_context(system_u:object_r:tf2_rw_t,s0)
-/etank/games/tf2/tf2/tf/downloadlists(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
-/etank/games/tf2/Steam/config(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
-/etank/games/tf2/Steam/logs(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
-/etank/games/tf2/tf2/tf/modelsounds.cache gen_context(system_u:object_r:tf2_rw_t,s0)
-/etank/games/tf2/tf2/tf/maps(/.*)? gen_context(system_u:object_r:tf2_ro_t,s0)
-/etank/games/tf2/tf2/tf/maps -d gen_context(system_u:object_r:tf2_rw_t,s0)
-/etank/games/tf2/tf2/tf/maps/(graphs|workshop)(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/tf2/bin(/.*)? -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/var/games/tf2/tf2/srcds_linux -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/var/games/tf2/tf2/tf/bin/server_srv.so -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/var/games/tf2/Steam/linux32/steamclient.so -- gen_context(system_u:object_r:tf2_exec_t,s0)
+/var/games/tf2(/.*)? gen_context(system_u:object_r:tf2_ro_t,s0)
+/var/games/tf2/Steam/update.sh gen_context(system_u:object_r:usr_t,s0)
+/var/games/tf2/tf2/steam_appid.txt gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/tf2/tf/downloadlists(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/Steam/config(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/Steam/logs(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/tf2/tf/modelsounds.cache gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/tf2/tf/maps(/.*)? gen_context(system_u:object_r:tf2_ro_t,s0)
+/var/games/tf2/tf2/tf/maps -d gen_context(system_u:object_r:tf2_rw_t,s0)
+/var/games/tf2/tf2/tf/maps/(graphs|workshop)(/.*)? gen_context(system_u:object_r:tf2_rw_t,s0)
diff --git a/tf2/tf2.te b/tf2/tf2.te
index 3e6bcdc..024594e 100644
--- a/tf2/tf2.te
+++ b/tf2/tf2.te
@@ -1,7 +1,8 @@
-policy_module(tf2, 0.1.29)
+policy_module(tf2, 0.1.30)
 
 require {
 type default_t;
+ type games_data_t;
 }
 
 # File context for the executable process
@@ -61,3 +62,5 @@ dontaudit tf2_t default_t:dir read;
 
 allow init_t tf2_t:process { noatsecure };
 allow tf2_t self:process execmem;
+
+list_dirs_pattern(tf2_t, games_data_t, games_data_t)
diff --git a/ut2004/ut2004.fc b/ut2004/ut2004.fc
index f287272..52b9a00 100644
--- a/ut2004/ut2004.fc
+++ b/ut2004/ut2004.fc
@@ -1,4 +1,4 @@
-/etank/games/ut2004/ut2004/System/(ucc-bin|ucc-bin-linux-amd64) -- gen_context(system_u:object_r:ut2004_exec_t,s0)
-/etank/games/ut2004/ut2004(/.*)? gen_context(system_u:object_r:ut2004_ro_t,s0)
-/etank/games/ut2004/ut2004/System/UCC.log gen_context(system_u:object_r:ut2004_rw_t,s0)
-/etank/games/ut2004/ut2004/System/.*\.ini gen_context(system_u:object_r:ut2004_rw_t,s0)
+/var/games/ut2004/ut2004/System/(ucc-bin|ucc-bin-linux-amd64) -- gen_context(system_u:object_r:ut2004_exec_t,s0)
+/var/games/ut2004/ut2004(/.*)? gen_context(system_u:object_r:ut2004_ro_t,s0)
+/var/games/ut2004/ut2004/System/UCC.log gen_context(system_u:object_r:ut2004_rw_t,s0)
+/var/games/ut2004/ut2004/System/.*\.ini gen_context(system_u:object_r:ut2004_rw_t,s0)
-- 
1.8.3.1
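Review bot: `/var/games/tf2/Steam/update.sh gen_context(system_u:object_r:usr_t,s0)` gives a script that lives inside the game's own Steam tree the generic usr_t label, so access to it is governed by the base policy's system-wide usr_t rules rather than by a type this module controls, and it is the only path in the tree that escapes the tf2 types. If tf2_t runs it, tf2_exec_t keeps it under this module; if it is only read, tf2_ro_t does; and if usr_t is deliberate (for example because another domain runs it), a comment on that line, `# update.sh is run by <domain>, hence usr_t` with the domain filled in, would record why. The adjacent `-d` directory entry and the `maps(/.*)?` file entry overlap by design and are fine.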
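Review bot: The `type default_t;` require kept in the first tf2.te hunk, and the `dontaudit tf2_t default_t:dir read;` shown as the section heading of the second hunk, look like leftovers from the /etank layout, where the parent directories presumably had no file context and so were default_t; with the tree under /var/games the parent is games_data_t and the new rule covers it. After confirming nothing else in tf2.te still references default_t (the rules between the two hunks are outside the diff), both can be removed, which also drops a dependency on a base-policy type that the other five modules do not carry.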