|
Michael Thomas |
4469892 |
policy_module(crossfire,1.0.0)
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
########################################
|
|
Michael Thomas |
4469892 |
#
|
|
Michael Thomas |
4469892 |
# Declarations
|
|
Michael Thomas |
4469892 |
#
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
gen_require(`
|
|
Michael Thomas |
4469892 |
type port_t;
|
|
Michael Thomas |
6bd651a |
type games_data_t;
|
|
Michael Thomas |
4469892 |
attribute port_type;
|
|
Michael Thomas |
4469892 |
')
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
type crossfire_port_t, port_type;
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
type crossfire_t;
|
|
Michael Thomas |
4469892 |
type crossfire_exec_t;
|
|
Michael Thomas |
4469892 |
domain_type(crossfire_t)
|
|
Michael Thomas |
4469892 |
# To disable the transition to the protected domain (which
|
|
Michael Thomas |
4469892 |
# effectively disables the policy), use:
|
|
Michael Thomas |
4469892 |
# setsebool crossfire_disable_trans 1
|
|
Michael Thomas |
4469892 |
init_daemon_domain(crossfire_t, crossfire_exec_t)
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# pid files
|
|
Michael Thomas |
4469892 |
type crossfire_var_run_t;
|
|
Michael Thomas |
4469892 |
files_pid_file(crossfire_var_run_t)
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# log files
|
|
Michael Thomas |
4469892 |
type crossfire_var_log_t;
|
|
Michael Thomas |
4469892 |
logging_log_file(crossfire_var_log_t)
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# Game data files
|
|
Michael Thomas |
4469892 |
type crossfire_variable_data_t;
|
|
Michael Thomas |
4469892 |
files_type(crossfire_variable_data_t);
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
########################################
|
|
Michael Thomas |
4469892 |
#
|
|
Michael Thomas |
4469892 |
# crossfire local policy
|
|
Michael Thomas |
4469892 |
#
|
|
Michael Thomas |
4469892 |
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
|
|
Michael Thomas |
4469892 |
# Note: /usr/share/selinux/devel/include/support/obj_perm_sets.spt contains
|
|
Michael Thomas |
4469892 |
# the definitions of many permissions, such as 'rw_dir_perms'
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# Some common macros (you might be able to remove some)
|
|
Michael Thomas |
4469892 |
files_read_usr_files(crossfire_t)
|
|
Michael Thomas |
4469892 |
files_read_etc_files(crossfire_t)
|
|
Michael Thomas |
4469892 |
libs_use_ld_so(crossfire_t)
|
|
Michael Thomas |
4469892 |
libs_use_shared_libs(crossfire_t)
|
|
Michael Thomas |
4469892 |
miscfiles_read_localization(crossfire_t)
|
|
Michael Thomas |
4469892 |
## internal communication is often done using fifo and unix sockets.
|
|
Michael Thomas |
4469892 |
allow crossfire_t self:fifo_file { read write };
|
|
Michael Thomas |
4469892 |
allow crossfire_t self:unix_stream_socket create_stream_socket_perms;
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# pid file
|
|
Michael Thomas |
4469892 |
allow crossfire_t crossfire_var_run_t:file manage_file_perms;
|
|
Michael Thomas |
a6f8cb2 |
allow crossfire_t crossfire_var_run_t:sock_file manage_sock_file_perms;
|
|
Michael Thomas |
4469892 |
allow crossfire_t crossfire_var_run_t:dir rw_dir_perms;
|
|
Michael Thomas |
4469892 |
files_pid_filetrans(crossfire_t,crossfire_var_run_t, { file sock_file })
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# log files
|
|
Michael Thomas |
4469892 |
allow crossfire_t crossfire_var_log_t:file create_file_perms;
|
|
Michael Thomas |
6bd651a |
allow crossfire_t crossfire_var_log_t:file append;
|
|
Michael Thomas |
a6f8cb2 |
allow crossfire_t crossfire_var_log_t:sock_file create_sock_file_perms;
|
|
Michael Thomas |
4469892 |
allow crossfire_t crossfire_var_log_t:dir { rw_dir_perms setattr };
|
|
Michael Thomas |
4469892 |
logging_log_filetrans(crossfire_t,crossfire_var_log_t,{ sock_file file dir })
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
## Networking basics (adjust to your needs!)
|
|
Michael Thomas |
4469892 |
sysnet_dns_name_resolve(crossfire_t)
|
|
Michael Thomas |
4469892 |
corenet_tcp_sendrecv_all_if(crossfire_t)
|
|
Michael Thomas |
4469892 |
corenet_tcp_sendrecv_all_nodes(crossfire_t)
|
|
Michael Thomas |
6bd651a |
corenet_all_recvfrom_unlabeled(crossfire_t)
|
|
Michael Thomas |
4469892 |
corenet_tcp_bind_all_nodes(crossfire_t)
|
|
Michael Thomas |
4469892 |
allow crossfire_t self:tcp_socket { listen accept };
|
|
Michael Thomas |
4469892 |
# The application expects crossfire_port_t to be port 13327.
|
|
Michael Thomas |
4469892 |
# The port is defined using semanage:
|
|
Michael Thomas |
4469892 |
# semanage port -a -t crossfire_port_t -p tcp 13327
|
|
Michael Thomas |
4469892 |
allow crossfire_t crossfire_port_t:tcp_socket { name_bind };
|
|
Michael Thomas |
4469892 |
corenet_tcp_sendrecv_all_ports(crossfire_t)
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# TODO: What does the application use UDP for? And which ports
|
|
Michael Thomas |
4469892 |
# need to be allowed?
|
|
Michael Thomas |
4469892 |
allow crossfire_t port_t:udp_socket send_msg;
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# Init script handling
|
|
Michael Thomas |
4469892 |
init_use_fds(crossfire_t)
|
|
Michael Thomas |
4469892 |
init_use_script_ptys(crossfire_t)
|
|
Michael Thomas |
4469892 |
domain_use_interactive_fds(crossfire_t)
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# Game data files
|
|
Michael Thomas |
6bd651a |
allow crossfire_t crossfire_variable_data_t:file { manage_file_perms };
|
|
Michael Thomas |
6bd651a |
allow crossfire_t crossfire_variable_data_t:dir { manage_dir_perms };
|
|
Michael Thomas |
6bd651a |
allow crossfire_t games_data_t:dir search;
|
|
Michael Thomas |
6bd651a |
allow crossfire_t games_data_t:dir getattr;
|
|
Michael Thomas |
6bd651a |
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
# Misc rules that are needed. I don't understand the meaning of some
|
|
Michael Thomas |
4469892 |
# of these, and for others I don't yet understand why the game needs
|
|
Michael Thomas |
4469892 |
# them
|
|
Michael Thomas |
4469892 |
|
|
Michael Thomas |
4469892 |
corecmd_getattr_bin_files(crossfire_t)
|
|
Michael Thomas |
4469892 |
corecmd_search_bin(crossfire_t)
|
|
Michael Thomas |
4469892 |
kernel_read_kernel_sysctls(crossfire_t)
|
|
Michael Thomas |
4469892 |
term_dontaudit_use_generic_ptys(crossfire_t)
|
|
Michael Thomas |
4469892 |
kernel_read_system_state(crossfire_t)
|
|
Michael Thomas |
6bd651a |
allow crossfire_t tmp_t:dir getattr;
|