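policy_module(crossfire,1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type port_t;
	type games_data_t;
	attribute port_type;
')

# Port type for the game server's listening socket.  The port number is
# not fixed here; it is attached with semanage (see the name_bind rule
# in the local policy section below).
type crossfire_port_t, port_type;

# Daemon domain and its entry-point executable.
type crossfire_t;
type crossfire_exec_t;
# domain_type is also applied by init_daemon_domain below; kept here
# so the declaration block is self-describing.
domain_type(crossfire_t)

# Lets init run the executable and transition into crossfire_t.
# On refpolicy builds that still generate the *_disable_trans booleans,
# the transition (and with it the confinement) can be switched off:
#   setsebool crossfire_disable_trans 1
init_daemon_domain(crossfire_t, crossfire_exec_t)

# pid files
type crossfire_var_run_t;
files_pid_file(crossfire_var_run_t)

# log files
type crossfire_var_log_t;
logging_log_file(crossfire_var_log_t)

# Game data files (writable per-server state, kept apart from the
# shared read-only games_data_t tree)
type crossfire_variable_data_t;
files_type(crossfire_variable_data_t)

########################################
#
# crossfire local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Note: /usr/share/selinux/devel/include/support/obj_perm_sets.spt contains
# the definitions of many permissions, such as 'rw_dir_perms'

# Some common macros (you might be able to remove some)
files_read_usr_files(crossfire_t)
files_read_etc_files(crossfire_t)
libs_use_ld_so(crossfire_t)
libs_use_shared_libs(crossfire_t)
miscfiles_read_localization(crossfire_t)

## internal communication is often done using fifo and unix sockets.
allow crossfire_t self:fifo_file { read write };
allow crossfire_t self:unix_stream_socket create_stream_socket_perms;

# pid file
allow crossfire_t crossfire_var_run_t:file manage_file_perms;
allow crossfire_t crossfire_var_run_t:sock_file manage_sock_file_perms;
allow crossfire_t crossfire_var_run_t:dir rw_dir_perms;
files_pid_filetrans(crossfire_t, crossfire_var_run_t, { file sock_file })

# log files: the domain may create logs and append to them, but gets no
# write/unlink on existing log files, so logs cannot be rewritten or
# removed from inside the domain.
allow crossfire_t crossfire_var_log_t:file create_file_perms;
allow crossfire_t crossfire_var_log_t:file append;
allow crossfire_t crossfire_var_log_t:sock_file create_sock_file_perms;
allow crossfire_t crossfire_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(crossfire_t, crossfire_var_log_t, { sock_file file dir })

## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(crossfire_t)
corenet_tcp_sendrecv_all_if(crossfire_t)
corenet_tcp_sendrecv_all_nodes(crossfire_t)
corenet_all_recvfrom_unlabeled(crossfire_t)
corenet_tcp_bind_all_nodes(crossfire_t)
allow crossfire_t self:tcp_socket { listen accept };

# The application expects crossfire_port_t to be port 13327.
# The port is defined using semanage:
#   semanage port -a -t crossfire_port_t -p tcp 13327
# name_bind is granted only for crossfire_port_t, so the server cannot
# listen on any other labelled port; send/recv stays broad below.
allow crossfire_t crossfire_port_t:tcp_socket { name_bind };
corenet_tcp_sendrecv_all_ports(crossfire_t)

# TODO: What does the application use UDP for? And which ports
# need to be allowed?
# Until that is answered this rule lets the domain send datagrams to any
# port carrying the generic port_t label.  Narrow it to a dedicated port
# type once the UDP use is understood.
allow crossfire_t port_t:udp_socket send_msg;

# Init script handling
init_use_fds(crossfire_t)
init_use_script_ptys(crossfire_t)
domain_use_interactive_fds(crossfire_t)

# Game data files: full management of the server's own state, but only
# traversal (no read/write) of the shared games_data_t tree.
allow crossfire_t crossfire_variable_data_t:file manage_file_perms;
allow crossfire_t crossfire_variable_data_t:dir manage_dir_perms;
allow crossfire_t games_data_t:dir { search getattr };

# Misc rules that are needed.  Why the game needs some of these is not
# yet understood; each one should be re-checked against the audit log
# before this policy is considered final.
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)
kernel_read_kernel_sysctls(crossfire_t)
term_dontaudit_use_generic_ptys(crossfire_t)
kernel_read_system_state(crossfire_t)

# getattr on /tmp.  The earlier form of this rule named tmp_t directly
# without pulling it in through gen_require; the files interface brings
# the type into scope itself and grants exactly dir getattr on tmp_t.
files_getattr_tmp_dirs(crossfire_t)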