rpms/crossfire/devel crossfire.fc, NONE, 1.1 crossfire.if, NONE, 1.1 crossfire.te, NONE, 1.1

Michael Thomas (wart) fedora-extras-commits at redhat.com
Thu Aug 31 15:13:57 UTC 2006


Author: wart

Update of /cvs/extras/rpms/crossfire/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7376

Added Files:
	crossfire.fc crossfire.if crossfire.te 
Log Message:
Adding selinux policy files



--- NEW FILE crossfire.fc ---
# crossfire executable will have:
# label: system_u:object_r:crossfire_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

/usr/bin/crossfire		--	gen_context(system_u:object_r:crossfire_exec_t,s0)
/var/run/crossfire.pid			gen_context(system_u:object_r:crossfire_var_run_t,s0)
/var/log/crossfire(/.*)?		gen_context(system_u:object_r:crossfire_var_log_t,s0)
/var/games/crossfire(/.*)?		gen_context(system_u:object_r:crossfire_variable_data_t,s0)
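Review bot: The `/var/run/crossfire.pid` entry is a regular expression, so the unescaped `.` matches any character rather than a literal dot; refpolicy convention is `/var/run/crossfire\.pid		gen_context(system_u:object_r:crossfire_var_run_t,s0)`. The accompanying .te also allows `sock_file` and `dir` objects of type `crossfire_var_run_t` and sets up a `files_pid_filetrans` for them, yet nothing in this file labels a directory or socket under /var/run, so any such object would be relabelled back to the generic pid type on a restorecon. If the daemon really creates a socket or directory there, add a matching `/var/run/crossfire(/.*)?` entry; otherwise the extra permissions in the .te look unneeded.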


--- NEW FILE crossfire.if ---
## <summary>policy for crossfire</summary>

########################################
## <summary>
##	Execute a domain transition to run crossfire.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`crossfire_domtrans',`
	gen_require(`
		type crossfire_t, crossfire_exec_t;
	')

	domain_auto_trans($1,crossfire_exec_t,crossfire_t)

	allow $1 crossfire_t:fd use;
	allow crossfire_t $1:fd use;
	allow crossfire_t $1:fifo_file rw_file_perms;
	allow crossfire_t $1:process sigchld;
')


--- NEW FILE crossfire.te ---
policy_module(crossfire,1.0.0)

########################################
#
# Declarations
#

gen_require(`
    type port_t;
    attribute port_type;
')

type crossfire_port_t, port_type;

type crossfire_t;
type crossfire_exec_t;
domain_type(crossfire_t)
# To disable the transition to the protected domain (which
# effectively disables the policy), use:
# setsebool crossfire_disable_trans 1
init_daemon_domain(crossfire_t, crossfire_exec_t)



# pid files
type crossfire_var_run_t;
files_pid_file(crossfire_var_run_t)

# log files
type crossfire_var_log_t;
logging_log_file(crossfire_var_log_t)

# Game data files
type crossfire_variable_data_t;
files_type(crossfire_variable_data_t);

########################################
#
# crossfire local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Note: /usr/share/selinux/devel/include/support/obj_perm_sets.spt contains
# the definitions of many permissions, such as 'rw_dir_perms'

# Some common macros (you might be able to remove some)
files_read_usr_files(crossfire_t)
files_read_etc_files(crossfire_t)
libs_use_ld_so(crossfire_t)
libs_use_shared_libs(crossfire_t)
miscfiles_read_localization(crossfire_t)
## internal communication is often done using fifo and unix sockets.
allow crossfire_t self:fifo_file { read write };
allow crossfire_t self:unix_stream_socket create_stream_socket_perms;

# pid file
allow crossfire_t crossfire_var_run_t:file manage_file_perms;
allow crossfire_t crossfire_var_run_t:sock_file manage_file_perms;
allow crossfire_t crossfire_var_run_t:dir rw_dir_perms;
files_pid_filetrans(crossfire_t,crossfire_var_run_t, { file sock_file })

# log files
allow crossfire_t crossfire_var_log_t:file create_file_perms;
allow crossfire_t crossfire_var_log_t:sock_file create_file_perms;
allow crossfire_t crossfire_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(crossfire_t,crossfire_var_log_t,{ sock_file file dir })

## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(crossfire_t)
corenet_tcp_sendrecv_all_if(crossfire_t)
corenet_tcp_sendrecv_all_nodes(crossfire_t)
corenet_non_ipsec_sendrecv(crossfire_t)
corenet_tcp_bind_all_nodes(crossfire_t)
allow crossfire_t self:tcp_socket { listen accept };
# The application expects crossfire_port_t to be port 13327.
# The port is defined using semanage:
# semanage port -a -t crossfire_port_t -p tcp 13327
allow crossfire_t crossfire_port_t:tcp_socket { name_bind };
corenet_tcp_sendrecv_all_ports(crossfire_t)

# TODO: What does the application use UDP for?  And which ports
# need to be allowed?
allow crossfire_t port_t:udp_socket send_msg;

# Init script handling
init_use_fds(crossfire_t)
init_use_script_ptys(crossfire_t)
domain_use_interactive_fds(crossfire_t)


# Game data files
allow crossfire_t crossfire_variable_data_t:file { create_file_perms };
allow crossfire_t crossfire_variable_data_t:dir { create_dir_perms };

# Misc rules that are needed.  I don't understand the meaning of some
# of these, and for others I don't yet understand why the game needs
# them

corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)
kernel_read_kernel_sysctls(crossfire_t)
term_dontaudit_use_generic_ptys(crossfire_t)
kernel_read_system_state(crossfire_t)
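Review bot: The rule `allow crossfire_t port_t:udp_socket send_msg;` grants UDP sends to every unlabelled port while the TODO directly above it admits that neither the purpose nor the ports are known; a blanket grant with an unexplained reason is the kind of rule that quietly outlives the policy, so either leave it out until the audit log shows which corenet_udp_* interface is actually required, or at minimum mark it `# FIXME: unverified, derived from denials only` so a later maintainer knows to revisit it. The `allow crossfire_t self:tcp_socket { listen accept };` rule covers only the server-side calls; the socket creation and bind permissions it depends on appear to come implicitly from `sysnet_dns_name_resolve`, which is easy to break if that interface is ever removed, so stating `allow crossfire_t self:tcp_socket create_stream_socket_perms;` explicitly would be clearer. The trailing `;` after `files_type(crossfire_variable_data_t)` differs from every other interface call in the file and, since the macro already expands to a complete statement, may leave a stray semicolon in the generated policy — drop it for consistency.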



