policy_module(cyphesis,1.0.0)

########################################

#

# Declarations

#

gen_require(`

    type port_t;

    type system_dbusd_var_run_t;

    type urandom_device_t;

    type krb5_conf_t;

    attribute port_type;

')

type cyphesis_port_t, port_type;

type cyphesis_t;

type cyphesis_exec_t;

domain_type(cyphesis_t)

# To disable the transition to the protected domain (which

# effectively disables the policy), use:

# setsebool cyphesis_disable_trans 1

init_daemon_domain(cyphesis_t, cyphesis_exec_t)

# pid files

type cyphesis_var_run_t;

files_pid_file(cyphesis_var_run_t)

# log files

type cyphesis_var_log_t;

logging_log_file(cyphesis_var_log_t)

########################################

#

# cyphesis local policy

#

# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.

# Note: /usr/share/selinux/devel/include/support/obj_perm_sets.spt contains

# the definitions of many permissions, such as 'rw_dir_perms'

# Some common macros (you might be able to remove some)

corecmd_dontaudit_search_sbin(cyphesis_t)

corecmd_search_bin(cyphesis_t)

corecmd_getattr_bin_files(cyphesis_t)

files_read_usr_files(cyphesis_t)

files_read_etc_files(cyphesis_t)

libs_use_ld_so(cyphesis_t)

libs_use_shared_libs(cyphesis_t)

miscfiles_read_localization(cyphesis_t)

## internal communication is often done using fifo and unix sockets.

allow cyphesis_t self:fifo_file { read write };

allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;

# pid file

allow cyphesis_t cyphesis_var_run_t:file manage_file_perms;

allow cyphesis_t cyphesis_var_run_t:sock_file manage_file_perms;

allow cyphesis_t cyphesis_var_run_t:dir rw_dir_perms;

files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file })

# log files

allow cyphesis_t cyphesis_var_log_t:file create_file_perms;

allow cyphesis_t cyphesis_var_log_t:sock_file create_file_perms;

allow cyphesis_t cyphesis_var_log_t:dir { rw_dir_perms setattr };

logging_log_filetrans(cyphesis_t,cyphesis_var_log_t,{ sock_file file dir })

logging_send_syslog_msg(cyphesis_t)

## Networking basics (adjust to your needs!)

sysnet_dns_name_resolve(cyphesis_t)

corenet_tcp_sendrecv_all_if(cyphesis_t)

corenet_tcp_sendrecv_all_nodes(cyphesis_t)

corenet_non_ipsec_sendrecv(cyphesis_t)

corenet_tcp_bind_all_nodes(cyphesis_t)

allow cyphesis_t self:tcp_socket { listen accept };

# The application expects cyphesis_port_t to be port 13327.

# The port is defined using semanage:

# semanage port -a -t cyphesis_port_t -p tcp 6767

# semanage port -a -t cyphesis_port_t -p tcp 6769

# semanage port -a -t cyphesis_port_t -p udp 32771

allow cyphesis_t cyphesis_port_t:tcp_socket { name_bind };

corenet_tcp_sendrecv_all_ports(cyphesis_t)

# ??

allow cyphesis_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

allow cyphesis_t self:unix_dgram_socket { connect create write };

# Init script handling

init_use_fds(cyphesis_t)

init_use_script_ptys(cyphesis_t)

domain_use_interactive_fds(cyphesis_t)

# Misc rules that are needed.  I don't understand the meaning of some

# of these, and for others I don't yet understand why the game needs

# them

kernel_read_kernel_sysctls(cyphesis_t)

term_dontaudit_use_generic_ptys(cyphesis_t)

# cyphesis wants to talk to avahi via dbus

avahi_dbus_chat(avahi_t)

avahi_dbus_chat(cyphesis_t)

dbus_send_system_bus(cyphesis_t)

postgresql_stream_connect(cyphesis_t)

allow cyphesis_t system_dbusd_t:unix_stream_socket connectto;

allow cyphesis_t system_dbusd_var_run_t:dir search;

allow cyphesis_t system_dbusd_var_run_t:sock_file write;

allow cyphesis_t self:process { setsched signal };

files_manage_generic_tmp_files(cyphesis_t)

allow cyphesis_t tmp_t:sock_file create;

allow cyphesis_t urandom_device_t:chr_file { getattr ioctl read };

allow cyphesis_t krb5_conf_t:file { getattr read };

allow cyphesis_t proc_t:file { getattr read };