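policy_module(cyphesis,1.0.0)

########################################
#
# Declarations
#

# Types owned by other modules that are referenced directly in allow rules
# below.  Every such type is listed here so the module compiles on its own
# and does not depend on some interface call happening to require the type
# first (system_dbusd_t and tmp_t were previously only required indirectly).
gen_require(`
	type tmp_t;
	type system_dbusd_t;
	type system_dbusd_var_run_t;
	type initrc_su_t;
	attribute port_type;
')

# Port type for the daemon's listening socket; labelled with semanage (see
# the networking section below).
type cyphesis_port_t, port_type;

# Daemon domain and its entry point.
type cyphesis_t;
type cyphesis_exec_t;
domain_type(cyphesis_t)

# init starts the daemon from cyphesis_exec_t and it transitions into
# cyphesis_t.
# NOTE(review): the original comment said the transition can be disabled
# with "setsebool cyphesis_disable_trans 1"; that boolean is produced by some
# policy generators rather than by init_daemon_domain itself — confirm it
# exists on the target system before relying on it.
init_daemon_domain(cyphesis_t, cyphesis_exec_t)

# pid files under /var/run
type cyphesis_var_run_t;
files_pid_file(cyphesis_var_run_t)

# log files under /var/log
type cyphesis_var_log_t;
logging_log_file(cyphesis_var_log_t)

########################################
#
# cyphesis local policy
#
# Prefer the interfaces under /etc/selinux/refpolicy/include (or
# /usr/share/selinux/devel/include) over raw allow rules; the permission
# sets such as rw_dir_perms are defined in support/obj_perm_sets.spt.
#

# Basic process environment: executables in bin dirs, /usr and /etc,
# shared libraries, locale data.
corecmd_dontaudit_search_bin(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
files_read_usr_files(cyphesis_t)
files_read_etc_files(cyphesis_t)
libs_use_ld_so(cyphesis_t)
libs_use_shared_libs(cyphesis_t)
miscfiles_read_localization(cyphesis_t)

# Internal communication inside the domain over pipes and unix sockets.
allow cyphesis_t self:fifo_file { read write };
allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
allow cyphesis_t self:unix_dgram_socket { connect create write };

# pid file and a socket under /var/run, created with the private label.
allow cyphesis_t cyphesis_var_run_t:file manage_file_perms;
allow cyphesis_t cyphesis_var_run_t:sock_file manage_file_perms;
allow cyphesis_t cyphesis_var_run_t:dir rw_dir_perms;
files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file })

# log files (and, as in the original policy, a socket and subdirectory in
# the log directory) plus syslog.
allow cyphesis_t cyphesis_var_log_t:file create_file_perms;
allow cyphesis_t cyphesis_var_log_t:sock_file create_file_perms;
allow cyphesis_t cyphesis_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(cyphesis_t, cyphesis_var_log_t, { sock_file file dir })
logging_send_syslog_msg(cyphesis_t)

# Networking basics (adjust to your needs!)
# sysnet_dns_name_resolve also supplies the self:tcp_socket/udp_socket
# creation permissions the rules below build on.
sysnet_dns_name_resolve(cyphesis_t)
corenet_tcp_sendrecv_all_if(cyphesis_t)
corenet_tcp_sendrecv_all_nodes(cyphesis_t)
corenet_all_recvfrom_unlabeled(cyphesis_t)
corenet_tcp_bind_all_nodes(cyphesis_t)
allow cyphesis_t self:tcp_socket { listen accept };

# Listening port.  cyphesis_port_t is assigned with semanage, e.g.:
#   semanage port -a -t cyphesis_port_t -p tcp 6767
#   semanage port -a -t cyphesis_port_t -p tcp 6769
#   semanage port -a -t cyphesis_port_t -p udp 32771
# NOTE(review): the original comment stated the application expects port
# 13327 while the examples label 6767/6769 — confirm the real port(s) against
# the daemon's configuration before labelling.
# NOTE(review): only tcp name_bind is granted on cyphesis_port_t; the udp
# label above is inert unless the daemon actually binds that port, in which
# case a udp_socket name_bind rule would be needed as well.
allow cyphesis_t cyphesis_port_t:tcp_socket name_bind;
# NOTE(review): all_ports is broad for a daemon with its own port type; if it
# only talks on cyphesis_port_t and to the metaserver, sendrecv on its own
# port type would be the least-privilege choice.
corenet_tcp_sendrecv_all_ports(cyphesis_t)

# UDP exchange with the metaserver on a generic (otherwise unlabelled) port.
corenet_udp_sendrecv_generic_port(cyphesis_t)

# Route/interface enumeration over netlink — presumably used by the resolver
# or by getaddrinfo(); the original author marked this as not understood.
# TODO confirm which code path needs it.
allow cyphesis_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

# Init script handling
init_use_fds(cyphesis_t)
init_use_script_ptys(cyphesis_t)
domain_use_interactive_fds(cyphesis_t)

# Misc rules that are needed.  The original author did not yet understand
# why the game needs some of these; rules that are still unexplained carry
# a TODO so they can be revisited rather than silently kept.
kernel_read_kernel_sysctls(cyphesis_t)
# Generic /proc reads (replaces a raw allow on proc_t:file).
kernel_read_system_state(cyphesis_t)
term_dontaudit_use_generic_ptys(cyphesis_t)

# cyphesis wants to talk to avahi via dbus.  Only this domain is given dbus
# access: a stray avahi_dbus_chat(avahi_t) call in the original policy
# altered avahi's own domain from this module and has been dropped.
avahi_dbus_chat(cyphesis_t)
dbus_send_system_bus(cyphesis_t)
# Connect to the system bus socket under /var/run.
allow cyphesis_t system_dbusd_t:unix_stream_socket connectto;
allow cyphesis_t system_dbusd_var_run_t:dir search;
allow cyphesis_t system_dbusd_var_run_t:sock_file write;

# Database backend over a unix socket.
postgresql_stream_connect(cyphesis_t)

allow cyphesis_t self:process { setsched signal };

# Temporary files and a socket under /tmp.
# NOTE(review): this grants management of every generic tmp_t file, not just
# the daemon's own.  A private type (files_tmp_file + files_tmp_filetrans)
# would confine it; kept as-is until what the daemon creates in /tmp is
# confirmed.
files_manage_generic_tmp_files(cyphesis_t)
allow cyphesis_t tmp_t:sock_file { create unlink };

# Entropy for the game (replaces a raw allow on urandom_device_t).
dev_read_urand(cyphesis_t)
# /etc/krb5.conf is read, presumably by a linked library rather than the
# game itself (replaces a raw allow on krb5_conf_t).  TODO confirm.
kerberos_read_config(cyphesis_t)
# Presumably the init script starts the daemon through su, so the parent
# process is initrc_su_t and receives SIGCHLD.  TODO confirm.
allow cyphesis_t initrc_su_t:process sigchld;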