policy_module(xpilotd,1.0.0)

########################################
#
# Declarations
#
# Type enforcement module for the xpilotd game server daemon. It declares a
# process domain (xpilotd_t), an entrypoint type for the executable
# (xpilotd_exec_t), a port type, a pid file type and a type for private game
# data, then grants the domain the access listed under "xpilot local policy".
#

# External symbols this module relies on.
# NOTE(review): port_t is required here but no rule in this file references
# it; confirm whether the requirement can be dropped.
gen_require(`
	type port_t;
	attribute port_type;
	type var_log_t;
')

# Port type for the game server socket, tagged with the port_type attribute.
# NOTE(review): only the type is declared here; which UDP port number carries
# this label is not visible in this file (presumably assigned outside the
# module, e.g. with semanage port -- confirm).
type xpilotd_port_t, port_type;

# Daemon domain and the type of its executable. init_daemon_domain is the
# refpolicy interface for daemons started by init; it is expected to set up
# the transition into xpilotd_t when init runs a file labelled xpilotd_exec_t.
type xpilotd_t;
type xpilotd_exec_t;
domain_type(xpilotd_t)
init_daemon_domain(xpilotd_t, xpilotd_exec_t)

# pid files
# NOTE(review): the type is declared, but no rule in the portion visible here
# lets xpilotd_t create or write xpilotd_var_run_t files. As shown, the daemon
# cannot manage its own pid file -- confirm whether that is intended.
type xpilotd_var_run_t;
files_pid_file(xpilotd_var_run_t)

# Game data files
type xpilotd_private_data_t;
files_type(xpilotd_private_data_t);

########################################
#
# xpilot local policy
#

# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Note: /usr/share/selinux/devel/include/support/obj_perm_sets.spt contains
# the definitions of many permissions, such as rw_dir_perms

# Some common macros (you might be able to remove some)
# NOTE(review): each of these widens what the domain can read. Drop any that
# produce no AVC denials when removed in a test run.
files_read_usr_files(xpilotd_t)
files_read_etc_files(xpilotd_t)
libs_use_ld_so(xpilotd_t)
libs_use_shared_libs(xpilotd_t)
miscfiles_read_localization(xpilotd_t)

## internal communication is often done using fifo and unix sockets.
# Both rules target self, i.e. objects labelled with the xpilotd_t domain itself.
allow xpilotd_t self:fifo_file { read write };
allow xpilotd_t self:unix_stream_socket create_stream_socket_perms;

# log files
# NOTE(review): var_log_t is the generic log file type, so this rule gives the
# daemon read/write access to every file carrying that label, not only its own
# log. A dedicated log type (declared with logging_log_file and labelled via a
# file context entry) would confine the daemon to its own log file.
# No rule here grants creating the file or traversing the log directory, so
# presumably the log must already exist -- confirm.
allow xpilotd_t var_log_t:file rw_file_perms ;

## Networking basics (adjust to your needs!)
# NOTE(review): binding is limited to xpilotd_port_t by the allow rule below,
# but the corenet macros are the broad all-nodes / all-ports / unlabeled
# variants. If the server only needs its own game port, consider narrowing
# the send/receive grant accordingly.
sysnet_dns_name_resolve(xpilotd_t)
corenet_udp_bind_all_nodes(xpilotd_t)
corenet_all_recvfrom_unlabeled(xpilotd_t)
corenet_udp_sendrecv_all_ports(xpilotd_t)
allow xpilotd_t xpilotd_port_t:udp_socket { name_bind };

# Init script handling
# Lets the daemon use file descriptors and ptys handed over by init and its
# scripts, plus interactive descriptors (see the respective refpolicy
# interfaces for the exact grants).
init_use_fds(xpilotd_t)
init_use_script_ptys(xpilotd_t)
domain_use_interactive_fds(xpilotd_t)

# Game private data
# Read-only: files may be read and directories searched; nothing in this file
# grants write, create or directory listing on xpilotd_private_data_t.
allow xpilotd_t xpilotd_private_data_t:file { r_file_perms };
allow xpilotd_t xpilotd_private_data_t:dir search;

# Misc rules that are needed. I do not understand the meaning of some
# of these, and for others I do not yet understand why the game needs
# them
# NOTE(review): rules kept without a known reason should be re-checked against
# audit log denials and removed if the daemon runs without them.
kernel_read_system_state(xpilotd_t)
# Allows sending signals to processes in the same xpilotd_t domain.
allow xpilotd_t self:process signal;