# SELinux policy module confining a Terraria server daemon in the
# terraria_t domain. The module declares the domain, its entrypoint type,
# a type for its /opt tree and a type for its temporary files, then grants
# the access the daemon needs.
policy_module(terraria, 0.1.4)

########################################
#
# Declarations
#

# Role attribute for this module.
# NOTE(review): no rule in this file references terraria_roles; confirm it
# is used by a companion interface file or drop it.
attribute_role terraria_roles;

# terraria_t is the process domain, terraria_exec_t labels the entrypoint
# executable. init_daemon_domain makes this a daemon domain started by init.
type terraria_t;
type terraria_exec_t;
init_daemon_domain(terraria_t,terraria_exec_t)

# Label for the server installation and data tree.
# The path mapping lives in the file-contexts file, not shown here.
type terraria_opt_t;
files_type(terraria_opt_t)

# Label for temporary files created by the daemon.
type terraria_tmp_t;
files_tmp_file(terraria_tmp_t)

########################################
#
# Local policy
#

# execmem permits anonymous memory that is writable and executable.
# NOTE(review): presumably required by a JIT-compiling runtime; it removes
# a memory-protection barrier for this domain, so confirm it is still needed
# before carrying it forward.
allow terraria_t self:process { execmem signal signull getsched };

# Listening-side TCP permissions on the domain's own sockets.
# NOTE(review): read, write and connect are not listed in this rule; if the
# daemon has them they come from one of the interfaces below. Verify the
# effective set with sesearch on the built policy.
allow terraria_t self:tcp_socket { bind create setopt shutdown accept listen };

# Name service lookups and locale data.
auth_use_nsswitch(terraria_t)
miscfiles_read_localization(terraria_t)

# The daemon may bind any unreserved TCP port on any local address.
# NOTE(review): this is broader than a single game port. A dedicated port
# type bound only to the configured port would limit what a compromised
# daemon could listen on.
corenet_tcp_bind_all_unreserved_ports(terraria_t)
corenet_tcp_bind_generic_node(terraria_t)

# Read-only view of kernel and device state, plus management of files on
# tmpfs filesystems.
kernel_read_system_state(terraria_t)
fs_manage_tmpfs_files(terraria_t)
kernel_read_vm_sysctls(terraria_t)
fs_getattr_tmpfs(terraria_t)
dev_read_sysfs(terraria_t)

# Full management of directories and files labelled terraria_opt_t.
manage_dirs_pattern(terraria_t,terraria_opt_t,terraria_opt_t)
manage_files_pattern(terraria_t,terraria_opt_t,terraria_opt_t)
# NOTE(review): execute is granted on the same type the domain can create
# and write, so the daemon can map as executable any file it wrote itself.
# Separate types for read-only program files and for writable data would
# restore write-xor-execute at the file level; that needs new types and
# matching file-context entries.
allow terraria_t terraria_opt_t:file execute;
# Objects created by the daemon inside terraria_opt_t directories keep the
# terraria_opt_t label. This matches the default of inheriting the parent
# directory type; the rules make it explicit.
type_transition terraria_t terraria_opt_t:file terraria_opt_t;
type_transition terraria_t terraria_opt_t:dir terraria_opt_t;

# Private temporary files: files the daemon creates in the generic temporary
# directory are labelled terraria_tmp_t.
# NOTE(review): the transition names only the file class, while directories
# of type terraria_tmp_t are also manageable above; confirm whether
# directory creation in the temporary directory is expected to work.
manage_dirs_pattern(terraria_t,terraria_tmp_t,terraria_tmp_t)
manage_files_pattern(terraria_t,terraria_tmp_t,terraria_tmp_t)
files_tmp_filetrans(terraria_t,terraria_tmp_t, file)

# Integration with a process supervisor, active only when the policy
# providing supervisor_t is installed.
optional_policy(`
	gen_require(`
		type supervisor_t;
	')

	# Interface defined by the supervisor module and not visible here.
	# NOTE(review): presumably lets supervisor_t run terraria_exec_t and
	# transition into terraria_t; confirm against that module.
	supervisor_service_domain(terraria_t,terraria_exec_t)
	# Lets the supervisor search the installation directories.
	allow supervisor_t terraria_opt_t:dir search;
	# siginh and rlimitinh keep signal state and resource limits across the
	# transition from supervisor_t into terraria_t.
	# NOTE(review): noatsecure turns off secure-execution mode for this
	# transition, so loader-affecting environment variables set in the
	# supervisor reach the daemon unsanitised. Keep it only if the supervisor
	# environment is trusted and the daemon needs it.
	allow supervisor_t terraria_t:process { siginh rlimitinh noatsecure };
')