policy_module(starbound, 0.1.9)

########################################
#
# Declarations
#

# Role attribute for this module. Nothing in this file references it;
# presumably the companion interface file does - TODO confirm.
attribute_role starbound_roles;

# Confined domain for the server process and the label of its entrypoint
# executable. init_daemon_domain wires up the transition from init.
type starbound_t;
type starbound_exec_t;
init_daemon_domain(starbound_t, starbound_exec_t)

# Private file type for the tree the server owns. The file contexts are
# not visible here; presumably this labels the install directory - verify.
type starbound_opt_t;
files_type(starbound_opt_t)

# Private type for scratch files created in the system tmp directory.
type starbound_tmp_t;
files_tmp_file(starbound_tmp_t)

########################################
#
# Local policy
#

# --- Process self-access ---------------------------------------------
# Only the plain signal permission is granted on the domain itself.
allow starbound_t self:process signal;

# --- Networking ------------------------------------------------------
# Listener-side TCP permissions only: no connect permission appears in
# this set, so this file grants no outbound TCP connections.
allow starbound_t self:tcp_socket { create bind listen accept setopt read write shutdown };

# Route netlink access is limited to queries: nlmsg_read is present and
# nlmsg_write is not.
allow starbound_t self:netlink_route_socket { create bind getattr read write nlmsg_read };

corenet_tcp_bind_generic_node(starbound_t)
# NOTE(review): this allows binding to every unreserved TCP port, not one
# service port. If the server listens on a fixed port, a dedicated port
# type would keep a compromised process from squatting on other ports.
corenet_tcp_bind_all_unreserved_ports(starbound_t)

# --- Kernel and device state (read-only) -----------------------------
kernel_read_system_state(starbound_t)
kernel_read_vm_sysctls(starbound_t)
dev_read_sysfs(starbound_t)
dev_read_urand(starbound_t)

# --- Private data tree -----------------------------------------------
# Full create/modify/delete on starbound_opt_t files and directories.
# No execute permission on this type is granted anywhere in this file.
manage_dirs_pattern(starbound_t, starbound_opt_t, starbound_opt_t)
manage_files_pattern(starbound_t, starbound_opt_t, starbound_opt_t)
# NOTE(review): the result type equals the parent directory type, which
# is what new objects receive by default; these two rules look redundant
# but are kept as written - confirm before removing.
type_transition starbound_t starbound_opt_t:dir starbound_opt_t;
type_transition starbound_t starbound_opt_t:file starbound_opt_t;

# --- Temporary files -------------------------------------------------
manage_dirs_pattern(starbound_t, starbound_tmp_t, starbound_tmp_t)
manage_files_pattern(starbound_t, starbound_tmp_t, starbound_tmp_t)
# NOTE(review): the transition covers the file class only. Directories
# created in the tmp directory would not pick up starbound_tmp_t even
# though directory management is granted above - confirm this is intended.
files_tmp_filetrans(starbound_t, starbound_tmp_t, file)

# --- Miscellaneous ---------------------------------------------------
miscfiles_read_localization(starbound_t)

# --- Optional supervisor integration ---------------------------------
# Applied only when a module providing supervisor_t is loaded. Besides the
# service-domain interface call, the supervisor domain is granted search
# on starbound_opt_t directories and nothing else on that type.
optional_policy(`
	gen_require(`
		type supervisor_t;
	')

	supervisor_service_domain(starbound_t, starbound_exec_t)
	allow supervisor_t starbound_opt_t:dir search;
')