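policy_module(xonotic, 0.1.6)

########################################
#
# Declarations
#

# Roles permitted to enter xonotic_t (populated by other modules).
attribute_role xonotic_roles;

# Daemon domain and the entrypoint label of the server binary.
type xonotic_t;
type xonotic_exec_t;
init_daemon_domain(xonotic_t, xonotic_exec_t)
role xonotic_roles types xonotic_t;

# Init script label for the service.
# (Interface calls take no trailing ';'; the stray one here was dropped.)
type xonotic_initrc_exec_t;
init_script_file(xonotic_initrc_exec_t)

# Server log files under the system log tree.
type xonotic_var_log_t;
logging_log_file(xonotic_var_log_t)

# Installation / data tree. This is a different type from xonotic_exec_t,
# so the write access granted below does not reach the daemon's own binary.
type xonotic_opt_t;
files_type(xonotic_opt_t)

########################################
#
# Local policy
#

# Sockets on self. The UDP socket is the one that gets bound (see the
# corenet_udp_bind_* rules below). The route netlink socket is typically
# used for local interface/address lookup -- confirm against the binary.
# The TCP socket is outbound only: connect, but no bind/listen/accept.
allow xonotic_t self:udp_socket create_socket_perms;
allow xonotic_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow xonotic_t self:tcp_socket { write getattr connect read getopt create };

# Logging: deliberately append + create rather than manage_files_pattern,
# so the daemon can add to its logs but cannot rewrite existing content.
# Keep it this way when extending the policy.
manage_dirs_pattern(xonotic_t, xonotic_var_log_t, xonotic_var_log_t)
append_files_pattern(xonotic_t, xonotic_var_log_t, xonotic_var_log_t)
create_files_pattern(xonotic_t, xonotic_var_log_t, xonotic_var_log_t)
logging_log_filetrans(xonotic_t, xonotic_var_log_t, file)

# Installation tree: full read/write on dirs and files.
manage_dirs_pattern(xonotic_t, xonotic_opt_t, xonotic_opt_t)
manage_files_pattern(xonotic_t, xonotic_opt_t, xonotic_opt_t)
# Files created in an xonotic_opt_t directory already inherit xonotic_opt_t,
# so this transition is redundant; kept for clarity, it changes nothing.
type_transition xonotic_t xonotic_opt_t:file xonotic_opt_t;

# Network access. Both port grants are broad (any unreserved UDP port for
# binding, any reserved TCP port for outbound connects); narrow them to
# the configured game port and the remote services actually contacted
# once those are known.
corenet_udp_bind_generic_node(xonotic_t)
corenet_udp_bind_all_unreserved_ports(xonotic_t)
corenet_tcp_connect_all_reserved_ports(xonotic_t)

# Common daemon needs: /proc, entropy, name resolution via nsswitch,
# network config, locale data.
kernel_read_system_state(xonotic_t)
dev_read_urand(xonotic_t)
auth_use_nsswitch(xonotic_t)
sysnet_read_config(xonotic_t)
miscfiles_read_localization(xonotic_t)

# Running under supervisor. The supervisor_service_domain() call used to
# sit outside optional_policy while the gen_require for supervisor_t was
# inside it; an unconditional call to an interface from an absent module
# fails the build, which made the optional block ineffective. The whole
# dependency is now optional together.
optional_policy(`
	gen_require(`
		type supervisor_t;
	')

	supervisor_service_domain(xonotic_t, xonotic_exec_t)
	allow supervisor_t xonotic_opt_t:dir search;
')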