policy_module(minecraft, 1.1.10)

########################################
#
# Declarations
#

# Role attribute for this module. Nothing else in this file references it;
# presumably the interface file attaches roles to it - TODO confirm.
attribute_role minecraft_roles;

# Confined domain for the server and the entrypoint type of its executable.
# init_daemon_domain sets up the transition from init into minecraft_t.
type minecraft_t;
type minecraft_exec_t;
init_daemon_domain(minecraft_t, minecraft_exec_t)

# Private type for temporary files created by the server.
type minecraft_tmp_t;
files_tmp_file(minecraft_tmp_t)

# Private file type managed by the server. The name suggests an install
# tree under /opt, but the file contexts are not part of this file.
type minecraft_opt_t;
files_type(minecraft_opt_t)

########################################
#
# Local policy
#

# execmem permits executable anonymous memory in this domain. Presumably
# required by the Java JIT - confirm before tightening.
allow minecraft_t self:process { execmem getsched };
allow minecraft_t self:fifo_file { read write getattr };
# TCP: both server side (bind, listen, accept) and client side (connect).
allow minecraft_t self:tcp_socket { create bind getattr setopt listen write read connect getopt accept};
allow minecraft_t self:udp_socket { create ioctl write read getattr connect };
# Netlink route access is query only: nlmsg_read is granted, nlmsg_write is not.
allow minecraft_t self:netlink_route_socket { write getattr read bind create nlmsg_read };

# Full create/read/write/delete access to the private data tree.
manage_dirs_pattern(minecraft_t, minecraft_opt_t, minecraft_opt_t)
manage_files_pattern(minecraft_t, minecraft_opt_t, minecraft_opt_t)
# NOTE(review): the default type equals the parent directory type here, which
# is what new objects would inherit anyway, so these two rules look redundant.
type_transition minecraft_t minecraft_opt_t:file minecraft_opt_t;
type_transition minecraft_t minecraft_opt_t:dir minecraft_opt_t;

# Full access to private temporary files and directories.
manage_dirs_pattern(minecraft_t,minecraft_tmp_t,minecraft_tmp_t)
manage_files_pattern(minecraft_t,minecraft_tmp_t,minecraft_tmp_t)
# NOTE(review): minecraft_tmp_t is both writable (manage_files_pattern above)
# and executable by the same domain. Together with execmem this removes
# write-xor-execute separation inside minecraft_t. Presumably needed for
# native libraries unpacked at runtime - confirm, and audit which other
# domains can write minecraft_tmp_t.
allow minecraft_t minecraft_tmp_t:file execute;
# Files and directories created in generic tmp directories get minecraft_tmp_t.
files_tmp_filetrans(minecraft_t,minecraft_tmp_t, { file dir })

# map is checked separately from read and execute when a file is mmapped.
allow minecraft_t minecraft_opt_t:file map;
allow minecraft_t minecraft_tmp_t:file map;

# Generic binaries and shells run without a domain transition, so anything
# the server spawns this way stays confined as minecraft_t.
corecmd_exec_bin(minecraft_t)
corecmd_exec_shell(minecraft_t)

# Read-only access to system configuration and shared data.
files_read_etc_files(minecraft_t)
files_read_usr_files(minecraft_t)
miscfiles_read_localization(minecraft_t)
sysnet_read_config(minecraft_t)

# Random number devices and sysfs, read only.
dev_read_urand(minecraft_t)
dev_read_sysfs(minecraft_t)
dev_read_rand(minecraft_t)

# Kernel state and sysctls, read or search only.
kernel_read_vm_sysctls(minecraft_t)
kernel_read_network_state(minecraft_t)
kernel_read_system_state(minecraft_t)
kernel_search_network_sysctl(minecraft_t)
kernel_read_net_sysctls(minecraft_t)
kernel_read_vm_overcommit_sysctl(minecraft_t)

# Outbound TCP is limited to ports labeled as http.
corenet_tcp_connect_http_port(minecraft_t)
# NOTE(review): this allows listening on every unreserved TCP port. If the
# server only needs its game port (and optionally query/rcon), a dedicated
# port type would give a tighter bind rule - left unchanged here.
corenet_tcp_bind_all_unreserved_ports(minecraft_t)
# Allow binding TCP sockets on generic (unlabeled-by-policy) network nodes.
corenet_tcp_bind_generic_node(minecraft_t)

# Read-only view of cgroup files; no write access to cgroups is granted here.
fs_read_cgroup_files(minecraft_t)
fs_search_cgroup_dirs(minecraft_t)

# Execute the Java runtime. By refpolicy naming convention an _exec interface
# runs the program in the caller domain, so the JVM stays in minecraft_t -
# confirm against the java interface file.
java_exec(minecraft_t)

# Applied only when the supervisor module is installed.
# supervisor_service_domain presumably lets supervisor_t start
# minecraft_exec_t as minecraft_t - confirm against the supervisor
# interface file. The extra allow rule grants supervisor_t directory
# search only on minecraft_opt_t, not read or write access to its files.
optional_policy(`
	gen_require(`
		type supervisor_t;
	')

	supervisor_service_domain(minecraft_t,minecraft_exec_t)
	allow supervisor_t minecraft_opt_t:dir search;
')