selinux-refpolicy/policy/modules/apps/games.te

policy_module(games, 2.6.1)

########################################
#
# Declarations
#

attribute_role games_roles;

type games_t;
type games_exec_t;
userdom_user_application_domain(games_t, games_exec_t)
role games_roles types games_t;

optional_policy(`
	wm_application_domain(games_t, games_exec_t)
')

type games_data_t;
files_type(games_data_t)
ubac_constrained(games_data_t)

type games_devpts_t;
term_pty(games_devpts_t)
ubac_constrained(games_devpts_t)

type games_srv_t;
init_system_domain(games_srv_t, games_exec_t)

type games_srv_runtime_t alias games_srv_var_run_t;
files_pid_file(games_srv_runtime_t)

type games_tmp_t;
userdom_user_tmp_file(games_tmp_t)

type games_tmpfs_t;
userdom_user_tmpfs_file(games_tmpfs_t)

optional_policy(`
	pulseaudio_tmpfs_content(games_tmpfs_t)
')

########################################
#
# Server local policy
#

dontaudit games_srv_t self:capability sys_tty_config;
allow games_srv_t self:process signal_perms;

manage_files_pattern(games_srv_t, games_data_t, games_data_t)
manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)

manage_files_pattern(games_srv_t, games_srv_runtime_t, games_srv_runtime_t)
files_pid_filetrans(games_srv_t, games_srv_runtime_t, file)

can_exec(games_srv_t, games_exec_t)

kernel_read_kernel_sysctls(games_srv_t)
kernel_list_proc(games_srv_t)
kernel_read_proc_symlinks(games_srv_t)

dev_read_sysfs(games_srv_t)

fs_getattr_all_fs(games_srv_t)
fs_search_auto_mountpoints(games_srv_t)

term_dontaudit_use_console(games_srv_t)

domain_use_interactive_fds(games_srv_t)

init_use_fds(games_srv_t)
init_use_script_ptys(games_srv_t)

logging_send_syslog_msg(games_srv_t)

miscfiles_read_localization(games_srv_t)

userdom_dontaudit_use_unpriv_user_fds(games_srv_t)

userdom_dontaudit_search_user_home_dirs(games_srv_t)

optional_policy(`
	seutil_sigchld_newrole(games_srv_t)
')

optional_policy(`
	udev_read_db(games_srv_t)
')

########################################
#
# Client local policy
#

allow games_t self:fifo_file rw_fifo_file_perms;
allow games_t self:sem create_sem_perms;
allow games_t self:tcp_socket { accept listen };

manage_files_pattern(games_t, games_data_t, games_data_t)
manage_lnk_files_pattern(games_t, games_data_t, games_data_t)

allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(games_t, games_devpts_t)

manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
files_tmp_filetrans(games_t, games_tmp_t, { file dir })

manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })

can_exec(games_t, games_exec_t)

kernel_read_system_state(games_t)

corecmd_exec_bin(games_t)

corenet_all_recvfrom_netlabel(games_t)
corenet_tcp_sendrecv_generic_if(games_t)
corenet_tcp_sendrecv_generic_node(games_t)
corenet_tcp_bind_generic_node(games_t)

corenet_sendrecv_generic_server_packets(games_t)
corenet_tcp_bind_generic_port(games_t)

corenet_sendrecv_generic_client_packets(games_t)
corenet_tcp_connect_generic_port(games_t)

dev_read_sound(games_t)
dev_read_input(games_t)
dev_read_mouse(games_t)
dev_read_urand(games_t)
dev_rw_dri(games_t)
dev_write_sound(games_t)

files_list_var(games_t)
files_search_var_lib(games_t)
files_dontaudit_search_var(games_t)
files_read_etc_files(games_t)
files_read_usr_files(games_t)
files_read_var_files(games_t)

fs_dontaudit_getattr_xattr_fs(games_t)

init_dontaudit_rw_utmp(games_t)

logging_dontaudit_search_logs(games_t)

miscfiles_read_man_pages(games_t)
miscfiles_read_localization(games_t)

sysnet_dns_name_resolve(games_t)

userdom_manage_user_tmp_dirs(games_t)
userdom_manage_user_tmp_files(games_t)
userdom_manage_user_tmp_symlinks(games_t)
userdom_manage_user_tmp_sockets(games_t)
userdom_dontaudit_read_user_home_content_files(games_t)

tunable_policy(`allow_execmem',`
	allow games_t self:process execmem;
')

optional_policy(`
	dbus_all_session_bus_client(games_t)
	dbus_connect_all_session_bus(games_t)
')

optional_policy(`
	nscd_use(games_t)
')

optional_policy(`
	pulseaudio_run(games_t, games_roles)
')

optional_policy(`
	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
	xserver_create_xdm_tmp_sockets(games_t)
	xserver_read_xdm_lib_files(games_t)
	xserver_rw_mesa_shader_cache(games_t)
')