tansly/selinux_policy_soldatserver

selinux_policy_soldatserver

This is an SELinux policy module for the Soldat Dedicated Server. Surely not many people will be interested in this, but well...

Types

This module defines the following types:

  • soldatserver_t: The domain for the server process.
  • soldatserver_exec_t: The file type for the server executable; executing a file of this type is the entry point into the soldatserver_t domain.
  • soldatserver_data_t: For all kinds of read-only server data, readable by soldatserver_t.
  • soldatserver_log_t: For log and pid files of the server, writable by soldatserver_t.
  • soldatserver_data_rw_t: Read-write data of the server, such as the banned lists, admin lists etc.
  • soldatserver_port_t: For network ports that the server will bind to, such as the game port and the file server port.
  • soldatserver_lobbyport_t: For the port that the server connects to in order to register itself with the lobby.

The type enforcement rules were derived from common sense and testing. I will not go into detail here: the module is short, and the purpose of most lines can be guessed from the type names above.

File contexts

The file contexts assume that the server is installed under /opt/. Any number of server instances can be placed there, as long as each instance directory matches the pattern /opt/soldatserver_.+ (the regex requires at least one character after the underscore, so a directory named plain /opt/soldatserver/ would not be labeled by this module). For example, I run three servers as:

  • /opt/soldatserver_CTF/
  • /opt/soldatserver_DM/
  • /opt/soldatserver_RCTF/
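To make the labeling rules concrete, here is an added shell example that models how file-context (.fc) regexes anchored at /opt/soldatserver_.+ assign the types listed above to the files of several instances. It is not the module's own code and does not reproduce its actual .fc file: the five entries, the file names inside an instance directory (the soldatserver binary, logs/, banned.txt, remote.txt) and the temporary file path are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the tansly/selinux_policy_soldatserver module.
# It models how .fc regexes anchored at /opt/soldatserver_.+ label the files
# of several server instances. The five entries below are an ASSUMPTION about
# what such entries could look like (the module's real .fc is not reproduced),
# and the instance file names (soldatserver, logs/, banned.txt, remote.txt)
# are placeholders.
set -eu

# Example file_contexts entries in the installed (post-m4) form:
#   <regex>  [<-type>]  <user>:<role>:<type>:<level>
# The optional type flag restricts the entry: "--" regular file, "-d"
# directory, "-l" symlink; an entry without a flag applies to any object.
FC="${TMPDIR:-/tmp}/soldatserver_example.fc"
cat >"$FC" <<'EOF'
/opt/soldatserver_.+(/.*)?                  system_u:object_r:soldatserver_data_t:s0
/opt/soldatserver_.+/soldatserver       --  system_u:object_r:soldatserver_exec_t:s0
/opt/soldatserver_.+/logs(/.*)?             system_u:object_r:soldatserver_log_t:s0
/opt/soldatserver_.+/banned\.txt        --  system_u:object_r:soldatserver_data_rw_t:s0
/opt/soldatserver_.+/remote\.txt        --  system_u:object_r:soldatserver_data_rw_t:s0
EOF

# fc_label PATH MODE -> prints the SELinux type the .fc table assigns to PATH.
# MODE is "-" (regular file), "d" (directory) or "l" (symlink).
# Semantics modelled after file_contexts(5): every regex is implicitly
# anchored at both ends, entries whose type flag does not match MODE are
# skipped, and when several entries match, the LAST one in the file wins.
# (libselinux additionally indexes entries by their literal path prefix and
# may reorder them; this model keeps plain file order and is for reasoning
# about the regexes, not a replacement for matchpathcon(8).)
fc_label() {
    path=$1
    mode=$2
    ctx=""
    while read -r re flag rest; do
        case $re in ''|'#'*) continue ;; esac
        # An entry without a type flag has only two fields.
        if [ -z "$rest" ]; then
            rest=$flag
            flag=""
        fi
        # Type flag present and different from the object's mode: skip.
        if [ -n "$flag" ] && [ "${flag#-}" != "$mode" ]; then
            continue
        fi
        if printf '%s\n' "$path" | grep -Eq "^(${re})\$"; then
            ctx=$rest
        fi
    done <"$FC"
    # Return only the type component (third colon-separated field).
    printf '%s\n' "$ctx" | cut -d: -f3
}

# A constructed listing of three instances plus one mis-named directory.
# Format: MODE PATH. The plain /opt/soldatserver/ entry is the trap: the
# `.+` in the regex needs at least one character after the underscore.
demo_listing() {
    cat <<'EOF'
d /opt/soldatserver_CTF
- /opt/soldatserver_CTF/soldatserver
d /opt/soldatserver_CTF/logs
- /opt/soldatserver_CTF/logs/console.log
- /opt/soldatserver_DM/banned.txt
- /opt/soldatserver_DM/remote.txt
- /opt/soldatserver_RCTF/maps/ctf_Ash.pms
- /opt/soldatserver/soldatserver
EOF
}

demo_listing | while read -r mode path; do
    t=$(fc_label "$path" "$mode")
    printf '%-45s %s\n' "$path" "${t:-<no match: keeps the /opt default>}"
done
```

On a real system the authoritative answer comes from the loaded policy, not from this model: after `semodule -i` of the module, `matchpathcon /opt/soldatserver_CTF/soldatserver` shows the label the kernel will apply, and `restorecon -Rv /opt/soldatserver_CTF` relabels an existing instance.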

Notes

  • I run the servers as systemd services. I did not test any other kind of configuration. However, except for the pidfile workaround (see the .te file), which I am not sure is necessary, nothing in the module should depend on systemd or on anything else specific to my distro (Fedora Workstation 28). Still, here is my systemd unit template.

  • This module was tested on Fedora Workstation 28 with Soldat Dedicated Server 2.7.1. It does not generate any AVC denials, and it is the tightest policy I could come up with in two days of work. Note, however, that my knowledge of SELinux is fairly limited.

TODO

  • Document the rules for Telegram admin notifier, once I complete my Telegram bot and open source it.