policy_module(chromium-browser, 1.0.0)

gen_require(`
  type user_tmpfs_t;
  role unconfined_r;
')

type chromium_t;
unconfined_domain(chromium_t);
type chromium_exec_t;
application_domain(chromium_t, chromium_exec_t);

type chromium_renderer_t;
domain_base_type(chromium_renderer_t)

domain_auto_trans(unconfined_t, chromium_exec_t, chromium_t);
role unconfined_r types { chromium_t chromium_renderer_t };

dyntrans_pattern(chromium_t, chromium_renderer_t);

allow chromium_renderer_t self:process execmem;

allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
allow chromium_renderer_t self:shm { create destroy read write unix_read unix_write };
allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
allow chromium_renderer_t self:unix_stream_socket { create getattr read };

allow chromium_renderer_t chromium_t:fd use;
allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;

allow chromium_renderer_t user_tmpfs_t:file { read getattr append };

dev_read_urand(chromium_renderer_t);
files_list_tmp(chromium_renderer_t);
fs_rw_tmpfs_files(chromium_renderer_t);
miscfiles_read_localization(chromium_renderer_t);
miscfiles_read_fonts(chromium_renderer_t);
xdg_read_generic_config_home_files(chromium_renderer_t);