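# SELinux policy module for the Chromium browser.
#
# Two domains are declared:
#   chromium_t          - the browser process. It is made an unconfined domain
#                         below, so this module does not restrict it.
#   chromium_renderer_t - the renderer domain. It starts from the base domain
#                         attribute and receives only the access granted by
#                         the rules at the end of this file.
policy_module(chromium-browser, 1.0.0)

# External symbols this module references directly. unconfined_t is the source
# domain of the automatic transition further down, so it is required
# explicitly instead of relying on a require pulled in by another interface.
gen_require(`
	role unconfined_r;
	type unconfined_t;
')

########################################
# Declarations
#

# Browser domain and its entry point executable type.
# NOTE(review): unconfined_domain means chromium_t itself is not contained by
# this policy; only the renderer domain is.
type chromium_t;
unconfined_domain(chromium_t);

type chromium_exec_t;
application_domain(chromium_t, chromium_exec_t);

# Renderer domain: base domain attribute only, no unconfined access.
type chromium_renderer_t;
domain_base_type(chromium_renderer_t);

# Private type for files the browser creates under the temporary directory.
type chromium_tmp_t;
userdom_user_tmp_file(chromium_tmp_t);

# Private type for tmpfs (shared memory) objects.
# Fix: the tmpfs interface is now applied to chromium_tmpfs_t. The original
# passed chromium_tmp_t a second time, which left chromium_tmpfs_t without the
# user tmpfs file setup while it is still used as a tmpfs transition target.
type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t);

########################################
# Domain transitions and role
#

# Executing a chromium_exec_t file from unconfined_t enters chromium_t.
domain_auto_trans(unconfined_t, chromium_exec_t, chromium_t);

# Both domains may run under the unconfined role.
role unconfined_r types { chromium_t chromium_renderer_t };

# Allow a chromium_t process to move into chromium_renderer_t at run time
# (dynamic transition). No rule in this module grants the reverse direction.
dyntrans_pattern(chromium_t, chromium_renderer_t);

########################################
# Browser (chromium_t) file access
#

# Full management of its own temporary files and directories; new files and
# directories created in the temporary directory get chromium_tmp_t.
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir });

# tmpfs objects created by either domain are labelled chromium_tmpfs_t.
# notdevfile_class_set covers the file classes other than device nodes.
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t);
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, notdevfile_class_set);
fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set);

# X server client access for the browser domain.
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t);

########################################
# Renderer (chromium_renderer_t) policy
#
# This list is the whole of what the renderer domain is granted by this
# module. Review any addition here as a widening of the renderer boundary.

# execmem permits memory that is both writable and executable.
# NOTE(review): presumably needed for JIT-compiled script code - confirm
# before removing; it is the broadest permission in this section.
allow chromium_renderer_t self:process execmem;

# IPC objects the renderer creates for itself.
allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
allow chromium_renderer_t self:shm create_shm_perms;
allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
allow chromium_renderer_t self:unix_stream_socket { create getattr read };

# Use descriptors inherited from the browser and talk to it over its
# already-open stream sockets.
allow chromium_renderer_t chromium_t:fd use;
allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;

# Read and write (not create, rename or unlink) existing shared memory files.
allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;

# Read-only access to the urandom device, locale data, fonts and the
# generic XDG configuration files in the user home.
dev_read_urand(chromium_renderer_t);
miscfiles_read_localization(chromium_renderer_t);
miscfiles_read_fonts(chromium_renderer_t);
xdg_read_generic_config_home_files(chromium_renderer_t);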