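policy_module(chromium-browser, 1.0.0)

########################################
#
# Declarations
#

# The module is written for the unconfined user only: both domains are
# added to unconfined_r below and the exec transition starts from
# unconfined_t.
gen_require(`
	role unconfined_r;
	type unconfined_t;
')

# Browser (main) process domain. domain_dyntrans_type() is required
# because the renderer is entered through a dynamic (setcon) transition
# rather than an exec; see dyntrans_pattern() below.
type chromium_t;
domain_dyntrans_type(chromium_t);

type chromium_exec_t;
application_domain(chromium_t, chromium_exec_t);

# Renderer domain. It has no entrypoint/exec type of its own, so the only
# way into it in this module is the dynamic transition from chromium_t.
type chromium_renderer_t;
domain_base_type(chromium_renderer_t);

type chromium_tmp_t;
userdom_user_tmp_file(chromium_tmp_t);

# Fix: the tmpfs attribute was previously applied to chromium_tmp_t (a
# typo), which left chromium_tmpfs_t without any file-type attribute even
# though it is the target of fs_tmpfs_filetrans() and
# xserver_user_x_domain_template() below.
type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t);

########################################
#
# Browser local policy
#

domain_auto_trans(unconfined_t, chromium_exec_t, chromium_t);
role unconfined_r types { chromium_t chromium_renderer_t };

# Browser -> renderer transition is dynamic (setcon), so the renderer
# keeps the browser's fds and sockets; the explicit fd/socket rules in
# the renderer section reflect that.
dyntrans_pattern(chromium_t, chromium_renderer_t);

manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir });

manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t);
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, notdevfile_class_set);
# NOTE(review): the renderer only gets rw_file_perms on chromium_tmpfs_t
# files (no create), so this transition may be unreachable for it —
# confirm whether it is still needed.
fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set);

xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t);

########################################
#
# Renderer local policy
#

# execmem is granted only to the renderer; the browser process has it
# denied and silenced (dontaudit) below.
allow chromium_renderer_t self:process execmem;
allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
allow chromium_renderer_t self:shm create_shm_perms;
allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
allow chromium_renderer_t self:unix_stream_socket { create getattr read write };

# Renderer <-> browser IPC over inherited fds and unix sockets.
allow chromium_renderer_t chromium_t:fd use;
allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;

dontaudit chromium_renderer_t chromium_t:dir search;
dontaudit chromium_renderer_t self:process getsched;

########################################
#
# Browser self and browser -> renderer rules
#

# Fix: stray double semicolon removed from the fifo_file rule.
allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:process { getsched setsched signal };
# Re-exec of the browser binary without a domain change; presumably for
# helper processes spawned by the browser — confirm against the caller.
allow chromium_t chromium_exec_t:file execute_no_trans;

allow chromium_t chromium_renderer_t:dir list_dir_perms;
allow chromium_t chromium_renderer_t:file read_file_perms;
allow chromium_t chromium_renderer_t:fd use;
allow chromium_t chromium_renderer_t:process signal_perms;
allow chromium_t chromium_renderer_t:shm rw_shm_perms;
allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
allow chromium_t chromium_renderer_t:unix_stream_socket { read write };

dontaudit chromium_t self:process execmem;

corecmd_exec_bin(chromium_t);
corecmd_exec_shell(chromium_t);

# Network access is given to the browser domain only; no corenet_*
# interface is called for chromium_renderer_t anywhere in this module.
corenet_tcp_connect_all_unreserved_ports(chromium_t);
corenet_tcp_connect_ftp_port(chromium_t);
corenet_tcp_connect_http_port(chromium_t);

dev_read_sysfs(chromium_t);
dev_read_urand(chromium_t);

files_list_home(chromium_t);
files_read_etc_files(chromium_t);
files_read_etc_runtime_files(chromium_t);
files_read_usr_files(chromium_t);

fs_dontaudit_getattr_xattr_fs(chromium_t);

kernel_read_kernel_sysctls(chromium_t);

miscfiles_read_localization(chromium_t);

seutil_libselinux_linked(chromium_t);

sysnet_dns_name_resolve(chromium_t);
sysnet_read_config(chromium_t);

userdom_manage_user_home_content_dirs(chromium_t);
userdom_manage_user_home_content_files(chromium_t);
userdom_use_user_ptys(chromium_t);

xdg_manage_generic_cache_home_content(chromium_t);
xdg_manage_generic_config_home_content(chromium_t);
xdg_manage_generic_data_home_content(chromium_t);

########################################
#
# Renderer interface calls
#

dev_read_urand(chromium_renderer_t);

files_list_tmp(chromium_renderer_t);
# TODO: this should be dontaudit.
files_read_etc_files(chromium_renderer_t);
files_dontaudit_read_all_symlinks(chromium_renderer_t);
files_dontaudit_search_var(chromium_renderer_t);

init_sigchld(chromium_renderer_t);

kernel_dontaudit_read_system_state(chromium_renderer_t);
kernel_dontaudit_search_sysctl(chromium_renderer_t);

miscfiles_read_localization(chromium_renderer_t);
miscfiles_read_fonts(chromium_renderer_t);

userdom_dontaudit_use_user_ptys(chromium_renderer_t);

xdg_read_generic_config_home_files(chromium_renderer_t);

########################################
#
# Optional policy
#

optional_policy(`
	cups_read_config(chromium_t);
	cups_stream_connect(chromium_t);
')

optional_policy(`
	dbus_system_bus_client(chromium_t);

	optional_policy(`
		unconfined_dbus_chat(chromium_t);
	')
')

optional_policy(`
	unconfined_sigchld(chromium_t);
	unconfined_stream_connect(chromium_t);
	unconfined_use_fds(chromium_t);

	# TODO: this should be dontaudit.
	unconfined_use_fds(chromium_renderer_t);
')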