blob: ae2f8b7a46ad144526530c0dc1c9b35a53876a3d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
policy_module(chromium-browser,1.0.0)
gen_require(`
type gnome_home_t;
type proc_t;
type tmpfs_t;
type unconfined_t;
type urandom_device_t;
type user_devpts_t;
type user_tmpfs_t;
')
type chromium_renderer_t;
domain_base_type(chromium_renderer_t)
role unconfined_r types chromium_renderer_t;
allow unconfined_t chromium_renderer_t:process { dyntransition };
allow chromium_renderer_t unconfined_t:unix_stream_socket { read write send_msg recv_msg };
allow unconfined_t chromium_renderer_t:unix_stream_socket { read write send_msg recv_msg };
allow chromium_renderer_t urandom_device_t:chr_file { read };
allow chromium_renderer_t user_devpts_t:chr_file { write };
allow chromium_renderer_t self:process { execmem };
allow chromium_renderer_t self:fifo_file { read write };
allow chromium_renderer_t self:unix_dgram_socket { read write create send_msg recv_msg sendto };
allow chromium_renderer_t unconfined_t:unix_dgram_socket { read write send_msg recv_msg };
allow unconfined_t chromium_renderer_t:unix_dgram_socket { read write send_msg recv_msg };
allow chromium_renderer_t user_tmpfs_t:file { read write append open getattr };
allow chromium_renderer_t tmpfs_t:file { read write };
allow chromium_renderer_t self:shm { create destroy getattr setattr read write associate unix_read unix_write };
# For reading dictionaries out of the user-data-dir
allow chromium_renderer_t gnome_home_t:file { read getattr };
miscfiles_read_localization(chromium_renderer_t);
miscfiles_read_fonts(chromium_renderer_t);
# The renderer will attempt to read meminfo
dontaudit chromium_renderer_t proc_t:file { read };
|
