fix

RoyalOughtness · Jan 13, 2025 · 9c1580c · 9c1580c
1 parent 9ab0116
commit 9c1580c
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/files/scripts/selinux/chromium/chromium.te b/files/scripts/selinux/chromium/chromium.te
@@ -45,13 +45,15 @@ gen_require(`
     type chrome_sandbox_home_t;
     type config_home_t;
     type data_home_t;
+	type dma_device_t;
     type dri_device_t;
     type etc_t;
     type fs_t;
     type gconf_home_t;
     type hwdata_t;
     type http_port_t;
     type init_t;
+	type init_var_run_t
     type locale_t;
     type net_conf_t;
     type passwd_file_t;
@@ -61,6 +63,7 @@ gen_require(`
     type root_t;
     type session_dbusd_tmp_t;
     type shell_exec_t;
+	type sysctl_fs_t;
     type sysfs_t;
     type system_dbusd_t;
     type system_dbusd_var_run_t;
@@ -71,6 +74,7 @@ gen_require(`
     type tmpfs_t;
     type unconfined_dbusd_t;
     type unconfined_t;
+	type udev_var_run_t;
     type user_devpts_t;
     type user_fonts_cache_t;
     type user_fonts_config_t;
@@ -85,6 +89,7 @@ allow chromium_t alsa_etc_rw_t:file { getattr };
 allow chromium_t bin_t:file { execute execute_no_trans map };
 allow chromium_t cache_home_t:dir { add_name create getattr search write };
 allow chromium_t cache_home_t:file { create lock getattr open read write map };
+allow chromium_t chromium_exec_t:file execute_no_trans;
 allow chromium_t cert_t:file map;
 allow chromium_t chrome_sandbox_home_t:dir { add_name create read remove_name rmdir write getattr open rename search };
 allow chromium_t chrome_sandbox_home_t:file { append create execute getattr ioctl lock map open read rename unlink write };
@@ -95,46 +100,53 @@ allow chromium_t config_home_t:file { getattr open read write append create ioct
 allow chromium_t data_home_t:dir { add_name getattr open read search watch write };
 allow chromium_t data_home_t:file { create ioctl read write getattr open map };
 allow chromium_t data_home_t:lnk_file { read };
+allow chromium_t dma_device_t:chr_file { getattr map ioctl open read write  };
 allow chromium_t dri_device_t:chr_file { getattr map ioctl open read write };
 allow chromium_t etc_t:file map;
 allow chromium_t fs_t:filesystem { associate getattr };
 allow chromium_t gconf_home_t:dir { search };
 allow chromium_t hwdata_t:file { getattr open read };
 allow chromium_t hwdata_t:dir { search };
 allow chromium_t http_port_t:tcp_socket { name_connect };
+allow chromium_t init_var_run_t:dir { search };
 allow chromium_t init_t:dir search;
 allow chromium_t locale_t:dir { watch };
 allow chromium_t net_conf_t:file { getattr open read };
 allow chromium_t net_conf_t:lnk_file { getattr read };
 allow chromium_t passwd_file_t:file { getattr open read };
 allow chromium_t pcscd_t:unix_stream_socket connectto;
 allow chromium_t pcscd_var_run_t:sock_file { getattr write };
+allow chromium_t pcscd_var_run_t:dir { search };
 allow chromium_t proc_t:filesystem associate;
 allow chromium_t proc_t:dir { read };
 allow chromium_t proc_t:file { read open getattr };
 allow chromium_t pulseaudio_home_t:file { lock open read };
 allow chromium_t root_t:dir watch;
 allow chromium_t self:netlink_route_socket nlmsg_read;
 allow chromium_t shell_exec_t:file { map execute execute_no_trans };
+allow chromium_t sysctl_fs_t:dir search;
+allow chromium_t sysctl_fs_t:file { read getattr open };
 allow chromium_t sysfs_t:dir read;
 allow chromium_t sysfs_t:file { getattr open read };
 allow chromium_t sysfs_t:lnk_file { read getattr };
 allow chromium_t systemd_hostnamed_t:dbus { send_msg };
 allow chromium_t systemd_resolved_var_run_t:dir { read watch };
 allow chromium_t tmp_t:dir { add_name create read remove_name rmdir write };
 allow chromium_t tmp_t:lnk_file { create unlink };
-allow chromium_t tmp_t:file { create open unlink write };
-allow chromium_t tmp_t:sock_file { create getattr unlink };
+allow chromium_t tmp_t:file { create open unlink write map };
+allow chromium_t tmp_t:sock_file { create getattr unlink write };
 allow chromium_t tmpfs_t:file { create getattr open read unlink write map };
+allow chromium_t udev_var_run_t:dir { search };
 allow chromium_t user_devpts_t:chr_file { getattr ioctl read write };
 allow chromium_t user_fonts_cache_t:file { map getattr open read };
 allow chromium_t user_fonts_config_t:file { getattr open read };
 allow chromium_t user_fonts_t:dir read;
 allow chromium_t user_fonts_t:file { open map };
-allow chromium_t user_home_dir_t:dir { add_name create remove_name write };
+allow chromium_t user_home_dir_t:dir { add_name create remove_name write getattr search };
 allow chromium_t user_home_dir_t:file { append create getattr lock open read setattr unlink write };
-allow chromium_t user_home_t:dir read;
-allow chromium_t user_tmp_t:dir read;
+allow chromium_t user_home_t:dir { read add_name search getattr write remove_name };
+allow chromium_t user_tmp_t:dir { read search getattr open };
+allow chromium_t user_tmp_t:file { create open read write rename unlink setattr };
 allow chromium_t user_tmp_t:sock_file write;
 allow chromium_t var_lib_t:dir read;
 allow chromium_t var_lib_t:file { getattr open map read };