fixes

files/scripts/selinux/chromium/chromium.fc

@@ -1,3 +1,6 @@
 /usr/lib/chromium-browser/chromium-browser				--	gen_context(system_u:object_r:chromium_exec_t,s0)
 /usr/lib/chromium-browser/chrome_crashpad_handler			--	gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/chromium-browser.sh		--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/chromium-browser.sh		--	gen_context(system_u:object_r:chromium_exec_t,s0)
+
+HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chromium_t,s0)
+HOME_DIR/\.config/chromium(/.*)?	gen_context(system_u:object_r:chromium_t,s0)

files/scripts/selinux/chromium/chromium.sh

@@ -5,6 +5,7 @@ echo "Building and Loading Policy"
 set -x
 
 make -f /usr/share/selinux/devel/Makefile chromium.pp || exit
+semodule -d chrome
 /usr/sbin/semodule -i chromium.pp -X 600
 
 /sbin/restorecon -F -R -v /usr/lib/chromium-browser/

files/scripts/selinux/chromium/chromium.te

@@ -17,8 +17,9 @@ application_domain(chromium_t, chromium_exec_t)
 role chromium_roles types chromium_t;
 
 allow chromium_t self:process { execmem getcap getsched setcap setrlimit setsched sigkill signal signull };
-allow chromium_t self:dir { add_name write };
-allow chromium_t self:file create;
+allow chromium_t self:dir { add_name create read remove_name rmdir write };
+allow chromium_t self:file { append create execute getattr ioctl lock map open read rename unlink write };
+allow chromium_t self:lnk_file { create read unlink };
 allow chromium_t self:fifo_file rw_fifo_file_perms;
 allow chromium_t self:sem create_sem_perms;
 allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -40,103 +41,96 @@ kernel_unconfined(chromium_t)
 corenet_unconfined(chromium_t)
 dev_unconfined(chromium_t)
 
-optional_policy(`
-	gen_require(`
-		type data_home_t;
-		type bin_t;
-		type cache_home_t;
-		type cert_t;
-		type chrome_sandbox_home_t;
-		type config_home_t;
-		type etc_t;
-		type hwdata_t;
-		type init_t;
-		type locale_t;
-		type net_conf_t;
-		type passwd_file_t;
-		type pcscd_t;
-		type pcscd_var_run_t;
-		type pulseaudio_home_t;
-		type proc_t;
-		type root_t;
-		type session_dbusd_tmp_t;
-		type shell_exec_t;
-		type sysfs_t;
-		type system_dbusd_t;
-		type system_dbusd_var_run_t;
-		type systemd_resolved_var_run_t;
-		type tmp_t;
-		type tmpfs_t;
-		type unconfined_t;
-		type unconfined_dbusd_t;
-		type user_fonts_t;
-		type user_fonts_cache_t;
-		type user_fonts_config_t;
-		type user_home_dir_t;
-		type user_home_t;
-		type user_tmp_t;
-		type var_lib_t;
-	')
-
-	allow chromium_t data_home_t:file { read write getattr open map };
-	allow chromium_t bin_t:file { execute execute_no_trans map };
-	allow chromium_t cache_home_t:file { lock getattr open read write map };
-	allow chromium_t cache_home_t:dir { add_name create write };
-	allow chromium_t cert_t:file map;
-	allow chromium_t chrome_sandbox_home_t:dir { add_name create read remove_name rmdir write };
-	allow chromium_t chrome_sandbox_home_t:file { append create execute getattr ioctl lock open read rename unlink write };
-	allow chromium_t chrome_sandbox_home_t:file map;
-	allow chromium_t chrome_sandbox_home_t:lnk_file { create read unlink };
-	allow chromium_t chromium_exec_t:file execute_no_trans;
-	allow chromium_t config_home_t:file { getattr open read write append create ioctl lock rename unlink map };
-	allow chromium_t config_home_t:lnk_file { create unlink };
-	allow chromium_t config_home_t:dir { add_name create read remove_name rename rmdir write };
-	allow chromium_t data_home_t:dir { add_name read write };
-	allow chromium_t data_home_t:file { create ioctl };
-	allow chromium_t data_home_t:lnk_file { read };
-	allow chromium_t etc_t:file map;
-	allow chromium_t hwdata_t:file { getattr open read };
-	allow chromium_t init_t:dir search;
-	allow chromium_t locale_t:dir { watch };
-	allow chromium_t net_conf_t:file { getattr open read };
-	allow chromium_t net_conf_t:lnk_file { getattr read };
-	allow chromium_t passwd_file_t:file { getattr open read };
-	allow chromium_t pcscd_t:unix_stream_socket connectto;
-	allow chromium_t pcscd_var_run_t:sock_file { getattr write };
-	allow chromium_t pulseaudio_home_t:file { lock open read };
-	allow chromium_t proc_t:filesystem associate;
-	allow chromium_t root_t:dir watch;
-	allow chromium_t self:netlink_route_socket nlmsg_read;
-	allow chromium_t session_dbusd_tmp_t:sock_file write;
-	allow chromium_t shell_exec_t:file map;
-	allow chromium_t shell_exec_t:file { execute execute_no_trans };
-	allow chromium_t sysfs_t:dir read;
-	allow chromium_t sysfs_t:file { getattr open read };
-	allow chromium_t sysfs_t:lnk_file { read getattr };
-	allow chromium_t system_dbusd_t:unix_stream_socket connectto;
-	allow chromium_t system_dbusd_var_run_t:sock_file write;
-	allow chromium_t systemd_resolved_var_run_t:dir { read watch };
-	allow chromium_t tmp_t:dir { add_name create read remove_name rmdir write };
-	allow chromium_t tmp_t:lnk_file { create unlink };
-	allow chromium_t tmp_t:file { create open unlink write };
-	allow chromium_t tmp_t:sock_file { create getattr unlink };
-	allow chromium_t tmpfs_t:file { create getattr open read unlink write map };
-	allow chromium_t unconfined_dbusd_t:unix_stream_socket connectto;
-	allow chromium_t unconfined_t:unix_stream_socket connectto;
-	allow chromium_t user_fonts_cache_t:file { map getattr open read };
-	allow chromium_t user_fonts_config_t:file { getattr open read };
-	allow chromium_t user_fonts_t:dir read;
-	allow chromium_t user_fonts_t:file { open map };
-	allow chromium_t user_home_dir_t:dir { add_name create remove_name write };
-	allow chromium_t user_home_dir_t:file { append create getattr lock open read setattr unlink write };
-	allow chromium_t user_home_t:dir read;
-	allow chromium_t user_tmp_t:sock_file write;
-	allow chromium_t user_tmp_t:dir read;
-	allow chromium_t var_lib_t:dir read;
-	allow chromium_t var_lib_t:file { getattr open read };
-	allow chromium_t var_lib_t:file map;
+gen_require(`
+	type data_home_t;
+	type bin_t;
+	type cache_home_t;
+	type cert_t;
+	type config_home_t;
+	type etc_t;
+	type hwdata_t;
+	type init_t;
+	type locale_t;
+	type net_conf_t;
+	type passwd_file_t;
+	type pcscd_t;
+	type pcscd_var_run_t;
+	type pulseaudio_home_t;
+	type proc_t;
+	type root_t;
+	type session_dbusd_tmp_t;
+	type shell_exec_t;
+	type sysfs_t;
+	type system_dbusd_t;
+	type system_dbusd_var_run_t;
+	type systemd_resolved_var_run_t;
+	type tmp_t;
+	type tmpfs_t;
+	type unconfined_t;
+	type unconfined_dbusd_t;
+	type user_fonts_t;
+	type user_fonts_cache_t;
+	type user_fonts_config_t;
+	type user_home_dir_t;
+	type user_home_t;
+	type user_tmp_t;
+	type var_lib_t;
 ')
 
+allow chromium_t data_home_t:file { read write getattr open map };
+allow chromium_t bin_t:file { execute execute_no_trans map };
+allow chromium_t cache_home_t:file { lock getattr open read write map };
+allow chromium_t cache_home_t:dir { add_name create write };
+allow chromium_t cert_t:file map;
+allow chromium_t chromium_exec_t:file execute_no_trans;
+allow chromium_t config_home_t:file { getattr open read write append create ioctl lock rename unlink map };
+allow chromium_t config_home_t:lnk_file { create unlink };
+allow chromium_t config_home_t:dir { add_name create read remove_name rename rmdir write };
+allow chromium_t data_home_t:dir { add_name read write };
+allow chromium_t data_home_t:file { create ioctl };
+allow chromium_t data_home_t:lnk_file { read };
+allow chromium_t etc_t:file map;
+allow chromium_t hwdata_t:file { getattr open read };
+allow chromium_t init_t:dir search;
+allow chromium_t locale_t:dir { watch };
+allow chromium_t net_conf_t:file { getattr open read };
+allow chromium_t net_conf_t:lnk_file { getattr read };
+allow chromium_t passwd_file_t:file { getattr open read };
+allow chromium_t pcscd_t:unix_stream_socket connectto;
+allow chromium_t pcscd_var_run_t:sock_file { getattr write };
+allow chromium_t pulseaudio_home_t:file { lock open read };
+allow chromium_t proc_t:filesystem associate;
+allow chromium_t root_t:dir watch;
+allow chromium_t self:netlink_route_socket nlmsg_read;
+allow chromium_t session_dbusd_tmp_t:sock_file write;
+allow chromium_t shell_exec_t:file map;
+allow chromium_t shell_exec_t:file { execute execute_no_trans };
+allow chromium_t sysfs_t:dir read;
+allow chromium_t sysfs_t:file { getattr open read };
+allow chromium_t sysfs_t:lnk_file { read getattr };
+allow chromium_t system_dbusd_t:unix_stream_socket connectto;
+allow chromium_t system_dbusd_var_run_t:sock_file write;
+allow chromium_t systemd_resolved_var_run_t:dir { read watch };
+allow chromium_t tmp_t:dir { add_name create read remove_name rmdir write };
+allow chromium_t tmp_t:lnk_file { create unlink };
+allow chromium_t tmp_t:file { create open unlink write };
+allow chromium_t tmp_t:sock_file { create getattr unlink };
+allow chromium_t tmpfs_t:file { create getattr open read unlink write map };
+allow chromium_t unconfined_dbusd_t:unix_stream_socket connectto;
+allow chromium_t unconfined_t:unix_stream_socket connectto;
+allow chromium_t user_fonts_cache_t:file { map getattr open read };
+allow chromium_t user_fonts_config_t:file { getattr open read };
+allow chromium_t user_fonts_t:dir read;
+allow chromium_t user_fonts_t:file { open map };
+allow chromium_t user_home_dir_t:dir { add_name create remove_name write };
+allow chromium_t user_home_dir_t:file { append create getattr lock open read setattr unlink write };
+allow chromium_t user_home_t:dir read;
+allow chromium_t user_tmp_t:sock_file write;
+allow chromium_t user_tmp_t:dir read;
+allow chromium_t var_lib_t:dir read;
+allow chromium_t var_lib_t:file { getattr open read };
+allow chromium_t var_lib_t:file map;
+
 files_list_home(chromium_t)
 files_search_home(chromium_t)
 files_read_usr_files(chromium_t)