diff --git a/files/scripts/selinux/chromium/chromium.fc b/files/scripts/selinux/chromium/chromium.fc index 8ff2f983..b9304adb 100644 --- a/files/scripts/selinux/chromium/chromium.fc +++ b/files/scripts/selinux/chromium/chromium.fc @@ -1,3 +1,6 @@ /usr/lib/chromium-browser/chromium-browser -- gen_context(system_u:object_r:chromium_exec_t,s0) /usr/lib/chromium-browser/chrome_crashpad_handler -- gen_context(system_u:object_r:chromium_exec_t,s0) -/usr/lib/chromium-browser/chromium-browser.sh -- gen_context(system_u:object_r:chromium_exec_t,s0) \ No newline at end of file +/usr/lib/chromium-browser/chromium-browser.sh -- gen_context(system_u:object_r:chromium_exec_t,s0) + +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_t,s0) +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_t,s0) \ No newline at end of file diff --git a/files/scripts/selinux/chromium/chromium.sh b/files/scripts/selinux/chromium/chromium.sh index 3776a6ac..e29719ca 100644 --- a/files/scripts/selinux/chromium/chromium.sh +++ b/files/scripts/selinux/chromium/chromium.sh @@ -5,6 +5,7 @@ echo "Building and Loading Policy" set -x make -f /usr/share/selinux/devel/Makefile chromium.pp || exit +semodule -d chrome /usr/sbin/semodule -i chromium.pp -X 600 /sbin/restorecon -F -R -v /usr/lib/chromium-browser/ diff --git a/files/scripts/selinux/chromium/chromium.te b/files/scripts/selinux/chromium/chromium.te index 772f24e5..de657227 100644 --- a/files/scripts/selinux/chromium/chromium.te +++ b/files/scripts/selinux/chromium/chromium.te 
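Review bot: The two new HOME_DIR entries label the profile and cache directories with the process domain chromium_t instead of a file type, so every `self` rule in chromium.te now also applies to on-disk profile content — combined with the `self:file { ... create ... execute ... map ... write }` rule in the same commit, the browser gets write-and-execute on its own cache and config trees. A dedicated home-content type (for example a constructed `chromium_xdg_cache_t`/`chromium_xdg_config_t` pair declared with `userdom_user_home_content()`) keeps the domain/object split and lets the profile be locked down independently of the process. Unless chromium_t also carries a file-type attribute, creating files under these paths may hit the `filesystem associate` check against the home filesystem type; the pre-existing `allow chromium_t proc_t:filesystem associate;` line suggests that check has already been met once, which is worth confirming before relying on the label.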
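Review bot: The added `semodule -d chrome` is the only command in this block whose exit status is ignored (unless a `set -e` above the hunk covers it), and it runs as a separate transaction from the `/usr/sbin/semodule -i chromium.pp -X 600` that follows, so a host without the distro chrome module, or a failed disable, still proceeds to install the new policy. `semodule -d chrome || exit` would match the `make ... || exit` line above it; if the installed semodule accepts combined operations, a single `/usr/sbin/semodule -d chrome -i chromium.pp -X 600` keeps disable and install in one transaction. The `restorecon -F -R -v /usr/lib/chromium-browser/` on the next line does not cover the new HOME_DIR entries in chromium.fc, so existing profiles keep their cache_home_t/config_home_t labels until user homes are relabeled, and the new `self:*` rules will not apply to them.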
@@ -17,8 +17,9 @@ application_domain(chromium_t, chromium_exec_t) role chromium_roles types chromium_t; allow chromium_t self:process { execmem getcap getsched setcap setrlimit setsched sigkill signal signull }; -allow chromium_t self:dir { add_name write }; -allow chromium_t self:file create; +allow chromium_t self:dir { add_name create read remove_name rmdir write }; +allow chromium_t self:file { append create execute getattr ioctl lock map open read rename unlink write }; +allow chromium_t self:lnk_file { create read unlink }; allow chromium_t self:fifo_file rw_fifo_file_perms; allow chromium_t self:sem create_sem_perms; allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; 
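Review bot: The rewritten `allow chromium_t self:file { ... }` grants create, write, execute and map on a single type, which is write-plus-execute on anything labeled chromium_t — and chromium.fc in this commit labels ~/.cache/chromium and ~/.config/chromium that way, so whatever the browser writes to its profile becomes executable in-domain. Unless an AVC denial showed `execute` is required, drop it, e.g. `allow chromium_t self:file { append create getattr ioctl lock map open read rename unlink write };`, and keep `map` only if the profile's databases are known to need it. The three lists read as audit2allow output; a short comment on which component needs `self:lnk_file { create read unlink }` and `self:dir { ... rmdir ... }` would let the next reviewer tell required from accidental permissions.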
@@ -40,103 +41,96 @@ kernel_unconfined(chromium_t) corenet_unconfined(chromium_t) dev_unconfined(chromium_t) -optional_policy(` - gen_require(` - type data_home_t; - type bin_t; - type cache_home_t; - type cert_t; - type chrome_sandbox_home_t; - type config_home_t; - type etc_t; - type hwdata_t; - type init_t; - type locale_t; - type net_conf_t; - type passwd_file_t; - type pcscd_t; - type pcscd_var_run_t; - type pulseaudio_home_t; - type proc_t; - type root_t; - type session_dbusd_tmp_t; - type shell_exec_t; - type sysfs_t; - type system_dbusd_t; - type system_dbusd_var_run_t; - type systemd_resolved_var_run_t; - type tmp_t; - type tmpfs_t; - type unconfined_t; - type unconfined_dbusd_t; - type user_fonts_t; - type user_fonts_cache_t; - type user_fonts_config_t; - type user_home_dir_t; - type user_home_t; - type user_tmp_t; - type var_lib_t; - ') - - allow chromium_t data_home_t:file { read write getattr open map }; - allow chromium_t bin_t:file { execute execute_no_trans map }; - allow chromium_t cache_home_t:file { lock getattr open read write map }; - allow chromium_t cache_home_t:dir { add_name create write }; - allow chromium_t cert_t:file map; - allow chromium_t chrome_sandbox_home_t:dir { add_name create read remove_name rmdir write }; - allow chromium_t chrome_sandbox_home_t:file { append create execute getattr ioctl lock open read rename unlink write }; - allow chromium_t chrome_sandbox_home_t:file map; - allow chromium_t chrome_sandbox_home_t:lnk_file { create read unlink }; - allow chromium_t chromium_exec_t:file execute_no_trans; - allow chromium_t config_home_t:file { getattr open read write append create ioctl lock rename unlink map }; - allow chromium_t config_home_t:lnk_file { create unlink }; - allow chromium_t config_home_t:dir { add_name create read remove_name rename rmdir write }; - allow chromium_t data_home_t:dir { add_name read write }; - allow chromium_t data_home_t:file { create ioctl }; - allow chromium_t data_home_t:lnk_file { read }; - 
allow chromium_t etc_t:file map; - allow chromium_t hwdata_t:file { getattr open read }; - allow chromium_t init_t:dir search; - allow chromium_t locale_t:dir { watch }; - allow chromium_t net_conf_t:file { getattr open read }; - allow chromium_t net_conf_t:lnk_file { getattr read }; - allow chromium_t passwd_file_t:file { getattr open read }; - allow chromium_t pcscd_t:unix_stream_socket connectto; - allow chromium_t pcscd_var_run_t:sock_file { getattr write }; - allow chromium_t pulseaudio_home_t:file { lock open read }; - allow chromium_t proc_t:filesystem associate; - allow chromium_t root_t:dir watch; - allow chromium_t self:netlink_route_socket nlmsg_read; - allow chromium_t session_dbusd_tmp_t:sock_file write; - allow chromium_t shell_exec_t:file map; - allow chromium_t shell_exec_t:file { execute execute_no_trans }; - allow chromium_t sysfs_t:dir read; - allow chromium_t sysfs_t:file { getattr open read }; - allow chromium_t sysfs_t:lnk_file { read getattr }; - allow chromium_t system_dbusd_t:unix_stream_socket connectto; - allow chromium_t system_dbusd_var_run_t:sock_file write; - allow chromium_t systemd_resolved_var_run_t:dir { read watch }; - allow chromium_t tmp_t:dir { add_name create read remove_name rmdir write }; - allow chromium_t tmp_t:lnk_file { create unlink }; - allow chromium_t tmp_t:file { create open unlink write }; - allow chromium_t tmp_t:sock_file { create getattr unlink }; - allow chromium_t tmpfs_t:file { create getattr open read unlink write map }; - allow chromium_t unconfined_dbusd_t:unix_stream_socket connectto; - allow chromium_t unconfined_t:unix_stream_socket connectto; - allow chromium_t user_fonts_cache_t:file { map getattr open read }; - allow chromium_t user_fonts_config_t:file { getattr open read }; - allow chromium_t user_fonts_t:dir read; - allow chromium_t user_fonts_t:file { open map }; - allow chromium_t user_home_dir_t:dir { add_name create remove_name write }; - allow chromium_t user_home_dir_t:file { append create 
getattr lock open read setattr unlink write }; - allow chromium_t user_home_t:dir read; - allow chromium_t user_tmp_t:sock_file write; - allow chromium_t user_tmp_t:dir read; - allow chromium_t var_lib_t:dir read; - allow chromium_t var_lib_t:file { getattr open read }; - allow chromium_t var_lib_t:file map; +gen_require(` + type data_home_t; + type bin_t; + type cache_home_t; + type cert_t; + type config_home_t; + type etc_t; + type hwdata_t; + type init_t; + type locale_t; + type net_conf_t; + type passwd_file_t; + type pcscd_t; + type pcscd_var_run_t; + type pulseaudio_home_t; + type proc_t; + type root_t; + type session_dbusd_tmp_t; + type shell_exec_t; + type sysfs_t; + type system_dbusd_t; + type system_dbusd_var_run_t; + type systemd_resolved_var_run_t; + type tmp_t; + type tmpfs_t; + type unconfined_t; + type unconfined_dbusd_t; + type user_fonts_t; + type user_fonts_cache_t; + type user_fonts_config_t; + type user_home_dir_t; + type user_home_t; + type user_tmp_t; + type var_lib_t; ') +allow chromium_t data_home_t:file { read write getattr open map }; +allow chromium_t bin_t:file { execute execute_no_trans map }; +allow chromium_t cache_home_t:file { lock getattr open read write map }; +allow chromium_t cache_home_t:dir { add_name create write }; +allow chromium_t cert_t:file map; +allow chromium_t chromium_exec_t:file execute_no_trans; +allow chromium_t config_home_t:file { getattr open read write append create ioctl lock rename unlink map }; +allow chromium_t config_home_t:lnk_file { create unlink }; +allow chromium_t config_home_t:dir { add_name create read remove_name rename rmdir write }; +allow chromium_t data_home_t:dir { add_name read write }; +allow chromium_t data_home_t:file { create ioctl }; +allow chromium_t data_home_t:lnk_file { read }; +allow chromium_t etc_t:file map; +allow chromium_t hwdata_t:file { getattr open read }; +allow chromium_t init_t:dir search; +allow chromium_t locale_t:dir { watch }; +allow chromium_t net_conf_t:file { 
getattr open read }; +allow chromium_t net_conf_t:lnk_file { getattr read }; +allow chromium_t passwd_file_t:file { getattr open read }; +allow chromium_t pcscd_t:unix_stream_socket connectto; +allow chromium_t pcscd_var_run_t:sock_file { getattr write }; +allow chromium_t pulseaudio_home_t:file { lock open read }; +allow chromium_t proc_t:filesystem associate; +allow chromium_t root_t:dir watch; +allow chromium_t self:netlink_route_socket nlmsg_read; +allow chromium_t session_dbusd_tmp_t:sock_file write; +allow chromium_t shell_exec_t:file map; +allow chromium_t shell_exec_t:file { execute execute_no_trans }; +allow chromium_t sysfs_t:dir read; +allow chromium_t sysfs_t:file { getattr open read }; +allow chromium_t sysfs_t:lnk_file { read getattr }; +allow chromium_t system_dbusd_t:unix_stream_socket connectto; +allow chromium_t system_dbusd_var_run_t:sock_file write; +allow chromium_t systemd_resolved_var_run_t:dir { read watch }; +allow chromium_t tmp_t:dir { add_name create read remove_name rmdir write }; +allow chromium_t tmp_t:lnk_file { create unlink }; +allow chromium_t tmp_t:file { create open unlink write }; +allow chromium_t tmp_t:sock_file { create getattr unlink }; +allow chromium_t tmpfs_t:file { create getattr open read unlink write map }; +allow chromium_t unconfined_dbusd_t:unix_stream_socket connectto; +allow chromium_t unconfined_t:unix_stream_socket connectto; +allow chromium_t user_fonts_cache_t:file { map getattr open read }; +allow chromium_t user_fonts_config_t:file { getattr open read }; +allow chromium_t user_fonts_t:dir read; +allow chromium_t user_fonts_t:file { open map }; +allow chromium_t user_home_dir_t:dir { add_name create remove_name write }; +allow chromium_t user_home_dir_t:file { append create getattr lock open read setattr unlink write }; +allow chromium_t user_home_t:dir read; +allow chromium_t user_tmp_t:sock_file write; +allow chromium_t user_tmp_t:dir read; +allow chromium_t var_lib_t:dir read; +allow chromium_t 
var_lib_t:file { getattr open read }; +allow chromium_t var_lib_t:file map; + files_list_home(chromium_t) files_search_home(chromium_t) files_read_usr_files(chromium_t)
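Review bot: Moving the `gen_require` out of `optional_policy()` makes every listed type a hard dependency, so the module now fails to load on any host missing one of them — pcscd_t, pcscd_var_run_t, systemd_resolved_var_run_t and pulseaudio_home_t come from services that are not always installed — whereas before the whole block was silently skipped when a type was absent. A middle ground is to keep the core require unconditional and wrap only the service-specific rules (pcscd, systemd-resolved, pulseaudio) in their own `optional_policy()` blocks, each with its own `gen_require`. The rules carried to the new side also include `bin_t:file { execute execute_no_trans }`, `shell_exec_t:file { execute execute_no_trans }` and `unconfined_t:unix_stream_socket connectto`, which together with the three `*_unconfined()` calls at the top of the hunk make the confinement largely nominal; a header comment stating that this is an audit-derived, deliberately permissive profile would set expectations for anyone reusing it. The `data_home_t:file` permissions are split across two lines (`{ read write getattr open map }` and `{ create ioctl }`), as are the two `shell_exec_t:file` and `var_lib_t:file` lines, and could be merged for readability.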