## <summary>
##	Chromium browser
## </summary>

#######################################
## <summary>
##	Role access for chromium
## </summary>
## <desc>
##	<p>
##	Associates the chromium process types with the role, lets the
##	user domain start chromium through the chromium domain
##	transition, and lets it list and signal the resulting processes.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`chromium_role',`
	gen_require(`
		type chromium_t, chromium_renderer_t, chromium_sandbox_t;
		type chromium_naclhelper_t, chromium_exec_t;
	')

	# Associate every chromium process type with the role
	role $1 types { chromium_t chromium_renderer_t chromium_sandbox_t chromium_naclhelper_t };

	# The user domain enters chromium_t by running the chromium executable.
	# chromium_exec_t is not referenced directly in this interface, because
	# chromium_domtrans requires it on its own.
	chromium_domtrans($2)

	# Process listing (ps) is granted for the main and renderer domains only
	ps_process_pattern($2, chromium_t)
	ps_process_pattern($2, chromium_renderer_t)

	# Signals from the user domain reach the main, renderer and naclhelper
	# domains. chromium_sandbox_t is not covered by the ps or signal rules.
	allow $2 { chromium_t chromium_renderer_t chromium_naclhelper_t }:process signal_perms;

	# The sandbox and naclhelper domains may use file descriptors that
	# belong to the user domain
	allow { chromium_sandbox_t chromium_naclhelper_t } $2:fd use;
')

#######################################
## <summary>
##	Read and write chromium's temporary fifo files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`chromium_rw_tmp_pipes',`
	gen_require(`
		type chromium_tmp_t;
	')

	# Scope is limited to fifo files labeled chromium_tmp_t that live in
	# directories labeled chromium_tmp_t
	rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
')

##############################################
## <summary>
##	Automatically use the specified type for resources created in chromium's
##	temporary locations
## </summary>
## <param name="domain">
##	<summary>
##	Domain that creates the resource(s)
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Type to assign to the created resource(s)
##	</summary>
## </param>
## <param name="class">
##	<summary>
##	Object class of the resource created
##	</summary>
## </param>
## <param name="filename" optional="true">
##	<summary>
##	The name of the resource being created
##	</summary>
## </param>
#
interface(`chromium_tmp_filetrans',`
	gen_require(`
		type chromium_tmp_t;
	')

	# The creating domain needs search access to the chromium_tmp_t directories
	search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
	# Four arguments are consumed here: domain, new type, object class and
	# optional name. NOTE(review): the roles of the last three follow the
	# filetrans_pattern argument order - confirm against the support macros.
	# A caller that passes the object class as the second argument would get
	# it used as the target type.
	filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
')

#######################################
## <summary>
##	Execute a domain transition to the chromium domain (chromium_t)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
#
interface(`chromium_domtrans',`
	gen_require(`
		type chromium_t;
		type chromium_exec_t;
	')

	# The calling domain must be able to search the bin directories to reach
	# the executable
	corecmd_search_bin($1)
	# Executing a file labeled chromium_exec_t is the only entry into
	# chromium_t granted by this interface
	domtrans_pattern($1, chromium_exec_t, chromium_t)
')

#######################################
## <summary>
##	Execute chromium in the chromium domain and allow the specified
##	role to access the chromium domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
#
interface(`chromium_run',`
	gen_require(`
		type chromium_t;
	')

	# Let the calling domain transition into chromium_t
	chromium_domtrans($1)
	# NOTE(review): only chromium_t is associated with the role here, while
	# chromium_role also associates the renderer, sandbox and naclhelper
	# types - confirm whether callers of this interface need those as well.
	role $2 types chromium_t;
')