policy for chrome

######################################## ##

## Execute a domain transition to run chrome_sandbox. ##

## ##

## Domain allowed to transition. ##

## # interface(`chrome_domtrans_sandbox',` gen_require(` type chrome_sandbox_t, chrome_sandbox_exec_t; ') domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) ps_process_pattern(chrome_sandbox_t, $1) ifdef(`hide_broken_symptoms', ` dontaudit chrome_sandbox_t $1:socket_class_set { read write }; fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) ') ') ######################################## ##

## Execute chrome_sandbox in the chrome_sandbox domain, and ## allow the specified role the chrome_sandbox domain. ##

## ##

## Domain allowed access ##

## ## ##

## The role to be allowed the chrome_sandbox domain. ##

## # interface(`chrome_run_sandbox',` gen_require(` type chrome_sandbox_t; ') chrome_domtrans_sandbox($1) role $2 types chrome_sandbox_t; ') ######################################## ##

## Role access for chrome sandbox ##

## ##

## Role allowed access ##

## ## ##

## User domain for the role ##

## # interface(`chrome_role',` gen_require(` type chrome_sandbox_t; type chrome_sandbox_tmpfs_t; ') role $1 types chrome_sandbox_t; chrome_domtrans_sandbox($2) ps_process_pattern($2, chrome_sandbox_t) allow $2 chrome_sandbox_t:process signal_perms; allow chrome_sandbox_t $2:unix_dgram_socket { read write }; allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; allow chrome_sandbox_t $2:unix_stream_socket { read write }; allow $2 chrome_sandbox_t:unix_stream_socket { read write }; allow $2 chrome_sandbox_t:shm rw_shm_perms; allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; ')