This is some of the other things needed by Chrome/Chromium. Some is obvious (like IPP). The file creation thing under /proc is something Chrome does, I still don't know why. I'll submit a patch without that if you like, but I think the rest should be acceptable without debate.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20201205/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20201205/policy/modules/apps/chromium.te
@@ -90,7 +97,9 @@ xdg_cache_content(chromium_xdg_cache_t)
 #
 # execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull };
+allow chromium_t self:dir { write add_name };
+allow chromium_t self:file create;
 allow chromium_t self:fifo_file rw_fifo_file_perms;
 allow chromium_t self:sem create_sem_perms;
 allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -145,7 +154,12 @@ dyntrans_pattern(chromium_t, chromium_re
 domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
 domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+# for self:file create
+kernel_associate_proc(chromium_t)
+
+kernel_get_sysvipc_info(chromium_t)
 kernel_list_proc(chromium_t)
+kernel_read_crypto_sysctls(chromium_t)
 kernel_read_fs_sysctls(chromium_t)
 kernel_read_kernel_sysctls(chromium_t)
 kernel_read_net_sysctls(chromium_t)
@@ -157,6 +171,7 @@ corecmd_exec_shell(chromium_t)
 corenet_tcp_connect_all_unreserved_ports(chromium_t)
 corenet_tcp_connect_ftp_port(chromium_t)
 corenet_tcp_connect_http_port(chromium_t)
+corenet_tcp_connect_ipp_port(chromium_t)
 corenet_udp_bind_generic_node(chromium_t)
 corenet_udp_bind_all_unreserved_ports(chromium_t)
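Review bot: The two new rules `allow chromium_t self:dir { write add_name };` and `allow chromium_t self:file create;` in the first hunk carry no comment, while the only explanation (`# for self:file create`) sits in the second hunk next to `kernel_associate_proc(chromium_t)`, and the description says the reason Chrome creates files under /proc is not understood. Taken together the three rules let chromium_t create chromium_t-labeled entries under /proc (presumably because /proc/<pid> entries carry the process's own domain), which is broader than the per-object rules around it. I would place the explanation on the rules themselves, e.g. `# create chromium_t-labeled files under /proc; needs kernel_associate_proc below (cause not yet identified)`, and until the cause is identified consider `dontaudit` for the `self:file create` / `self:dir { write add_name }` pair instead of `allow`, so the access is denied without audit noise rather than granted on an unexplained need. The enclosing chromium_t block starts outside the hunk.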
@@ -328,6 +348,9 @@ userdom_use_user_terminals(chromium_rend
 xdg_read_config_files(chromium_renderer_t)
+# should we have a tunable for this?
+xdg_read_pictures(chromium_t)
+
 xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
 tunable_policy(`chromium_read_system_info',`
Index: refpolicy-2.20201205/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20201205/policy/modules/kernel/kernel.if
@@ -2442,6 +2442,24 @@ interface(`kernel_rw_all_sysctls',`
 ########################################
 ## <summary>
+## Associate a file to proc_t (/proc)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_associate_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+ allow $1 proc_t:filesystem associate;
+')
+
+########################################
+## <summary>
 ## Send a kill signal to unlabeled processes.
 ## </summary>
 ## <param name="domain">
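Review bot: `xdg_read_pictures(chromium_t)` is inserted between `xdg_read_config_files(chromium_renderer_t)` and `xserver_user_x_domain_template(chromium_renderer, ...)`, which looks like the chromium_renderer_t section, yet the rule's subject is chromium_t; the chromium_t block begins outside the hunk, so either the line belongs up there or the intended subject is chromium_renderer_t, and that should be confirmed before merging. The leading `# should we have a tunable for this?` leaves an open question in the policy source; since read access to every picture in the user's XDG pictures directory is a privacy-relevant grant, I would answer it here by wrapping the call in a `tunable_policy` block with a new boolean declared next to `chromium_read_system_info`, following the `tunable_policy(`chromium_read_system_info',`` shape visible at the end of this hunk, and replacing the question with a comment that names what the access is for (e.g. `# file picker / upload of images from the pictures directory` if that is the observed use).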