fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
-userdom_rw_user_tmpfs_files(chrome_sandbox_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+
userdom_use_user_ptys(chrome_sandbox_t)
userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
# chrome_sandbox_nacl local policy
#
+allow chrome_sandbox_nacl_t self:process execmem;
allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
-domain_use_interactive_fds(chrome_sandbox_nacl_t)
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms;
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+
files_read_etc_files(chrome_sandbox_nacl_t)
miscfiles_read_localization(chrome_sandbox_nacl_t)
+
+corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
kernel_read_network_state(virtd_lxc_t)
kernel_search_network_sysctl(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
dev_read_sysfs(virtd_lxc_t)
+dev_relabel_all_dev_nodes(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
miscfiles_read_fonts(svirt_lxc_domain)
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
+')
+
virt_lxc_domain_template(svirt_lxc_net)
allow svirt_lxc_net_t self:udp_socket create_socket_perms;
domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
+fs_noxattr_type(svirt_lxc_file_t)
+term_pty(svirt_lxc_file_t)
########################################
#
fs_search_tmpfs($1)
')
+########################################
+## <summary>
+## Read/Write inherited user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_inherited_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Execute user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_execute_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file execute;
+')
+
########################################
## <summary>
## Get the attributes of a user domain tty.