# Last Modified: Thu Jan 11 16:16:07 2018
#include <tunables/global>
/usr/lib64/chromium-browser/chrome {
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/dbus-session>
#include <abstractions/fonts>
#include <abstractions/gnome>
#include <abstractions/java>
#include <abstractions/nvidia>
#include <abstractions/user-tmp>
capability sys_admin,
capability sys_chroot,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
signal receive set=abrt peer=/usr/lib64/chromium-browser/chrome,
signal receive set=kill peer=/usr/lib64/chromium-browser/chrome,
signal receive set=term peer=/usr/lib64/chromium-browser/chrome,
signal receive set=term peer=unconfined,
signal send set=abrt peer=/usr/lib64/chromium-browser/chrome,
signal send set=kill peer=/usr/lib64/chromium-browser/chrome,
signal send set=term peer=/usr/lib64/chromium-browser/chrome,
deny /etc/ r,
deny /selinux/ r,
deny /sys/modules/ mrwlx,
deny /usr/bin/bug-buddy x,
deny owner @{HOME}/.mozilla/plugins/ r,
/bin/bash ix,
/bin/bash ix,
/bin/bash rix,
/bin/bzip2 rix,
/bin/cat rix,
/bin/dirname rix,
/bin/head rix,
/bin/readlink rix,
/bin/sed rix,
/bin/which rix,
/dev/ r,
/dev/shm/.com.google.Chrome* rw,
/dev/video0 r,
/dev/video1 r,
/dev/video3 r,
/etc/fstab r,
/etc/gai.conf r,
/etc/gentoo-release r,
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/lsb-release r,
/etc/man_db.conf r,
/etc/mtab r,
/etc/nsswitch.conf r,
/etc/os-release r,
/etc/passwd r,
/etc/python2.7/sitecustomize.py r,
/etc/resolv.conf r,
/etc/udev/udev.conf r,
/opt/Adobe/flash-player/flash-plugin/libflashplayer.so mr,
/usr/lib64/chromium-browser/** r,
/usr/lib64/chromium-browser/*.so mr,
/opt/google/*/PepperFlash/libpepflashplayer.so mr,
/usr/lib64/chromium-browser/chrome mrix,
/usr/lib64/chromium-browser/extensions/ mrw,
/proc/ r,
/proc/cpuinfo r,
/proc/filesystems r,
/proc/meminfo r,
/proc/sys/kernel/shmmax r,
/proc/sys/kernel/yama/ptrace_scope r,
/proc/sys/net/ipv4/tcp_fastopen r,
/proc/vmstat r,
/sys/ r,
/sys/** r,
/sys/block/sda/sda[0-9]/size r,
/sys/block/sda/sda[0-9]/uevent r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/tmp/ r,
/usr/bin/col rix,
/usr/bin/find rix,
/usr/bin/getopt rix,
/usr/bin/groff rix,
/usr/bin/grotty rix,
/usr/bin/locale rix,
/usr/bin/lsb_release rix,
/usr/bin/man rix,
/usr/bin/nroff r,
/usr/bin/nroff rix,
/usr/bin/preconv rix,
/usr/bin/python2.7 r,
/usr/bin/smplayer PUx,
/usr/bin/tbl rix,
/usr/bin/troff rix,
/usr/bin/which rix,
/usr/bin/xdg-open PUx,
/usr/bin/xdg-settings PUx,
/usr/include/python2.7/pyconfig.h r,
/usr/lib/jvm/**/jre/lib/amd64/IcedTeaPlugin.so mr,
/usr/lib/mozilla/plugins/gecko-mediaplayer-*.so mr,
/usr/lib/totem/totem-plugin-viewer Px,
/usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/*.so mr,
/usr/lib/x86_64-linux-gnu/pango/*/modules/pango-*.so mr,
/usr/lib64/chromium-browser/chrome mrix,
/usr/lib64/chromium-browser/chromium-launcher.sh mrix,
/usr/lib64/chromium-browser/chromium-launcher.sh r,
/usr/libexec/man-db/manconv rix,
/usr/lib{,32,64}/** mr,
/usr/local/lib/python2.7/dist-packages/ r,
/usr/share/X11/XErrorDB r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/mime/** r,
/usr/share/misc/pci.ids r,
/usr/share/pixmaps/ r,
/usr/share/pyshared/* r,
/usr/share/themes/** r,
/var/cache/man/cat1/cat2QxLQ2 w,
/var/cache/man/cat1/catAduaPc w,
/var/cache/man/cat1/catalnbB4 w,
/var/cache/man/cat1/catv8PgNE w,
/var/cache/man/index.db rk,
/var/cache/man/pl/index.db rk,
/var/tmp/ r,
/var/tmp/* rw,
/{,var/}run/resolvconf/resolv.conf r,
/{,var/}run/shm/.com.google.Chrome.* rw,
/{,var/}run/shm/com.google.Chrome.shmem.* rw,
/{,var/}run/udev/queue.bin r,
/{run,dev}/shm/pulse-shm* rw,
@{PROC}/@{pid}/auxv r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/io r,
@{PROC}/@{pid}/maps r,
@{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/oom_score_adj w,
@{PROC}/@{pid}/setgroups w,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/task/ r,
@{PROC}/@{pid}/task/**/syscall r,
@{PROC}/@{pid}/task/[0-9]*/stat r,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /tmp/** rwk,
owner /usr/lib{,32,64}/** mrw,
owner /{run,dev}/shm/pulse-shm* k,
owner @{HOME}/ r,
owner @{HOME}/* r,
owner @{HOME}/.ICEauthority r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.cache/chromium/ rw,
owner @{HOME}/.cache/chromium/** rw,
owner @{HOME}/.cache/dconf/user rw,
owner @{HOME}/.config/chromium/ rwk,
owner @{HOME}/.config/chromium/ rwl,
owner @{HOME}/.config/chromium/** mrwk,
owner @{HOME}/.config/chromium/** mrwk,
owner @{HOME}/.config/dconf/user r,
owner @{HOME}/.config/gtk-3.0/gtk.css r,
owner @{HOME}/.config/gtk-3.0/settings.ini r,
owner @{HOME}/.config/ibus/bus/ w,
owner @{HOME}/.config/pulse/client.conf r,
owner @{HOME}/.config/user-dirs.dirs r,
owner @{HOME}/.fontconfig/* r,
owner @{HOME}/.gksu.lock r,
owner @{HOME}/.goutputstream-* r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.icons/ r,
owner @{HOME}/.local/share/icons/ r,
owner @{HOME}/.local/share/icons/** r,
owner @{HOME}/.local/share/mime/* r,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.local/share/sddm/xorg-session.log w,
owner @{HOME}/.nv/GLCache/ r,
owner @{HOME}/.nv/GLCache/** rwk,
owner @{HOME}/.nv/nvidia-application-profile-globals-rc r,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
owner @{HOME}/.pki/nssdb/*.db rwk,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.thumbnails/normal/* r,
owner @{HOME}/.xsession-errors r,
owner @{HOME}/Desktop/ r,
owner @{HOME}/Desktop/* rw,
owner @{HOME}/Pobrane/ r,
owner @{HOME}/Pobrane/** rw,
owner @{HOME}/libpeerconnection.log w,
owner @{PROC}/@{pid}//oom_score_adj w,
owner @{PROC}/@{pid}/gid_map rw,
owner @{PROC}/@{pid}/uid_map rw,
profile /opt/google/*/xdg-settings {
/bin/dash r,
/bin/grep rix,
/bin/readlink rix,
/bin/sed rix,
/bin/which rix,
/dev/null w,
/etc/gnome/defaults.list r,
/etc/ld.so.cache r,
/etc/locale.alias r,
/lib/x86_64-linux-gnu/ld-*.so r,
/lib/x86_64-linux-gnu/libc-*.so mr,
/lib/x86_64-linux-gnu/libdl-*.so mr,
/lib/x86_64-linux-gnu/libm-*.so mr,
/lib/x86_64-linux-gnu/libselinux.so.* mr,
/lib{,32,64}/ r,
/lib{,32,64}/** mr,
/opt/google/chrome/xdg-settings r,
/proc/filesystems r,
/usr/**/lib{,32,64}/ mr,
/usr/**/lib{,32,64}/** mr,
/usr/**/share/ r,
/usr/**/share/** r,
/usr/bin/basename rix,
/usr/bin/cut rix,
/usr/bin/gawk rix,
/usr/bin/mawk rix,
/usr/bin/xdg-mime rix,
/usr/bin/xdg-open PUx,
/usr/bin/xdg-settings PUx,
/usr/lib/locale/** r,
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
/usr/lib{,32,64}/ r,
/usr/lib{,32,64}/** mr,
/usr/local/bin/qtorrent PUx,
/usr/local/bin/skyper PUx,
/usr/share/ r,
/usr/share/** r,
owner /proc/*/maps r,
owner @{HOME}/.local/share/applications/google-chrome.desktop r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
}
}
Źródło:
Pobierz program!
