# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

include(sepolicy/file_contexts/chromeos_unconfined)
include(sepolicy/file_contexts/coreutils)

include(sepolicy/file_contexts/sysfs_contexts)

# Chrome OS file contexts.
/([^/]+)?                       u:object_r:rootfs:s0
/usr/[^/]+                      u:object_r:cros_usr_dirs:s0
/usr/share(/.*)?                u:object_r:cros_usr_dirs:s0
/usr/local/[^/]+                u:object_r:cros_dev_image_files:s0
/sbin/init                      u:object_r:chromeos_init_exec:s0

# SBIN_START_HERE
/sbin/agetty                    u:object_r:cros_agetty_exec:s0
/sbin/audispd                   u:object_r:cros_audispd_exec:s0
/sbin/auditd                    u:object_r:cros_auditd_exec:s0
/sbin/capsh                     u:object_r:cros_capsh_exec:s0
/sbin/chromeos_startup          u:object_r:chromeos_startup_script_exec:s0
/sbin/crash_reporter            u:object_r:cros_crash_reporter_exec:s0
/sbin/crash_sender              u:object_r:cros_crash_sender_exec:s0
/sbin/debugd                    u:object_r:cros_debugd_exec:s0
/sbin/dhcpcd                    u:object_r:cros_dhcpcd_exec:s0
/sbin/frecon                    u:object_r:frecon_exec:s0
/sbin/hwclock                   u:object_r:cros_hwclock_exec:s0
/sbin/insmod                    u:object_r:cros_modprobe_exec:s0
/sbin/minijail0                 u:object_r:cros_minijail_exec:s0
/sbin/modprobe                  u:object_r:cros_modprobe_exec:s0
/sbin/restorecon                u:object_r:cros_restorecon_exec:s0
/sbin/rmmod                     u:object_r:cros_modprobe_exec:s0
/sbin/session_manager           u:object_r:cros_session_manager_exec:s0
/sbin/setfiles                  u:object_r:cros_restorecon_exec:s0
/sbin/udevd                     u:object_r:cros_udevd_exec:s0
/sbin/upstart-socket-bridge     u:object_r:upstart_socket_bridge_exec:s0
/sbin/ureadahead                u:object_r:cros_ureadahead_exec:s0
# SBIN_END_HERE

/bin/bash                       u:object_r:sh_exec:s0
/bin/brltty                     u:object_r:cros_brltty_exec:s0
/bin/dash                       u:object_r:sh_exec:s0
/bin/kmod                       u:object_r:cros_modprobe_exec:s0
/bin/sh                         u:object_r:sh_exec:s0

# USR_BIN_START_HERE
/usr/bin/anomaly_detector       u:object_r:cros_anomaly_detector_exec:s0
/usr/bin/arc-appfuse-provider   u:object_r:cros_arc_appfuse_provider_exec:s0
/usr/bin/arc-data-snapshotd     u:object_r:cros_arc_data_snapshotd_exec:s0
/usr/bin/arc-host-clock-service u:object_r:cros_arc_host_clock_service_exec:s0
/usr/bin/arc-obb-mounter        u:object_r:cros_arc_obb_mounter_exec:s0
/usr/bin/arc_camera_service     u:object_r:cros_arc_camera_service_exec:s0
/usr/bin/arc_sensor_service     u:object_r:cros_arc_sensor_service_exec:s0
/usr/bin/biod                   u:object_r:cros_biod_exec:s0
/usr/bin/btdispatch             u:object_r:cros_btdispatch_exec:s0
/usr/bin/chrt                   u:object_r:cros_chrt_exec:s0
/usr/bin/chunneld               u:object_r:cros_chunneld_exec:s0
/usr/bin/core_collector[0-9]*   u:object_r:cros_core_collector_exec:s0
/usr/bin/cras                   u:object_r:cros_cras_exec:s0
/usr/bin/cros-disks             u:object_r:cros_disks_exec:s0
/usr/bin/cros_camera_algo       u:object_r:cros_camera_algo_exec:s0
/usr/bin/cros_camera_service    u:object_r:cros_camera_service_exec:s0
/usr/bin/cros_healthd           u:object_r:cros_healthd_exec:s0
/usr/bin/cups_proxy             u:object_r:cros_cups_proxy_exec:s0
/usr/bin/dbus-daemon            u:object_r:cros_dbus_daemon_exec:s0
/usr/bin/dbus-send              u:object_r:cros_dbus_send_exec:s0
/usr/bin/dbus-uuidgen           u:object_r:cros_dbus_uuidgen_exec:s0
/usr/bin/esif_ufd               u:object_r:cros_esif_ufd_exec:s0
/usr/bin/find                   u:object_r:cros_system_file:s0
/usr/bin/gdbus                  u:object_r:cros_gdbus_exec:s0
/usr/bin/hermes                 u:object_r:cros_hermes_exec:s0
/usr/bin/ionice                 u:object_r:cros_ionice_exec:s0
/usr/bin/ippusb_manager         u:object_r:cros_ippusb_manager_exec:s0
/usr/bin/logger                 u:object_r:cros_logger_exec:s0
/usr/bin/lorgnette              u:object_r:cros_lorgnette_exec:s0
/usr/bin/memd                   u:object_r:cros_memd_exec:s0
/usr/bin/metrics_client         u:object_r:cros_metrics_client_exec:s0
/usr/bin/metrics_daemon         u:object_r:cros_metrics_daemon_exec:s0
/usr/bin/midis                  u:object_r:cros_midis_exec:s0
/usr/bin/ml_service             u:object_r:cros_ml_service_exec:s0
/usr/bin/mmdata_mgr             u:object_r:cros_mmdata_mgr_exec:s0
/usr/bin/modemfwd               u:object_r:cros_modemfwd_exec:s0
/usr/bin/mount-passthrough      u:object_r:cros_mount_passthrough_exec:s0
/usr/bin/mount-passthrough-jailed u:object_r:cros_mount_passthrough_jailed_exec:s0
/usr/bin/newblued               u:object_r:cros_newblued_exec:s0
/usr/bin/patchpaneld            u:object_r:cros_patchpaneld_exec:s0
/usr/bin/periodic_scheduler     u:object_r:cros_periodic_scheduler_exec:s0
/usr/bin/permission_broker      u:object_r:cros_permission_broker_exec:s0
/usr/bin/powerd                 u:object_r:cros_powerd_exec:s0
/usr/bin/qrtr-ns                u:object_r:cros_qrtr_ns_exec:s0
/usr/bin/rmtfs                  u:object_r:cros_rmtfs_exec:s0
/usr/bin/run_oci                u:object_r:cros_run_oci_exec:s0
/usr/bin/seneschal              u:object_r:cros_seneschal_exec:s0
/usr/bin/shill                  u:object_r:cros_shill_exec:s0
/usr/bin/systemd-cat            u:object_r:cros_systemd_cat_exec:s0
/usr/bin/timberslide            u:object_r:cros_timberslide_exec:s0
/usr/bin/tlsdated               u:object_r:cros_tlsdated_exec:s0
/usr/bin/typecd                 u:object_r:cros_typecd_exec:s0
/usr/bin/u2fd                   u:object_r:cros_u2fd_exec:s0
/usr/bin/vm_cicerone            u:object_r:cros_vm_cicerone_exec:s0
/usr/bin/vm_concierge           u:object_r:cros_vm_concierge_exec:s0
/usr/bin/vmlog_forwarder        u:object_r:cros_vmlog_forwarder_exec:s0
/usr/bin/wilco_dtc_supportd     u:object_r:cros_wilco_dtc_supportd_exec:s0
/usr/bin/ureadahead-diff        u:object_r:cros_ureadahead_diff_exec:s0
# USR_BIN_END_HERE

# USR_SBIN_START_HERE
/usr/sbin/ModemManager          u:object_r:cros_modem_manager_exec:s0
/usr/sbin/accelerator-logs      u:object_r:cros_accelerator_logs_exec:s0
/usr/sbin/apk-cache-cleaner-jailed u:object_r:cros_apk_cache_cleaner_jailed_exec:s0
/usr/sbin/arc-apply-per-board-config u:object_r:cros_arc_apply_per_board_config_exec:s0
/usr/sbin/arc-keymasterd        u:object_r:cros_arc_keymasterd_exec:s0
/usr/sbin/arc-setup             u:object_r:cros_arc_setup_exec:s0
/usr/sbin/arcvm_boot_notification_server u:object_r:cros_arcvm_boot_notification_server_exec:s0
/usr/sbin/arcvm-forward-pstore  u:object_r:cros_arcvm_forward_pstore_exec:s0
/usr/sbin/atrusd                u:object_r:cros_atrusd_exec:s0
/usr/sbin/attestationd          u:object_r:cros_attestationd_exec:s0
/usr/sbin/avahi-daemon          u:object_r:cros_avahi_daemon_exec:s0
/usr/sbin/bootlockboxd          u:object_r:cros_bootlockboxd_exec:s0
/usr/sbin/bootstat              u:object_r:cros_bootstat_exec:s0
/usr/sbin/brcm_patchram_plus    u:object_r:cros_brcm_patchram_plus_exec:s0
/usr/sbin/cdm-oemcrypto         u:object_r:cros_cdm_oemcrypto_exec:s0
/usr/sbin/cecservice            u:object_r:cros_cecservice_exec:s0
/usr/sbin/chapsd                u:object_r:cros_chapsd_exec:s0
/usr/sbin/chromeos-cleanup-logs u:object_r:cros_chromeos_cleanup_logs_exec:s0
/usr/sbin/chromeos-trim         u:object_r:cros_chromeos_trim_exec:s0
/usr/sbin/conntrackd            u:object_r:cros_conntrackd_exec:s0
/usr/sbin/cros-machine-id-regen u:object_r:cros_machine_id_regen_exec:s0
/usr/sbin/crosdns               u:object_r:cros_crosdns_exec:s0
/usr/sbin/cryptohomed           u:object_r:cros_cryptohomed_exec:s0
/usr/sbin/cryptohome-namespace-mounter u:object_r:cros_cryptohome_namespace_mounter_exec:s0
/usr/sbin/cryptohome-proxy      u:object_r:cros_cryptohome_proxy_exec:s0
/usr/sbin/cupsd                 u:object_r:cros_cupsd_exec:s0
/usr/sbin/daisydog              u:object_r:cros_daisydog_exec:s0
/usr/sbin/dlcservice            u:object_r:cros_dlcservice_exec:s0
/usr/sbin/huddly-monitor         u:object_r:cros_huddly_monitor_exec:s0
/usr/sbin/imageloader           u:object_r:cros_imageloader_exec:s0
/usr/sbin/jetstream-update-stats u:object_r:cros_jetstream_update_stats_exec:s0
/usr/sbin/mimo-monitor          u:object_r:cros_mimo_monitor_exec:s0
/usr/sbin/mtpd                  u:object_r:cros_mtpd_exec:s0
/usr/sbin/oobe_config_restore   u:object_r:cros_oobe_config_restore_exec:s0
/usr/sbin/p2p-http-server       u:object_r:cros_p2p_http_server_exec:s0
/usr/sbin/p2p-server            u:object_r:cros_p2p_server_exec:s0
/usr/sbin/pca_agentd            u:object_r:cros_pca_agentd_exec:s0
/usr/sbin/rsyslogd              u:object_r:cros_rsyslogd_exec:s0
/usr/sbin/sshd                  u:object_r:cros_sshd_exec:s0
/usr/sbin/sslh(-fork|-select)?  u:object_r:cros_sslh_exec:s0
/usr/sbin/syslog-cat            u:object_r:cros_syslog_cat_exec:s0
/usr/sbin/tcsd                  u:object_r:cros_tcsd_exec:s0
/usr/sbin/tpm_managerd          u:object_r:cros_tpm_managerd_exec:s0
/usr/sbin/trunksd               u:object_r:cros_trunksd_exec:s0
/usr/sbin/update_engine         u:object_r:cros_update_engine_exec:s0
/usr/sbin/usbguard-daemon       u:object_r:cros_usbguard_exec:s0
/usr/sbin/wpa_supplicant        u:object_r:cros_wpa_supplicant_exec:s0
# USR_SBIN_END_HERE

/usr/local/bin/recover_duts     u:object_r:cros_recover_duts_script:s0

/usr/lib/systemd/systemd-journald u:object_r:cros_journald_exec:s0
/usr/libexec/bluetooth/bluetoothd u:object_r:cros_bluetoothd_exec:s0

/usr/libexec/cryptohome/update_userdataauth_from_features.sh u:object_r:cros_update_userdataauth_shell_script:s0

/usr/libexec/ipsec/charon       u:object_r:cros_ipsec_charon_exec:s0
/usr/libexec/ipsec/starter      u:object_r:cros_ipsec_starter_exec:s0

/usr/share/policy(/.*)?         u:object_r:cros_seccomp_policy_file:s0
/usr/share/userfeedback(/.*)?   u:object_r:cros_userfeedback_file:s0

/usr/bin/start_bluetoothd.sh    u:object_r:cros_init_start_bluetoothd_shell_script:s0
/usr/bin/start_bluetoothlog.sh  u:object_r:cros_init_start_bluetoothlog_shell_script:s0
/usr/share/chromeos-ssh-config/sshd-pre u:object_r:cros_init_sshd_pre_shell_script:s0
/usr/share/cros(/.*)?           u:object_r:cros_usr_dirs:s0
/usr/share/cros/init(/.*)?      u:object_r:cros_init_shell_scripts:s0
/usr/share/cros/init/activate_date.sh u:object_r:cros_init_activate_date_script:s0
/usr/share/cros/init/crx-import.sh u:object_r:cros_init_crx_import_script:s0
/usr/share/cros/init/lockbox-cache.sh u:object_r:cros_init_lockbox_cache_script:s0
/usr/share/cros/init/powerd-pre-start.sh u:object_r:cros_init_powerd_pre_start_script:s0
/usr/share/cros/init/ui-pre-start u:object_r:cros_init_ui_pre_start_shell_script:s0
/usr/share/cros/init/ui-respawn u:object_r:cros_init_ui_respawn_shell_script:s0
/usr/share/cros/init/shill.sh   u:object_r:cros_init_shill_shell_script:s0
/usr/share/cros/init/shill-pre-start.sh u:object_r:cros_init_shill_shell_script:s0

/var                            u:object_r:cros_var:s0
/var/cache                      u:object_r:cros_var_cache:s0
/var/cache/shill(/.*)?          u:object_r:cros_var_cache_shill:s0
/var/cache/camera(/.*)?         u:object_r:cros_var_cache_camera:s0
/var/empty                      u:object_r:cros_var_empty:s0
/var/lib                        u:object_r:cros_var_lib:s0
/var/lib/bluetooth(/.*)?        u:object_r:cros_var_lib_bluetooth:s0
/var/lib/chaps(/.*)?            u:object_r:cros_var_lib_chaps:s0
/var/lib/crash_reporter(/.*)?   u:object_r:cros_var_lib_crash_reporter:s0
/var/lib/dbus(/.*)?             u:object_r:cros_var_lib_dbus:s0
/var/lib/dhcpcd(/.*)?           u:object_r:cros_var_lib_shill:s0
/var/lib/imageloader(/.*)?      u:object_r:cros_var_lib_imageloader:s0
/var/lib/metrics(/.*)?          u:object_r:cros_metrics_file:s0
/var/lib/metrics/uma-events     u:object_r:cros_metrics_uma_events_file:s0
/var/lib/oemcrypto(/.*)?        u:object_r:cros_var_lib_oemcrypto:s0
/var/lib/oobe_config_restore(/.*)? u:object_r:cros_var_lib_oobe_config_restore:s0
/var/lib/power_manager(/.*)?    u:object_r:cros_var_lib_power_manager:s0
/var/lib/preload-network-drivers.* u:object_r:cros_var_lib_preload_network_drivers:s0
/var/lib/shill(/.*)?            u:object_r:cros_var_lib_shill:s0
/var/lib/tpm(/.*)?              u:object_r:cros_var_lib_tpm:s0
/var/lib/trim(/.*)?             u:object_r:cros_var_lib_trim:s0
/var/lib/ui(/.*)?               u:object_r:cros_var_lib_ui:s0
/var/lib/update_engine(/.*)?    u:object_r:cros_var_lib_update_engine:s0
/var/lib/ureadahead(/.*)?       u:object_r:cros_var_lib_ureadahead:s0
/var/lib/whitelist(/.*)?        u:object_r:cros_var_lib_whitelist:s0
/var/log                        u:object_r:cros_var_log:s0
/var/log/arc.log                u:object_r:cros_arc_log:s0
/var/log/asan(/.*)?             u:object_r:cros_var_log_asan:s0
/var/log/atrus.log              u:object_r:cros_var_log_atrus:s0
/var/log/audit(/.*)?            u:object_r:cros_var_log_audit:s0
/var/log/authpolicy.log         u:object_r:cros_authpolicy_log:s0
/var/log/bluetooth.log          u:object_r:cros_var_log_bluetooth:s0
/var/log/boot.log               u:object_r:cros_boot_log:s0
/var/log/chrome(/.*)?           u:object_r:cros_var_log_chrome:s0
/var/log/eventlog.txt           u:object_r:cros_var_log_eventlog:s0
/var/log/faillog                u:object_r:cros_var_log_faillog:s0
/var/log/hammerd.log            u:object_r:cros_hammerd_log:s0
/var/log/journal(/.*)?          u:object_r:cros_var_log_journal:s0
/var/log/messages               u:object_r:cros_syslog:s0
/var/log/mount_options.log      u:object_r:chromeos_startup_mount_options_log_file:s0
/var/log/net.log                u:object_r:cros_net_log:s0
/var/log/powerd.out             u:object_r:cros_powerd_log:s0
/var/log/recover_duts(/.*)?     u:object_r:cros_var_log_recover_duts:s0
/var/log/secure                 u:object_r:cros_secure_log:s0
/var/log/session_manager        u:object_r:cros_var_log_session_manager:s0
/var/log/tlsdate.log            u:object_r:cros_tlsdate_log:s0
/var/log/tpm-firmware-updater.log u:object_r:cros_var_log_tpm_firmware_updater:s0
/var/log/typecd.log             u:object_r:cros_typecd_log:s0
/var/log/ui(/.*)?               u:object_r:cros_var_log_ui:s0
/var/log/upstart.log            u:object_r:cros_var_log_upstart:s0
/var/log/vmlog(/.*)?            u:object_r:cros_var_log_vmlog:s0
/var/spool                      u:object_r:cros_var_spool:s0
/var/spool/cron-lite(/.*)?      u:object_r:cros_periodic_scheduler_cache_t:s0
/var/spool/crash(/.*)?          u:object_r:cros_crash_spool:s0
/var/spool/power_manager(/.*)?  u:object_r:cros_var_spool_power_manager:s0

# /opt
/opt(/.*)          u:object_r:cros_system_file:s0
/opt/google/chrome/chrome       u:object_r:chrome_browser_exec:s0
/opt/google/containers/android/rootfs/root u:object_r:cros_arc_rootfs_mountpoint:s0
/opt/google/containers/arc-sdcard/mountpoints/container-root u:object_r:cros_arc_sdcard_mountpoint:s0
# These files are mounted into the mini-container before real /data, /cache are
# available.
/opt/google/containers/android/rootfs/android-data/cache                   u:object_r:cache_file:s0
/opt/google/containers/android/rootfs/android-data/data                    u:object_r:system_data_file:s0
/opt/google/containers/android/rootfs/android-data/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/opt/google/easy_unlock/easy_unlock u:object_r:cros_easy_unlock_exec:s0

# /etc
/etc(/.*)?                      u:object_r:cros_conf_file:s0
/etc/group                      u:object_r:cros_passwd_file:s0
/etc/passwd                     u:object_r:cros_passwd_file:s0
/etc/shadow                     u:object_r:cros_shadow_file:s0
/etc/selinux(/.*)?              u:object_r:cros_selinux_config_file:s0

# All the following files are created dynamically and need to be labeled at
# runtime.
/run                            u:object_r:cros_run:s0
/run/lock                       u:object_r:cros_run_lock:s0
/run/arc/debugfs                u:object_r:debugfs:s0
/run/arc/sdcard(/.*)?           u:object_r:storage_file:s0
/run/cryptohome                 u:object_r:cros_run_cryptohome:s0
/run/cryptohome/ephemeral_mount u:object_r:cros_ephemeral_mount:s0
/run/dbus                       u:object_r:cros_run_dbus:s0
/run/dbus.pid                   u:object_r:cros_dbus_pid_file:s0
/run/dbus/system_bus_socket     u:object_r:cros_system_bus_socket:s0
/run/metrics                    u:object_r:cros_run_metrics:s0
/run/metrics/external           u:object_r:cros_run_metrics_external:s0
/run/rsyslogd                   u:object_r:cros_run_rsyslogd:s0


has_arc(`
/run/arc/cmdline.android        u:object_r:proc_cmdline:s0
')


/dev                            u:object_r:device:s0
/dev/console                    u:object_r:console_device:s0
/dev/input(/.*)?                u:object_r:input_device:s0
/dev/kmsg                       u:object_r:kmsg_device:s0
/dev/log                        u:object_r:logger_device:s0
/dev/null                       u:object_r:null_device:s0
/dev/ptmx                       u:object_r:ptmx_device:s0
/dev/random                     u:object_r:random_device:s0
/dev/shm(/.*)?                  u:object_r:cros_shm:s0
/dev/snd(/.*)?                  u:object_r:audio_device:s0
/dev/tpm[0-9]*                  u:object_r:tpm_device:s0
/dev/urandom                    u:object_r:urandom_device:s0
/dev/zero                       u:object_r:zero_device:s0

# Label /dev/bus/usb/NNN/MMM
# (USB device nodes passed by Chrome / permission broker)
/dev/bus/usb(/.*)?              u:object_r:usb_device:s0


(/usr)?/lib64(/.*)?                    u:object_r:cros_system_file:s0
(/usr)?/lib(/.*)?                      u:object_r:cros_system_file:s0
/lib/modules(/.*)?                     u:object_r:cros_kernel_modules_file:s0
/lib/modules/.*\.ko                    u:object_r:cros_kernel_modules_ko_file:s0

# /home
/home                            u:object_r:cros_home:s0
/home/root(/[0-9a-z]{40})?       u:object_r:cros_home_root:s0
/home/user(/[0-9a-z]{40})?       u:object_r:cros_home_user:s0
/home/chronos(/(?!(u-[0-9a-z]{40}|user)).*)?   u:object_r:cros_home_chronos:s0
/home/chronos/crash              u:object_r:cros_home_chronos_crash:s0
/home/chronos/user               u:object_r:cros_home_chronos:s0
/home/chronos/u-[0-9a-z]{40}     u:object_r:cros_home_chronos:s0
/home/.shadow                    u:object_r:cros_home_shadow:s0
/home/.shadow/(?![0-9a-z]{40}).* u:object_r:cros_home_shadow:s0
/home/.shadow/low_entropy_creds(/.*)? u:object_r:cros_home_shadow_low_entropy_creds:s0
# exclude <uid>/mount/root/android-data/data
/home/.shadow/[0-9a-z]{40}(/(?!mount/root/android-data/data).*)? u:object_r:cros_home_shadow_uid:s0
/home/.shadow/[0-9a-z]{40}/mount/root(/(?!android-data/data).*)? u:object_r:cros_home_shadow_uid_root:s0
/home/.shadow/[0-9a-z]{40}/mount/user(/.*)? u:object_r:cros_home_shadow_uid_user:s0
/home/.shadow/[0-9a-z]{40}/mount/user/Downloads(/.*)? u:object_r:has_arc(media_rw_data_file, cros_downloads_file):s0
/home/.shadow/[0-9a-z]{40}/mount/user/MyFiles(/.*)?   u:object_r:has_arc(media_rw_data_file, cros_downloads_file):s0
/home/.shadow/[0-9a-z]{40}/mount/root/android-data u:object_r:cros_home_shadow_uid_root_android:s0
/home/.shadow/[0-9a-z]{40}/mount/root/android-data/cache u:object_r:cache_file:s0
/home/.shadow/[0-9a-z]{40}/mount/root/android-data/data u:object_r:system_data_file:s0
/home/.shadow/[0-9a-z]{40}/mount/root/authpolicyd(/.*)?   u:object_r:cros_home_shadow_uid_root_authpolicyd:s0
/home/.shadow/[0-9a-z]{40}/mount/root/chaps(/.*)?   u:object_r:cros_home_shadow_uid_root_chaps:s0
/home/.shadow/[0-9a-z]{40}/mount/root/session_manager(/.*)?   u:object_r:cros_home_shadow_uid_root_session_manager:s0
/home/.shadow/[0-9a-z]{40}/mount/root/shill(/.*)?   u:object_r:cros_home_shadow_uid_root_shill:s0
/home/.shadow/[0-9a-z]{40}/mount/root/shill_logs(/.*)?   u:object_r:cros_home_shadow_uid_root_shill_logs:s0
/home/.shadow/[0-9a-z]{40}/mount/root/usb_bouncer(/.*)?   u:object_r:cros_home_shadow_uid_root_usb_bouncer:s0