sepolicy/file_contexts/chromeos_file_contexts - mirrors/cros/chromiumos/platform2 - Git at Google

 include(sepolicy/file_contexts/chromeos_unconfined)
 include(sepolicy/file_contexts/coreutils)

 # Chrome OS file contexts.
 /([^/]+)?                       u:object_r:rootfs:s0
 /usr/[^/]+                      u:object_r:cros_usr_dirs:s0
 /usr/local/[^/]+                u:object_r:cros_dev_image_files:s0
 /sbin/init                      u:object_r:chromeos_init_exec:s0

 /sbin/chromeos_startup          u:object_r:chromeos_startup_script_exec:s0
 /sbin/crash_reporter            u:object_r:cros_crash_reporter_exec:s0
 /sbin/crash_sender              u:object_r:cros_crash_sender_exec:s0
 /sbin/debugd                    u:object_r:cros_debugd_exec:s0
 /sbin/dhcpcd                    u:object_r:cros_dhcpcd_exec:s0
 /sbin/frecon                    u:object_r:frecon_exec:s0
 /sbin/insmod                    u:object_r:cros_modprobe_exec:s0
 /sbin/minijail0                 u:object_r:cros_minijail_exec:s0
 /sbin/modprobe                  u:object_r:cros_modprobe_exec:s0
 /sbin/restorecon                u:object_r:cros_restorecon_exec:s0
 /sbin/rmmod                     u:object_r:cros_modprobe_exec:s0
 /sbin/session_manager           u:object_r:cros_session_manager_exec:s0
 /sbin/setfiles                  u:object_r:cros_restorecon_exec:s0
 /sbin/udevd                     u:object_r:cros_udevd_exec:s0
 /sbin/upstart-socket-bridge     u:object_r:upstart_socket_bridge_exec:s0

 /bin/bash                       u:object_r:sh_exec:s0
 /bin/dash                       u:object_r:sh_exec:s0
 /bin/kmod                       u:object_r:cros_modprobe_exec:s0
 /bin/sh                         u:object_r:sh_exec:s0

 /usr/bin/anomaly_collector      u:object_r:cros_anomaly_collector_exec:s0
 /usr/bin/btdispatch             u:object_r:cros_btdispatch_exec:s0
 /usr/bin/chrt                   u:object_r:cros_chrt_exec:s0
 /usr/bin/cras                   u:object_r:cros_cras_exec:s0
 /usr/bin/cros_camera_algo       u:object_r:cros_camera_algo_exec:s0
 /usr/bin/cros_camera_service    u:object_r:cros_camera_service_exec:s0
 /usr/bin/cros-disks             u:object_r:cros_disks_exec:s0
 /usr/bin/dbus-daemon            u:object_r:cros_dbus_daemon_exec:s0
 /usr/bin/dbus-uuidgen           u:object_r:cros_dbus_uuidgen_exec:s0
 /usr/bin/ionice                 u:object_r:cros_ionice_exec:s0
 /usr/bin/logger                 u:object_r:cros_logger_exec:s0
 /usr/bin/memd                   u:object_r:cros_memd_exec:s0
 /usr/bin/metrics_client         u:object_r:cros_metrics_client_exec:s0
 /usr/bin/metrics_daemon         u:object_r:cros_metrics_daemon_exec:s0
 /usr/bin/midis                  u:object_r:cros_midis_exec:s0
 /usr/bin/newblued               u:object_r:cros_newblued_exec:s0
 /usr/bin/periodic_scheduler     u:object_r:cros_periodic_scheduler_exec:s0
 /usr/bin/permission_broker      u:object_r:cros_permission_broker_exec:s0
 /usr/bin/powerd                 u:object_r:cros_powerd_exec:s0
 /usr/bin/shill                  u:object_r:cros_shill_exec:s0
 /usr/bin/tlsdated               u:object_r:cros_tlsdated_exec:s0

 /usr/sbin/ModemManager          u:object_r:cros_modem_manager_exec:s0
 /usr/sbin/accelerator-logs      u:object_r:cros_accelerator_logs_exec:s0
 /usr/sbin/apk-cache-cleaner-jailed u:object_r:cros_apk_cache_cleaner_jailed_exec:s0
 /usr/sbin/arc-oemcrypto         u:object_r:cros_arc_oemcrypto:s0
 /usr/sbin/arc-setup             u:object_r:cros_arc_setup_exec:s0
 /usr/sbin/avahi-daemon          u:object_r:cros_avahi_daemon_exec:s0
 /usr/sbin/bootstat              u:object_r:cros_bootstat_exec:s0
 /usr/sbin/chapsd                u:object_r:cros_chapsd_exec:s0
 /usr/sbin/chromeos-cleanup-logs u:object_r:cros_chromeos_cleanup_logs_exec:s0
 /usr/sbin/chromeos-trim         u:object_r:cros_chromeos_trim_exec:s0
 /usr/sbin/conntrackd            u:object_r:cros_conntrackd_exec:s0
 /usr/sbin/cros-machine-id-regen u:object_r:cros_machine_id_regen_exec:s0
 /usr/sbin/cryptohomed           u:object_r:cros_cryptohomed_exec:s0
 /usr/sbin/jetstream-update-stats u:object_r:cros_jetstream_update_stats_exec:s0
 /usr/sbin/mtpd                  u:object_r:cros_mtpd_exec:s0
 /usr/sbin/rsyslogd              u:object_r:cros_rsyslogd_exec:s0
 /usr/sbin/sshd                  u:object_r:cros_sshd_exec:s0
 /usr/sbin/sslh(-fork|-select)?  u:object_r:cros_sslh_exec:s0
 /usr/sbin/tcsd                  u:object_r:cros_tcsd_exec:s0
 /usr/sbin/update_engine         u:object_r:cros_update_engine_exec:s0
 /usr/sbin/wpa_supplicant        u:object_r:cros_wpa_supplicant_exec:s0

 /usr/lib/systemd/systemd-journald u:object_r:cros_journald_exec:s0
 /usr/libexec/bluetooth/bluetoothd u:object_r:cros_bluetoothd_exec:s0

 /usr/share/policy(/.*)?         u:object_r:cros_seccomp_policy_file:s0
 /usr/share/userfeedback(/.*)?   u:object_r:cros_userfeedback_file:s0

 /usr/bin/start_bluetoothd.sh    u:object_r:cros_init_start_bluetoothd_shell_script:s0
 /usr/bin/start_bluetoothlog.sh  u:object_r:cros_init_start_bluetoothlog_shell_script:s0
 /usr/share/cros(/.*)?           u:object_r:cros_usr_dirs:s0
 /usr/share/cros/init(/.*)?      u:object_r:cros_init_shell_scripts:s0
 /usr/share/cros/init/activate_date.sh u:object_r:cros_init_activate_date_script:s0
 /usr/share/cros/init/chapsd.sh u:object_r:cros_init_chapsd_shell_script:s0
 /usr/share/cros/init/crx-import.sh u:object_r:cros_init_crx_import_script:s0
 /usr/share/cros/init/lockbox-cache.sh u:object_r:cros_init_lockbox_cache_script:s0
 /usr/share/cros/init/powerd-pre-start.sh u:object_r:cros_init_powerd_pre_start_script:s0
 /usr/share/cros/init/ui-pre-start u:object_r:cros_init_ui_pre_start_shell_script:s0
 /usr/share/cros/init/ui-respawn u:object_r:cros_init_ui_respawn_shell_script:s0
 /usr/share/cros/init/shill.sh   u:object_r:cros_init_shill_shell_script:s0
 /usr/share/cros/init/shill-pre-start.sh u:object_r:cros_init_shill_shell_script:s0

 /var                            u:object_r:cros_var:s0
 /var/cache                      u:object_r:cros_var_cache:s0
 /var/cache/shill(/.*)?          u:object_r:cros_var_cache_shill:s0
 /var/empty                      u:object_r:cros_var_empty:s0
 /var/lib                        u:object_r:cros_var_lib:s0
 /var/lib/chaps(/.*)?            u:object_r:cros_var_lib_chaps:s0
 /var/lib/crash_reporter(/.*)?   u:object_r:cros_var_lib_crash_reporter:s0
 /var/lib/dbus(/.*)?             u:object_r:cros_var_lib_dbus:s0
 /var/lib/dhcpcd(/.*)?           u:object_r:cros_var_lib_shill:s0
 /var/lib/metrics(/.*)?          u:object_r:cros_metrics_file:s0
 /var/lib/metrics/uma-events     u:object_r:cros_metrics_uma_events_file:s0
 /var/lib/power_manager(/.*)?    u:object_r:cros_var_lib_power_manager:s0
 /var/lib/shill(/.*)?            u:object_r:cros_var_lib_shill:s0
 /var/lib/update_engine(/.*)?    u:object_r:cros_var_lib_update_engine:s0
 /var/lib/whitelist(/.*)?        u:object_r:cros_var_lib_whitelist:s0
 /var/log                        u:object_r:cros_var_log:s0
 /var/log/eventlog.txt           u:object_r:cros_var_log_eventlog:s0
 /var/log/arc.log                u:object_r:cros_arc_log:s0
 /var/log/authpolicy.log         u:object_r:cros_authpolicy_log:s0
 /var/log/boot.log               u:object_r:cros_boot_log:s0
 /var/log/chrome(/.*)?           u:object_r:cros_var_log_chrome:s0
 /var/log/messages               u:object_r:cros_syslog:s0
 /var/log/net.log                u:object_r:cros_net_log:s0
 /var/log/secure                 u:object_r:cros_secure_log:s0
 /var/log/tlsdate.log            u:object_r:cros_tlsdate_log:s0
 /var/log/powerd.out             u:object_r:cros_powerd_log:s0
 /var/log/asan(/.*)?             u:object_r:cros_var_log_asan:s0
 /var/log/mount_options.log      u:object_r:chromeos_startup_mount_options_log_file:s0
 /var/spool                      u:object_r:cros_var_spool:s0
 /var/spool/cron-lite(/.*)?      u:object_r:cros_periodic_scheduler_cache_t:s0
 /var/spool/crash_reporter(/.*)? u:object_r:cros_crash_spool:s0

 # /opt/google
 /opt/google/chrome/chrome       u:object_r:chrome_browser_exec:s0

 # /etc
 /etc                            u:object_r:cros_etc:s0
 # Safe to be readable by anyone.
 /etc/lsb-release                u:object_r:cros_etc:s0

 # Intential blank lines to put all cros_etc labelled files above.
 /etc/conntrackd(/.*)?           u:object_r:cros_conntrackd_conf_file:s0
 /etc/dhcpcd.conf                u:object_r:cros_network_conf_file:s0
 /etc/group                      u:object_r:cros_passwd_file:s0
 /etc/hosts                      u:object_r:cros_network_conf_file:s0
 /etc/hosts.d(/.*)?              u:object_r:cros_network_conf_file:s0
 /etc/init(/.*)?                 u:object_r:cros_init_conf_file:s0
 /etc/ld.so.*                    u:object_r:cros_ld_conf_cache:s0
 /etc/ld.so.cache~               u:object_r:cros_ld_conf_cache:s0
 /etc/modprobe.d(/.*)?           u:object_r:cros_modprobe_conf_file:s0
 /etc/nsswitch.conf              u:object_r:cros_network_conf_file:s0
 /etc/passwd                     u:object_r:cros_passwd_file:s0
 /etc/resolv.conf                u:object_r:cros_network_conf_file:s0
 /etc/rsyslog(.*)?               u:object_r:cros_rsyslog_conf_file:s0
 /etc/selinux(/.*)?              u:object_r:cros_selinux_config_file:s0
 /etc/sysctl.d(/.*)?             u:object_r:cros_sysctl_conf_file:s0
 /etc/systemd/network(/.*)?      u:object_r:cros_network_conf_file:s0
 /etc/systemd/journald.conf      u:object_r:cros_journal_conf_file:s0
 /etc/udev(/.*)?                 u:object_r:cros_udev_conf_file:s0

 # These files are mounted into the mini-container before real /data, /cache are
 # available.
 /opt/google/containers/android/rootfs/android-data/cache                   u:object_r:cache_file:s0
 /opt/google/containers/android/rootfs/android-data/data                    u:object_r:system_data_file:s0
 /opt/google/containers/android/rootfs/android-data/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0

 # All the following files are created dynamically and need to be labeled at
 # runtime.
 /run                            u:object_r:cros_run:s0
 /run/lock                       u:object_r:cros_run_lock:s0
 /run/arc/debugfs                u:object_r:debugfs:s0
 /run/arc/sdcard(/.*)?           u:object_r:storage_file:s0
 /run/dbus                       u:object_r:cros_run_dbus:s0
 /run/dbus.pid                   u:object_r:cros_dbus_pid_file:s0
 /run/dbus/system_bus_socket     u:object_r:cros_system_bus_socket:s0


 has_arc(`
 /run/arc/cmdline.android        u:object_r:is_arc_nyc(proc, proc_cmdline):s0
 ')


 include(sepolicy/file_contexts/sysfs_contexts)

 /dev/console                    u:object_r:console_device:s0
 /dev/log                        u:object_r:logger_device:s0
 /dev/null                       u:object_r:null_device:s0
 /dev/random                     u:object_r:random_device:s0
 /dev/shm(/.*)?                  u:object_r:cros_shm:s0
 /dev/urandom                    u:object_r:urandom_device:s0
 /dev/zero                       u:object_r:zero_device:s0
 /dev/ptmx                       u:object_r:ptmx_device:s0

 # Label /dev/bus/usb/NNN/MMM
 # (USB device nodes passed by Chrome / permission broker)
 /dev/bus/usb(/.*)?              u:object_r:usb_device:s0


 (/usr)?/lib64(/.*)?                    u:object_r:cros_system_file:s0
 (/usr)?/lib(/.*)?                      u:object_r:cros_system_file:s0
 /lib/modules(/.*)?                     u:object_r:cros_kernel_modules_file:s0
 /lib/modules/.*\.ko                    u:object_r:cros_kernel_modules_ko_file:s0

 # /home
 /home                            u:object_r:cros_home:s0
 /home/root(/[0-9a-z]{40})?       u:object_r:cros_home_root:s0
 /home/user(/[0-9a-z]{40})?       u:object_r:cros_home_user:s0
 /home/chronos(/(?!(u-[0-9a-z]{40}|user)).*)?   u:object_r:cros_home_chronos:s0
 /home/chronos/user               u:object_r:cros_home_chronos:s0
 /home/chronos/u-[0-9a-z]{40}     u:object_r:cros_home_chronos:s0
 /home/.shadow                    u:object_r:cros_home_shadow:s0
 /home/.shadow/(?![0-9a-z]{40}).* u:object_r:cros_home_shadow:s0
 # exclude <uid>/mount/root/android-data/data
 /home/.shadow/[0-9a-z]{40}(/(?!mount/root/android-data/data).*)? u:object_r:cros_home_shadow_uid:s0
 /home/.shadow/[0-9a-z]{40}/mount/root(/(?!android-data/data).*)? u:object_r:cros_home_shadow_uid_root:s0
 /home/.shadow/[0-9a-z]{40}/mount/user(/.*)? u:object_r:cros_home_shadow_uid_user:s0
 /home/.shadow/[0-9a-z]{40}/mount/user/Downloads(/.*)? u:object_r:has_arc(media_rw_data_file, cros_downloads_file):s0
 /home/.shadow/[0-9a-z]{40}/mount/user/MyFiles(/.*)?   u:object_r:has_arc(media_rw_data_file, cros_downloads_file):s0
 /home/.shadow/[0-9a-z]{40}/mount/root/android-data u:object_r:cros_home_shadow_uid_root_android:s0
 /home/.shadow/[0-9a-z]{40}/mount/root/android-data/cache(/.*)? u:object_r:cros_home_shadow_uid_root_android_cache:s0
 /home/.shadow/[0-9a-z]{40}/mount/root/android-data/data u:object_r:system_data_file:s0
 /home/.shadow/[0-9a-z]{40}/mount/root/chaps(/.*)?   u:object_r:cros_home_shadow_uid_root_chaps:s0
	include(sepolicy/file_contexts/chromeos_unconfined)
	include(sepolicy/file_contexts/coreutils)

	# Chrome OS file contexts.
	/([^/]+)? u:object_r:rootfs:s0
	/usr/[^/]+ u:object_r:cros_usr_dirs:s0
	/usr/local/[^/]+ u:object_r:cros_dev_image_files:s0
	/sbin/init u:object_r:chromeos_init_exec:s0

	/sbin/chromeos_startup u:object_r:chromeos_startup_script_exec:s0
	/sbin/crash_reporter u:object_r:cros_crash_reporter_exec:s0
	/sbin/crash_sender u:object_r:cros_crash_sender_exec:s0
	/sbin/debugd u:object_r:cros_debugd_exec:s0
	/sbin/dhcpcd u:object_r:cros_dhcpcd_exec:s0
	/sbin/frecon u:object_r:frecon_exec:s0
	/sbin/insmod u:object_r:cros_modprobe_exec:s0
	/sbin/minijail0 u:object_r:cros_minijail_exec:s0
	/sbin/modprobe u:object_r:cros_modprobe_exec:s0
	/sbin/restorecon u:object_r:cros_restorecon_exec:s0
	/sbin/rmmod u:object_r:cros_modprobe_exec:s0
	/sbin/session_manager u:object_r:cros_session_manager_exec:s0
	/sbin/setfiles u:object_r:cros_restorecon_exec:s0
	/sbin/udevd u:object_r:cros_udevd_exec:s0
	/sbin/upstart-socket-bridge u:object_r:upstart_socket_bridge_exec:s0

	/bin/bash u:object_r:sh_exec:s0
	/bin/dash u:object_r:sh_exec:s0
	/bin/kmod u:object_r:cros_modprobe_exec:s0
	/bin/sh u:object_r:sh_exec:s0

	/usr/bin/anomaly_collector u:object_r:cros_anomaly_collector_exec:s0
	/usr/bin/btdispatch u:object_r:cros_btdispatch_exec:s0
	/usr/bin/chrt u:object_r:cros_chrt_exec:s0
	/usr/bin/cras u:object_r:cros_cras_exec:s0
	/usr/bin/cros_camera_algo u:object_r:cros_camera_algo_exec:s0
	/usr/bin/cros_camera_service u:object_r:cros_camera_service_exec:s0
	/usr/bin/cros-disks u:object_r:cros_disks_exec:s0
	/usr/bin/dbus-daemon u:object_r:cros_dbus_daemon_exec:s0
	/usr/bin/dbus-uuidgen u:object_r:cros_dbus_uuidgen_exec:s0
	/usr/bin/ionice u:object_r:cros_ionice_exec:s0
	/usr/bin/logger u:object_r:cros_logger_exec:s0
	/usr/bin/memd u:object_r:cros_memd_exec:s0
	/usr/bin/metrics_client u:object_r:cros_metrics_client_exec:s0
	/usr/bin/metrics_daemon u:object_r:cros_metrics_daemon_exec:s0
	/usr/bin/midis u:object_r:cros_midis_exec:s0
	/usr/bin/newblued u:object_r:cros_newblued_exec:s0
	/usr/bin/periodic_scheduler u:object_r:cros_periodic_scheduler_exec:s0
	/usr/bin/permission_broker u:object_r:cros_permission_broker_exec:s0
	/usr/bin/powerd u:object_r:cros_powerd_exec:s0
	/usr/bin/shill u:object_r:cros_shill_exec:s0
	/usr/bin/tlsdated u:object_r:cros_tlsdated_exec:s0

	/usr/sbin/ModemManager u:object_r:cros_modem_manager_exec:s0
	/usr/sbin/accelerator-logs u:object_r:cros_accelerator_logs_exec:s0
	/usr/sbin/apk-cache-cleaner-jailed u:object_r:cros_apk_cache_cleaner_jailed_exec:s0
	/usr/sbin/arc-oemcrypto u:object_r:cros_arc_oemcrypto:s0
	/usr/sbin/arc-setup u:object_r:cros_arc_setup_exec:s0
	/usr/sbin/avahi-daemon u:object_r:cros_avahi_daemon_exec:s0
	/usr/sbin/bootstat u:object_r:cros_bootstat_exec:s0
	/usr/sbin/chapsd u:object_r:cros_chapsd_exec:s0
	/usr/sbin/chromeos-cleanup-logs u:object_r:cros_chromeos_cleanup_logs_exec:s0
	/usr/sbin/chromeos-trim u:object_r:cros_chromeos_trim_exec:s0
	/usr/sbin/conntrackd u:object_r:cros_conntrackd_exec:s0
	/usr/sbin/cros-machine-id-regen u:object_r:cros_machine_id_regen_exec:s0
	/usr/sbin/cryptohomed u:object_r:cros_cryptohomed_exec:s0
	/usr/sbin/jetstream-update-stats u:object_r:cros_jetstream_update_stats_exec:s0
	/usr/sbin/mtpd u:object_r:cros_mtpd_exec:s0
	/usr/sbin/rsyslogd u:object_r:cros_rsyslogd_exec:s0
	/usr/sbin/sshd u:object_r:cros_sshd_exec:s0
	/usr/sbin/sslh(-fork\|-select)? u:object_r:cros_sslh_exec:s0
	/usr/sbin/tcsd u:object_r:cros_tcsd_exec:s0
	/usr/sbin/update_engine u:object_r:cros_update_engine_exec:s0
	/usr/sbin/wpa_supplicant u:object_r:cros_wpa_supplicant_exec:s0

	/usr/lib/systemd/systemd-journald u:object_r:cros_journald_exec:s0
	/usr/libexec/bluetooth/bluetoothd u:object_r:cros_bluetoothd_exec:s0

	/usr/share/policy(/.*)? u:object_r:cros_seccomp_policy_file:s0
	/usr/share/userfeedback(/.*)? u:object_r:cros_userfeedback_file:s0

	/usr/bin/start_bluetoothd.sh u:object_r:cros_init_start_bluetoothd_shell_script:s0
	/usr/bin/start_bluetoothlog.sh u:object_r:cros_init_start_bluetoothlog_shell_script:s0
	/usr/share/cros(/.*)? u:object_r:cros_usr_dirs:s0
	/usr/share/cros/init(/.*)? u:object_r:cros_init_shell_scripts:s0
	/usr/share/cros/init/activate_date.sh u:object_r:cros_init_activate_date_script:s0
	/usr/share/cros/init/chapsd.sh u:object_r:cros_init_chapsd_shell_script:s0
	/usr/share/cros/init/crx-import.sh u:object_r:cros_init_crx_import_script:s0
	/usr/share/cros/init/lockbox-cache.sh u:object_r:cros_init_lockbox_cache_script:s0
	/usr/share/cros/init/powerd-pre-start.sh u:object_r:cros_init_powerd_pre_start_script:s0
	/usr/share/cros/init/ui-pre-start u:object_r:cros_init_ui_pre_start_shell_script:s0
	/usr/share/cros/init/ui-respawn u:object_r:cros_init_ui_respawn_shell_script:s0
	/usr/share/cros/init/shill.sh u:object_r:cros_init_shill_shell_script:s0
	/usr/share/cros/init/shill-pre-start.sh u:object_r:cros_init_shill_shell_script:s0

	/var u:object_r:cros_var:s0
	/var/cache u:object_r:cros_var_cache:s0
	/var/cache/shill(/.*)? u:object_r:cros_var_cache_shill:s0
	/var/empty u:object_r:cros_var_empty:s0
	/var/lib u:object_r:cros_var_lib:s0
	/var/lib/chaps(/.*)? u:object_r:cros_var_lib_chaps:s0
	/var/lib/crash_reporter(/.*)? u:object_r:cros_var_lib_crash_reporter:s0
	/var/lib/dbus(/.*)? u:object_r:cros_var_lib_dbus:s0
	/var/lib/dhcpcd(/.*)? u:object_r:cros_var_lib_shill:s0
	/var/lib/metrics(/.*)? u:object_r:cros_metrics_file:s0
	/var/lib/metrics/uma-events u:object_r:cros_metrics_uma_events_file:s0
	/var/lib/power_manager(/.*)? u:object_r:cros_var_lib_power_manager:s0
	/var/lib/shill(/.*)? u:object_r:cros_var_lib_shill:s0
	/var/lib/update_engine(/.*)? u:object_r:cros_var_lib_update_engine:s0
	/var/lib/whitelist(/.*)? u:object_r:cros_var_lib_whitelist:s0
	/var/log u:object_r:cros_var_log:s0
	/var/log/eventlog.txt u:object_r:cros_var_log_eventlog:s0
	/var/log/arc.log u:object_r:cros_arc_log:s0
	/var/log/authpolicy.log u:object_r:cros_authpolicy_log:s0
	/var/log/boot.log u:object_r:cros_boot_log:s0
	/var/log/chrome(/.*)? u:object_r:cros_var_log_chrome:s0
	/var/log/messages u:object_r:cros_syslog:s0
	/var/log/net.log u:object_r:cros_net_log:s0
	/var/log/secure u:object_r:cros_secure_log:s0
	/var/log/tlsdate.log u:object_r:cros_tlsdate_log:s0
	/var/log/powerd.out u:object_r:cros_powerd_log:s0
	/var/log/asan(/.*)? u:object_r:cros_var_log_asan:s0
	/var/log/mount_options.log u:object_r:chromeos_startup_mount_options_log_file:s0
	/var/spool u:object_r:cros_var_spool:s0
	/var/spool/cron-lite(/.*)? u:object_r:cros_periodic_scheduler_cache_t:s0
	/var/spool/crash_reporter(/.*)? u:object_r:cros_crash_spool:s0

	# /opt/google
	/opt/google/chrome/chrome u:object_r:chrome_browser_exec:s0

	# /etc
	/etc u:object_r:cros_etc:s0
	# Safe to be readable by anyone.
	/etc/lsb-release u:object_r:cros_etc:s0

	# Intential blank lines to put all cros_etc labelled files above.
	/etc/conntrackd(/.*)? u:object_r:cros_conntrackd_conf_file:s0
	/etc/dhcpcd.conf u:object_r:cros_network_conf_file:s0
	/etc/group u:object_r:cros_passwd_file:s0
	/etc/hosts u:object_r:cros_network_conf_file:s0
	/etc/hosts.d(/.*)? u:object_r:cros_network_conf_file:s0
	/etc/init(/.*)? u:object_r:cros_init_conf_file:s0
	/etc/ld.so.* u:object_r:cros_ld_conf_cache:s0
	/etc/ld.so.cache~ u:object_r:cros_ld_conf_cache:s0
	/etc/modprobe.d(/.*)? u:object_r:cros_modprobe_conf_file:s0
	/etc/nsswitch.conf u:object_r:cros_network_conf_file:s0
	/etc/passwd u:object_r:cros_passwd_file:s0
	/etc/resolv.conf u:object_r:cros_network_conf_file:s0
	/etc/rsyslog(.*)? u:object_r:cros_rsyslog_conf_file:s0
	/etc/selinux(/.*)? u:object_r:cros_selinux_config_file:s0
	/etc/sysctl.d(/.*)? u:object_r:cros_sysctl_conf_file:s0
	/etc/systemd/network(/.*)? u:object_r:cros_network_conf_file:s0
	/etc/systemd/journald.conf u:object_r:cros_journal_conf_file:s0
	/etc/udev(/.*)? u:object_r:cros_udev_conf_file:s0

	# These files are mounted into the mini-container before real /data, /cache are
	# available.
	/opt/google/containers/android/rootfs/android-data/cache u:object_r:cache_file:s0
	/opt/google/containers/android/rootfs/android-data/data u:object_r:system_data_file:s0
	/opt/google/containers/android/rootfs/android-data/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0

	# All the following files are created dynamically and need to be labeled at
	# runtime.
	/run u:object_r:cros_run:s0
	/run/lock u:object_r:cros_run_lock:s0
	/run/arc/debugfs u:object_r:debugfs:s0
	/run/arc/sdcard(/.*)? u:object_r:storage_file:s0
	/run/dbus u:object_r:cros_run_dbus:s0
	/run/dbus.pid u:object_r:cros_dbus_pid_file:s0
	/run/dbus/system_bus_socket u:object_r:cros_system_bus_socket:s0


	has_arc(`
	/run/arc/cmdline.android u:object_r:is_arc_nyc(proc, proc_cmdline):s0
	')



	include(sepolicy/file_contexts/sysfs_contexts)

	/dev/console u:object_r:console_device:s0
	/dev/log u:object_r:logger_device:s0
	/dev/null u:object_r:null_device:s0
	/dev/random u:object_r:random_device:s0
	/dev/shm(/.*)? u:object_r:cros_shm:s0
	/dev/urandom u:object_r:urandom_device:s0
	/dev/zero u:object_r:zero_device:s0
	/dev/ptmx u:object_r:ptmx_device:s0

	# Label /dev/bus/usb/NNN/MMM
	# (USB device nodes passed by Chrome / permission broker)
	/dev/bus/usb(/.*)? u:object_r:usb_device:s0


	(/usr)?/lib64(/.*)? u:object_r:cros_system_file:s0
	(/usr)?/lib(/.*)? u:object_r:cros_system_file:s0
	/lib/modules(/.*)? u:object_r:cros_kernel_modules_file:s0
	/lib/modules/.*\.ko u:object_r:cros_kernel_modules_ko_file:s0

	# /home
	/home u:object_r:cros_home:s0
	/home/root(/[0-9a-z]{40})? u:object_r:cros_home_root:s0
	/home/user(/[0-9a-z]{40})? u:object_r:cros_home_user:s0
	/home/chronos(/(?!(u-[0-9a-z]{40}\|user)).*)? u:object_r:cros_home_chronos:s0
	/home/chronos/user u:object_r:cros_home_chronos:s0
	/home/chronos/u-[0-9a-z]{40} u:object_r:cros_home_chronos:s0
	/home/.shadow u:object_r:cros_home_shadow:s0
	/home/.shadow/(?![0-9a-z]{40}).* u:object_r:cros_home_shadow:s0
	# exclude <uid>/mount/root/android-data/data
	/home/.shadow/[0-9a-z]{40}(/(?!mount/root/android-data/data).*)? u:object_r:cros_home_shadow_uid:s0
	/home/.shadow/[0-9a-z]{40}/mount/root(/(?!android-data/data).*)? u:object_r:cros_home_shadow_uid_root:s0
	/home/.shadow/[0-9a-z]{40}/mount/user(/.*)? u:object_r:cros_home_shadow_uid_user:s0
	/home/.shadow/[0-9a-z]{40}/mount/user/Downloads(/.*)? u:object_r:has_arc(media_rw_data_file, cros_downloads_file):s0
	/home/.shadow/[0-9a-z]{40}/mount/user/MyFiles(/.*)? u:object_r:has_arc(media_rw_data_file, cros_downloads_file):s0
	/home/.shadow/[0-9a-z]{40}/mount/root/android-data u:object_r:cros_home_shadow_uid_root_android:s0
	/home/.shadow/[0-9a-z]{40}/mount/root/android-data/cache(/.*)? u:object_r:cros_home_shadow_uid_root_android_cache:s0
	/home/.shadow/[0-9a-z]{40}/mount/root/android-data/data u:object_r:system_data_file:s0
	/home/.shadow/[0-9a-z]{40}/mount/root/chaps(/.*)? u:object_r:cros_home_shadow_uid_root_chaps:s0