# SELinux policy for Chrome OS

SELinux policy for Chrome OS lives here.

## Directory structure

`platform2/sepolicy`

- `policy` SELinux policies live here. It contains sids, access vectors, mls,
  security classes, users, and roles definitions, type definitions, the
  macros needed for policy writing, and AVC rules.
  - `base` sids, access vectors, mls, security classes, users, and roles
    definitions, plus `fs_use` and `genfscon` definitions. `fs_use` defines
    the context for different filesystems, e.g. devtmpfs ->
    `u:object_r:device:s0`, ext4 -> `u:object_r:labeledfs:s0`. `genfscon`
    defines file labels from the policy itself (so there is no need to set an
    xattr on the actual inode), mostly for procfs.
  - `chromeos` All Chrome OS AVCs except for those in `chromeos_base` live
    here. Chrome OS file type definitions also live here.
    - `te_macros` Chrome OS-specific macros for writing .te files, excluding
      those in `policy/base` or in `shared`.
    - `attributes` Chrome OS attributes.
    - `file.te` Chrome OS file labels.
    - `**.te` AVC rules for the different domains.
  - `chromeos_base` The minijail, cros_init, and cros init script domains live
    here. Its internal structure is similar to `chromeos`.
  - `mask_only` A no-op mask to make sure that (base + mask_only) combined is
    a valid monolithic policy.
- `file_contexts` File labels for the system image, stateful partition,
  devtmpfs, and sysfs live here.
- `shared` Shared macros live here.
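
The three labeling mechanisms mentioned under `policy/base` above (`fs_use` for xattr-backed and pseudo filesystems, `genfscon` for path-based labels), shown as an added example in the kernel policy language; this fragment is constructed for illustration and is not copied from the repository, and the `pipefs`, `proc`, and `proc_sys_kernel` type names are assumed, not taken from the Chrome OS policy:

```selinux
# Constructed example, not from platform2/sepolicy.

# fs_use_xattr: the filesystem keeps one label per inode in the
# security.selinux xattr, written by file_contexts at image build time
# or by restorecon at runtime. Only the default for unlabeled inodes
# comes from here.
fs_use_xattr ext4 u:object_r:labeledfs:s0;

# fs_use_trans: pseudo-filesystems with no xattr support get a label
# from the policy; every node on devtmpfs starts out as the device type,
# and the per-node /dev labels are applied afterwards from file_contexts.
fs_use_trans devtmpfs u:object_r:device:s0;

# fs_use_task: objects inherit the label of the task that creates them
# (pipes, sockets). Type name is assumed.
fs_use_task pipefs u:object_r:pipefs:s0;

# genfscon: the label is computed inside the kernel from a path prefix,
# so no inode is ever tagged with an xattr. Type names are assumed.
# A default for the whole mount first...
genfscon proc / u:object_r:proc:s0
# ...then a more specific prefix; the longest matching prefix wins, which
# is what lets a sensitive subtree get a tighter type than the rest of /proc.
genfscon proc /sys/kernel u:object_r:proc_sys_kernel:s0
```

On a booted device, `ls -Z /dev/null` and `ls -Zd /proc/sys/kernel` show the labels such statements produce, which is the quickest way to check that a new `fs_use` or `genfscon` line took effect.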

## Docs

Docs are located at
[SELinux in ChromeOS](https://www.chromium.org/chromium-os/developer-library/reference/security/selinux/).