Avoid SELinux denials caused by reading symbolic links in /var/lib/flatpak

https://bugzilla.redhat.com/show_bug.cgi?id=2071215
2022-07-14 15:56:24 +02:00 · 2022-07-14 15:56:24 +02:00 · 37c03167da
commit 37c03167da
parent 2f59c541aa
2 changed files with 37 additions and 1 deletions
--- a/flatpak-selinux-permissions-01.patch
+++ b/flatpak-selinux-permissions-01.patch
@ -0,0 +1,30 @@
+From a71257778d049875592aba4d018df4d5b5a724e4 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Thu, 14 Jul 2022 15:43:06 +0200
+Subject: [PATCH] selinux: Permit read access to symbolic links in
+ /var/lib/flatpak
+
+Commit 8617ab0ad0243f5a granted read and lock access to
+/var/lib/flatpak but didn't cover symbolic links.  This explicitly
+permits that to avoid running into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2071215
+---
+ selinux/flatpak.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 66ebcaa18420..bb3d80e316eb 100644
+--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
+@@ -15,6 +15,7 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ auth_read_passwd(flatpak_helper_t)
+ files_list_var_lib(flatpak_helper_t)
+ files_read_var_lib_files(flatpak_helper_t)
+files_read_var_lib_symlinks(flatpak_helper_t)
+ 
+ ifdef(`corecmd_watch_bin_dirs',`
+     corecmd_watch_bin_dirs(flatpak_helper_t)
+-- 
+2.35.3
+
--- a/flatpak.spec
+++ b/flatpak.spec
@ -6,7 +6,7 @@

 Name:           flatpak
 Version:        1.13.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Application deployment framework for desktop apps

 License:        LGPLv2+
@ -25,6 +25,9 @@ Source2:        flatpak.sysusers.conf
 # https://github.com/flatpak/flatpak/pull/4914
 Patch0:         flatpak-1.13.3-add-gssproxy-support.patch

+# https://github.com/flatpak/flatpak/pull/4992
+Patch1:         flatpak-selinux-permissions-01.patch
+
 BuildRequires:  pkgconfig(appstream) >= %{appstream_version}
 BuildRequires:  pkgconfig(dconf)
 BuildRequires:  pkgconfig(fuse)
@ -275,6 +278,9 @@ fi


 %changelog
+* Thu Jul 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-4
+- Avoid SELinux denials caused by reading symbolic links in /var/lib/flatpak
+
 * Sun Jun 26 2022 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.13.3-3
 - Let flatpak own %%{_sysconfdir}/flatpak (RHBZ#2101073).