Avoid SELinux denials
... caused by: * Read access to /etc/passwd * Watching files inside /usr/libexec * Read access to /var/lib/flatpak https://bugzilla.redhat.com/show_bug.cgi?id=2053634 https://bugzilla.redhat.com/show_bug.cgi?id=2070350 https://bugzilla.redhat.com/show_bug.cgi?id=2070741
This commit is contained in:
		
							parent
							
								
									52deeed075
								
							
						
					
					
						commit
						b6e9962fa4
					
				
							
								
								
									
										105
									
								
								flatpak-selinux-permissions.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
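--- /dev/null
+++ b/flatpak-selinux-permissions.patch
@@ -0,0 +1,105 @@
+From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Tue, 12 Apr 2022 20:28:29 +0200
+Subject: [PATCH 1/3] selinux: Let the system helper have read access to
+ /etc/passwd
+
+The system-helper (ie., the `flatpak-system-helper` process) is
+labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
+domain, and needs to be able to read /etc/passwd.  This explicitly
+permits it to do so to avoid running into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2070350
+---
+ selinux/flatpak.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 2bcc507b725a..871ffa2906cc 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -12,6 +12,8 @@ type flatpak_helper_t;
+ type flatpak_helper_exec_t;
+ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
++auth_read_passwd(flatpak_helper_t)
++
+ optional_policy(`
+    dbus_stub()
+    dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+-- 
+2.35.1
+
+
+From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Tue, 12 Apr 2022 20:56:06 +0200
+Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
+ $libexecdir
+
+The system-helper (ie., the `flatpak-system-helper` process) is
+labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
+domain, and tries to set up an inotify(7) watch on it's own binary so
+that it can exit when the binary is replaced.  This explicitly permits
+it to do so to avoid running into SELinux denials.
+
+The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
+and is therefore used conditionally when defined.
+
+[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
+    https://github.com/fedora-selinux/selinux-policy/pull/1133
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2053634
+---
+ selinux/flatpak.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 871ffa2906cc..0bb776314ddb 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
+ auth_read_passwd(flatpak_helper_t)
+ 
++ifdef(`corecmd_watch_bin_dirs',`
++    corecmd_watch_bin_dirs(flatpak_helper_t)
++')
++
+ optional_policy(`
+    dbus_stub()
+    dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+-- 
+2.35.1
+
+
+From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Tue, 12 Apr 2022 22:33:11 +0200
+Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
+
+It's clearly quite important to have read access to /var/lib/flatpak
+and it's contents.  This explicitly permits that to avoid running
+into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2070741
+---
+ selinux/flatpak.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 0bb776314ddb..e1fd4377373f 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
+ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
+ auth_read_passwd(flatpak_helper_t)
++files_list_var_lib(flatpak_helper_t)
++files_read_var_lib_files(flatpak_helper_t)
+ 
+ ifdef(`corecmd_watch_bin_dirs',`
+    corecmd_watch_bin_dirs(flatpak_helper_t)
+-- 
+2.35.1
+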
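Review bot: `files_list_var_lib(flatpak_helper_t)` and `files_read_var_lib_files(flatpak_helper_t)` in PATCH 3/3 are, as their names indicate, interfaces over the generic var_lib_t type, so the helper gains list and read access across /var/lib as a whole rather than only /var/lib/flatpak as the subject line and the top-level commit message describe. If the state directory is, or can be, given a flatpak-specific file context, an allow rule scoped to that type would keep the grant to least privilege; if the generic interfaces are the only option in the target policy, that limitation should be stated in the commit message so the scope is not read as narrower than it is. The justification `It's clearly quite important to have read access to /var/lib/flatpak and it's contents.` also does not say which operation was denied; naming the denied access (the AVC from the linked bug) and adding a comment above the two new lines in flatpak.te such as `# flatpak-system-helper reads its state under /var/lib/flatpak; see rhbz#2070741` would let a later reviewer judge whether the grant can be tightened.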
@ -4,7 +4,7 @@
 | 
			
		||||
 | 
			
		||||
Name:           flatpak
 | 
			
		||||
Version:        1.13.2
 | 
			
		||||
Release:        1%{?dist}
 | 
			
		||||
Release:        2%{?dist}
 | 
			
		||||
Summary:        Application deployment framework for desktop apps
 | 
			
		||||
 | 
			
		||||
License:        LGPLv2+
 | 
			
		||||
@ -16,6 +16,8 @@ Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/
 | 
			
		||||
Source1:        flatpak-add-fedora-repos.service
 | 
			
		||||
%endif
 | 
			
		||||
 | 
			
		||||
Patch0:         flatpak-selinux-permissions.patch
 | 
			
		||||
 | 
			
		||||
BuildRequires:  pkgconfig(appstream) >= %{appstream_version}
 | 
			
		||||
BuildRequires:  pkgconfig(dconf)
 | 
			
		||||
BuildRequires:  pkgconfig(fuse)
 | 
			
		||||
@ -265,6 +267,10 @@ fi
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%changelog
 | 
			
		||||
* Tue Apr 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-2
 | 
			
		||||
- Avoid SELinux denials caused by read access to /etc/passwd, watching files
 | 
			
		||||
  inside /usr/libexec and read access to /var/lib/flatpak
 | 
			
		||||
 | 
			
		||||
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-1
 | 
			
		||||
- Update to 1.13.2 (#2064038)
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||