From b6e9962fa41fec1c46393f7a81e4a3b4e32f1436 Mon Sep 17 00:00:00 2001
From: Debarshi Ray
Date: Tue, 12 Apr 2022 23:07:36 +0200
Subject: [PATCH] Avoid SELinux denials ... caused by:
* Read access to /etc/passwd
* Watching files inside /usr/libexec
* Read access to /var/lib/flatpak
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
---
 flatpak-selinux-permissions.patch | 105 ++++++++++++++++++++++++++++++
 flatpak.spec | 8 ++-
 2 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 flatpak-selinux-permissions.patch
diff --git a/flatpak-selinux-permissions.patch b/flatpak-selinux-permissions.patch
new file mode 100644
index 0000000..1234a97
--- /dev/null
+++ b/flatpak-selinux-permissions.patch
@@ -0,0 +1,105 @@
+From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Tue, 12 Apr 2022 20:28:29 +0200
+Subject: [PATCH 1/3] selinux: Let the system helper have read access to
+ /etc/passwd
+
+The system-helper (ie., the `flatpak-system-helper` process) is
+labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
+domain, and needs to be able to read /etc/passwd. This explicitly
+permits it to do so to avoid running into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2070350
+---
+ selinux/flatpak.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 2bcc507b725a..871ffa2906cc 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -12,6 +12,8 @@ type flatpak_helper_t;
+ type flatpak_helper_exec_t;
+ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
++auth_read_passwd(flatpak_helper_t)
++
+ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+-- 
+2.35.1
+
+
+From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Tue, 12 Apr 2022 20:56:06 +0200
+Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
+ $libexecdir
+
+The system-helper (ie., the `flatpak-system-helper` process) is
+labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
+domain, and tries to set up an inotify(7) watch on it's own binary so
+that it can exit when the binary is replaced. This explicitly permits
+it to do so to avoid running into SELinux denials.
+
+The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
+and is therefore used conditionally when defined.
+
+[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
+ https://github.com/fedora-selinux/selinux-policy/pull/1133
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2053634
+---
+ selinux/flatpak.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 871ffa2906cc..0bb776314ddb 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
+ auth_read_passwd(flatpak_helper_t)
+ 
++ifdef(`corecmd_watch_bin_dirs',`
++ corecmd_watch_bin_dirs(flatpak_helper_t)
++')
++
+ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+-- 
+2.35.1
+
+
+From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Tue, 12 Apr 2022 22:33:11 +0200
+Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
+
+It's clearly quite important to have read access to /var/lib/flatpak
+and it's contents. This explicitly permits that to avoid running
+into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2070741
+---
+ selinux/flatpak.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 0bb776314ddb..e1fd4377373f 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
+ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
+ auth_read_passwd(flatpak_helper_t)
++files_list_var_lib(flatpak_helper_t)
++files_read_var_lib_files(flatpak_helper_t)
+ 
+ ifdef(`corecmd_watch_bin_dirs',`
+ corecmd_watch_bin_dirs(flatpak_helper_t)
+-- 
+2.35.1
+
diff --git a/flatpak.spec b/flatpak.spec
index b14ad54..b3eefd1 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -4,7 +4,7 @@
 Name: flatpak
 Version: 1.13.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
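Review bot: `files_read_var_lib_files(flatpak_helper_t)` in the third inner hunk permits reading every file labelled var_lib_t anywhere under /var/lib, although the commit message and the bug only call for /var/lib/flatpak; if flatpak.fc gives that tree its own type, a `read_files_pattern` rule on that type keeps the helper to least privilege, so check the target context in the reported AVC before settling on the generic interface. The two interfaces also cover only the dir and file classes; if the system installation tree contains symlinks (I believe flatpak uses `current`/`active` links), `files_read_var_lib_symlinks(flatpak_helper_t)` is needed as well or the next denial is only deferred. In the second inner hunk, the `ifdef` guard around `corecmd_watch_bin_dirs` means a module built against older policy headers silently keeps the watch denial the patch sets out to fix; a comment such as `# no fallback: on selinux-policy without this interface the watch denial remains` above the ifdef would make that trade-off explicit to the next maintainer.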
@@ -16,6 +16,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
 Source1: flatpak-add-fedora-repos.service
 %endif
 
+Patch0: flatpak-selinux-permissions.patch
+
 BuildRequires: pkgconfig(appstream) >= %{appstream_version}
 BuildRequires: pkgconfig(dconf)
 BuildRequires: pkgconfig(fuse)
@@ -265,6 +267,10 @@
 fi
 %changelog
+* Tue Apr 12 2022 Debarshi Ray - 1.13.2-2
+- Avoid SELinux denials caused by read access to /etc/passwd, watching files
+ inside /usr/libexec and read access to /var/lib/flatpak
+
 * Thu Mar 17 2022 Debarshi Ray - 1.13.2-1
 - Update to 1.13.2 (#2064038)
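Review bot: `Patch0: flatpak-selinux-permissions.patch` is declared but nothing in the diff applies it, and %prep is outside this hunk; unless %prep already uses `%autosetup -p1` (not visible here), a `%patch0 -p1` after `%setup -q` is required or the build silently ships without the SELinux fix the changelog advertises. A comment naming the bugs next to the declaration, e.g. `# SELinux policy fixes, rhbz#2053634 #2070350 #2070741 (upstream commits b20c074f, d6743d58, 04524cb3)`, would match how the earlier changelog entry cites its bug and tells the next packager when the patch can be dropped once an upstream release carries those commits.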