Avoid SELinux denials
... caused by: * Read access to /etc/passwd * Watching files inside /usr/libexec * Read access to /var/lib/flatpak https://bugzilla.redhat.com/show_bug.cgi?id=2053634 https://bugzilla.redhat.com/show_bug.cgi?id=2070350 https://bugzilla.redhat.com/show_bug.cgi?id=2070741
This commit is contained in:
parent
52deeed075
commit
b6e9962fa4
105
flatpak-selinux-permissions.patch
Normal file
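--- /dev/null
+++ b/flatpak-selinux-permissions.patch
@@ -0,0 +1,105 @@
+From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Tue, 12 Apr 2022 20:28:29 +0200
+Subject: [PATCH 1/3] selinux: Let the system helper have read access to
+ /etc/passwd
+
+The system-helper (ie., the `flatpak-system-helper` process) is
+labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
+domain, and needs to be able to read /etc/passwd. This explicitly
+permits it to do so to avoid running into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2070350
+---
+ selinux/flatpak.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 2bcc507b725a..871ffa2906cc 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -12,6 +12,8 @@ type flatpak_helper_t;
+ type flatpak_helper_exec_t;
+ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
++auth_read_passwd(flatpak_helper_t)
++
+ optional_policy(`
+ 	dbus_stub()
+ 	dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+-- 
+2.35.1
+
+
+From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Tue, 12 Apr 2022 20:56:06 +0200
+Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
+ $libexecdir
+
+The system-helper (ie., the `flatpak-system-helper` process) is
+labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
+domain, and tries to set up an inotify(7) watch on it's own binary so
+that it can exit when the binary is replaced. This explicitly permits
+it to do so to avoid running into SELinux denials.
+
+The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
+and is therefore used conditionally when defined.
+
+[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
+https://github.com/fedora-selinux/selinux-policy/pull/1133
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2053634
+---
+ selinux/flatpak.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 871ffa2906cc..0bb776314ddb 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
+ auth_read_passwd(flatpak_helper_t)
+ 
++ifdef(`corecmd_watch_bin_dirs',`
++	corecmd_watch_bin_dirs(flatpak_helper_t)
++')
++
+ optional_policy(`
+ 	dbus_stub()
+ 	dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+-- 
+2.35.1
+
+
+From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Tue, 12 Apr 2022 22:33:11 +0200
+Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
+
+It's clearly quite important to have read access to /var/lib/flatpak
+and it's contents. This explicitly permits that to avoid running
+into SELinux denials.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2070741
+---
+ selinux/flatpak.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index 0bb776314ddb..e1fd4377373f 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
+ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+ 
+ auth_read_passwd(flatpak_helper_t)
++files_list_var_lib(flatpak_helper_t)
++files_read_var_lib_files(flatpak_helper_t)
+ 
+ ifdef(`corecmd_watch_bin_dirs',`
+ 	corecmd_watch_bin_dirs(flatpak_helper_t)
+-- 
+2.35.1
+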
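Review bot: `files_list_var_lib(flatpak_helper_t)` and `files_read_var_lib_files(flatpak_helper_t)` in the third embedded patch grant list and read on everything labelled var_lib_t, i.e. the whole of /var/lib, while the subject line and the commit message only speak of /var/lib/flatpak. If the installation directory does carry the generic var_lib_t label this is the interface that is available without a dedicated type, but the wider scope should be stated where it is granted, e.g. `# /var/lib/flatpak is labelled var_lib_t, so this covers all of /var/lib` above the two calls, so the next reviewer sees that the grant is not confined to the flatpak tree; a flatpak-specific file context for /var/lib/flatpak with a matching read interface would be the narrower follow-up. The `ifdef(`corecmd_watch_bin_dirs',` guard in the second patch grants nothing on a selinux-policy that predates that interface, so the inotify denial from bug 2053634 persists there; the message should say that the fix only takes effect with the newer policy.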
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
Name: flatpak
|
Name: flatpak
|
||||||
Version: 1.13.2
|
Version: 1.13.2
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Application deployment framework for desktop apps
|
Summary: Application deployment framework for desktop apps
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -16,6 +16,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
|
|||||||
Source1: flatpak-add-fedora-repos.service
|
Source1: flatpak-add-fedora-repos.service
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
Patch0: flatpak-selinux-permissions.patch
|
||||||
|
|
||||||
BuildRequires: pkgconfig(appstream) >= %{appstream_version}
|
BuildRequires: pkgconfig(appstream) >= %{appstream_version}
|
||||||
BuildRequires: pkgconfig(dconf)
|
BuildRequires: pkgconfig(dconf)
|
||||||
BuildRequires: pkgconfig(fuse)
|
BuildRequires: pkgconfig(fuse)
|
||||||
@ -265,6 +267,10 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-2
|
||||||
|
- Avoid SELinux denials caused by read access to /etc/passwd, watching files
|
||||||
|
inside /usr/libexec and read access to /var/lib/flatpak
|
||||||
|
|
||||||
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-1
|
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-1
|
||||||
- Update to 1.13.2 (#2064038)
|
- Update to 1.13.2 (#2064038)
|
||||||
|
|
||||||
|