Avoid SELinux denials

... caused by:
  * Read access to /etc/passwd
  * Watching files inside /usr/libexec
  * Read access to /var/lib/flatpak

https://bugzilla.redhat.com/show_bug.cgi?id=2053634
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
Debarshi Ray 2022-04-12 23:07:36 +02:00
parent 52deeed075
commit b6e9962fa4
2 changed files with 112 additions and 1 deletions


@ -0,0 +1,105 @@
From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 12 Apr 2022 20:28:29 +0200
Subject: [PATCH 1/3] selinux: Let the system helper have read access to
/etc/passwd
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and needs to be able to read /etc/passwd. This explicitly
permits it to do so to avoid running into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
---
selinux/flatpak.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 2bcc507b725a..871ffa2906cc 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -12,6 +12,8 @@ type flatpak_helper_t;
type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+auth_read_passwd(flatpak_helper_t)
+
optional_policy(`
dbus_stub()
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
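Review bot: The `auth_read_passwd(flatpak_helper_t)` line is added with no comment in flatpak.te saying why the helper needs /etc/passwd, and the commit message only states that it does. A one-line comment above the call naming the reason and the bug (rhbz#2070350) would let a later policy audit decide whether the grant is still required.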
--
2.35.1
From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 12 Apr 2022 20:56:06 +0200
Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
$libexecdir
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and tries to set up an inotify(7) watch on it's own binary so
that it can exit when the binary is replaced. This explicitly permits
it to do so to avoid running into SELinux denials.
The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
and is therefore used conditionally when defined.
[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
https://github.com/fedora-selinux/selinux-policy/pull/1133
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
---
selinux/flatpak.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 871ffa2906cc..0bb776314ddb 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
auth_read_passwd(flatpak_helper_t)
+ifdef(`corecmd_watch_bin_dirs',`
+ corecmd_watch_bin_dirs(flatpak_helper_t)
+')
+
optional_policy(`
dbus_stub()
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
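Review bot: The ifdef guard around `corecmd_watch_bin_dirs(flatpak_helper_t)` drops the rule silently when the interface is not defined, so on a policy that predates it the watch denial from rhbz#2053634 remains and nothing in flatpak.te says so. Add a comment above the ifdef recording that the interface is recent and what happens without it. The interface name also refers to bin directories while the commit message describes a watch on the helper's own binary, so confirm that the granted scope is no wider than the inotify watch needs.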
--
2.35.1
From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 12 Apr 2022 22:33:11 +0200
Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
It's clearly quite important to have read access to /var/lib/flatpak
and it's contents. This explicitly permits that to avoid running
into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
---
selinux/flatpak.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 0bb776314ddb..e1fd4377373f 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
auth_read_passwd(flatpak_helper_t)
+files_list_var_lib(flatpak_helper_t)
+files_read_var_lib_files(flatpak_helper_t)
ifdef(`corecmd_watch_bin_dirs',`
corecmd_watch_bin_dirs(flatpak_helper_t)
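Review bot: `files_list_var_lib` and `files_read_var_lib_files` are named for /var/lib as a whole, while the subject and message ask only for read access to /var/lib/flatpak. If these interfaces cover the generic /var/lib label, the helper gains read access to every other file that carries it; a dedicated type and file context for /var/lib/flatpak would keep the grant to what the message describes. At minimum, state in the commit message which label /var/lib/flatpak carries so the breadth of the rule can be judged.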
--
2.35.1


@ -4,7 +4,7 @@
Name: flatpak
Version: 1.13.2
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
@ -16,6 +16,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
Source1: flatpak-add-fedora-repos.service
%endif
Patch0: flatpak-selinux-permissions.patch
BuildRequires: pkgconfig(appstream) >= %{appstream_version}
BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse)
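Review bot: `Patch0: flatpak-selinux-permissions.patch` is added without a comment above it giving the patch's upstream status, and no hunk in this commit touches %prep, so the patch is applied only if %prep already uses %autosetup or an equivalent. Confirm that, and add a comment line above Patch0 pointing to the upstream submission or to the bug reports listed in the commit message.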
@ -265,6 +267,10 @@ fi
%changelog
* Tue Apr 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-2
- Avoid SELinux denials caused by read access to /etc/passwd, watching files
inside /usr/libexec and read access to /var/lib/flatpak
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-1
- Update to 1.13.2 (#2064038)
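Review bot: The new %changelog entry omits the bug numbers, while the entry below it cites one as (#2064038). Appending the three Bugzilla IDs from the commit message (#2053634, #2070350, #2070741) keeps the fix traceable from the package changelog.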