From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Tue, 12 Apr 2022 20:28:29 +0200 Subject: [PATCH 1/3] selinux: Let the system helper have read access to /etc/passwd The system-helper (ie., the `flatpak-system-helper` process) is labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t domain, and needs to be able to read /etc/passwd. This explicitly permits it to do so to avoid running into SELinux denials. https://bugzilla.redhat.com/show_bug.cgi?id=2070350 --- selinux/flatpak.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/selinux/flatpak.te b/selinux/flatpak.te index 2bcc507b725a..871ffa2906cc 100644 --- a/selinux/flatpak.te +++ b/selinux/flatpak.te @@ -12,6 +12,8 @@ type flatpak_helper_t; type flatpak_helper_exec_t; init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t) +auth_read_passwd(flatpak_helper_t) + optional_policy(` dbus_stub() dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t) -- 2.35.1 From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Tue, 12 Apr 2022 20:56:06 +0200 Subject: [PATCH 2/3] selinux: Let the system helper watch files inside $libexecdir The system-helper (ie., the `flatpak-system-helper` process) is labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t domain, and tries to set up an inotify(7) watch on it's own binary so that it can exit when the binary is replaced. This explicitly permits it to do so to avoid running into SELinux denials. The corecmd_watch_bin_dirs SELinux interface is a recent addition [1], and is therefore used conditionally when defined. [1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293 https://github.com/fedora-selinux/selinux-policy/pull/1133 https://bugzilla.redhat.com/show_bug.cgi?id=2053634 --- selinux/flatpak.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/selinux/flatpak.te b/selinux/flatpak.te index 871ffa2906cc..0bb776314ddb 100644 --- a/selinux/flatpak.te +++ b/selinux/flatpak.te @@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t) auth_read_passwd(flatpak_helper_t) +ifdef(`corecmd_watch_bin_dirs',` + corecmd_watch_bin_dirs(flatpak_helper_t) +') + optional_policy(` dbus_stub() dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t) -- 2.35.1 From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Tue, 12 Apr 2022 22:33:11 +0200 Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak It's clearly quite important to have read access to /var/lib/flatpak and it's contents. This explicitly permits that to avoid running into SELinux denials. https://bugzilla.redhat.com/show_bug.cgi?id=2070741 --- selinux/flatpak.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/selinux/flatpak.te b/selinux/flatpak.te index 0bb776314ddb..e1fd4377373f 100644 --- a/selinux/flatpak.te +++ b/selinux/flatpak.te @@ -13,6 +13,8 @@ type flatpak_helper_exec_t; init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t) auth_read_passwd(flatpak_helper_t) +files_list_var_lib(flatpak_helper_t) +files_read_var_lib_files(flatpak_helper_t) ifdef(`corecmd_watch_bin_dirs',` corecmd_watch_bin_dirs(flatpak_helper_t) -- 2.35.1