b6e9962fa4
... caused by: * Read access to /etc/passwd * Watching files inside /usr/libexec * Read access to /var/lib/flatpak https://bugzilla.redhat.com/show_bug.cgi?id=2053634 https://bugzilla.redhat.com/show_bug.cgi?id=2070350 https://bugzilla.redhat.com/show_bug.cgi?id=2070741
From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
|
|
From: Debarshi Ray <debarshir@gnome.org>
|
|
Date: Tue, 12 Apr 2022 20:28:29 +0200
|
|
Subject: [PATCH 1/3] selinux: Let the system helper have read access to
|
|
/etc/passwd
|
|
|
|
The system-helper (i.e., the `flatpak-system-helper` process) is
|
|
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
|
|
domain, and needs to be able to read /etc/passwd. This explicitly
|
|
permits it to do so to avoid running into SELinux denials.
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
|
|
---
|
|
selinux/flatpak.te | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
|
index 2bcc507b725a..871ffa2906cc 100644
|
|
--- a/selinux/flatpak.te
|
|
+++ b/selinux/flatpak.te
|
|
@@ -12,6 +12,8 @@ type flatpak_helper_t;
|
|
type flatpak_helper_exec_t;
|
|
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
|
|
|
+auth_read_passwd(flatpak_helper_t)
|
|
+
|
|
optional_policy(`
|
|
dbus_stub()
|
|
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
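Review bot: The new `auth_read_passwd(flatpak_helper_t)` line carries no comment saying which operation in flatpak-system-helper needs passwd-file read, so a later maintainer cannot tell whether the rule is still required or safe to drop. Add a short comment above it, e.g. `# flatpak-system-helper reads /etc/passwd (rhbz#2070350)`, ideally quoting the AVC denial from the bug so the rule can be re-checked against the code path. As far as I recall, auth_read_passwd grants read on the passwd file type only (not shadow), so the grant itself is appropriately narrow for what the hunk shows.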
|
|
--
|
|
2.35.1
From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
|
|
From: Debarshi Ray <debarshir@gnome.org>
|
|
Date: Tue, 12 Apr 2022 20:56:06 +0200
|
|
Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
|
|
$libexecdir
|
|
|
|
The system-helper (ie., the `flatpak-system-helper` process) is
|
|
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
|
|
domain, and tries to set up an inotify(7) watch on its own binary so
|
|
that it can exit when the binary is replaced. This explicitly permits
|
|
it to do so to avoid running into SELinux denials.
|
|
|
|
The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
|
|
and is therefore used conditionally when defined.
|
|
|
|
[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
|
|
https://github.com/fedora-selinux/selinux-policy/pull/1133
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
|
|
---
|
|
selinux/flatpak.te | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
|
index 871ffa2906cc..0bb776314ddb 100644
|
|
--- a/selinux/flatpak.te
|
|
+++ b/selinux/flatpak.te
|
|
@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
|
|
|
auth_read_passwd(flatpak_helper_t)
|
|
|
|
+ifdef(`corecmd_watch_bin_dirs',`
|
|
+ corecmd_watch_bin_dirs(flatpak_helper_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
dbus_stub()
|
|
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
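Review bot: The commit message says the helper watches its own binary, but `corecmd_watch_bin_dirs` grants `watch` on bin_t directories, not on the flatpak_helper_exec_t file itself; if the monitor is implemented as an inotify watch on the parent directory (`/usr/libexec`, which is bin_t), the interface matches, but that should be recorded next to the rule, e.g. `# the helper watches the directory holding its binary, not the file (rhbz#2053634)`. The `ifdef` also means that on a policy without this interface the rule is silently dropped and the denial remains; a one-line comment saying that is the intended fallback would stop someone "fixing" it with an unconditional allow later. The surrounding `optional_policy` block continues outside the hunk.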
|
|
--
|
|
2.35.1
From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
|
|
From: Debarshi Ray <debarshir@gnome.org>
|
|
Date: Tue, 12 Apr 2022 22:33:11 +0200
|
|
Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
|
|
|
|
It's clearly quite important to have read access to /var/lib/flatpak
|
|
and its contents. This explicitly permits that to avoid running
|
|
into SELinux denials.
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
|
|
---
|
|
selinux/flatpak.te | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
|
index 0bb776314ddb..e1fd4377373f 100644
|
|
--- a/selinux/flatpak.te
|
|
+++ b/selinux/flatpak.te
|
|
@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
|
|
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
|
|
|
auth_read_passwd(flatpak_helper_t)
|
|
+files_list_var_lib(flatpak_helper_t)
|
|
+files_read_var_lib_files(flatpak_helper_t)
|
|
|
|
ifdef(`corecmd_watch_bin_dirs',`
|
|
corecmd_watch_bin_dirs(flatpak_helper_t)
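Review bot: `files_list_var_lib` and `files_read_var_lib_files` grant listing and read on every var_lib_t directory and file, not only /var/lib/flatpak, because the flatpak installation has no type of its own; that is wider than the subject line suggests and deserves a comment, e.g. `# /var/lib/flatpak is var_lib_t; this also covers other var_lib_t content (rhbz#2070741)`. If the denials in the bug include lnk_file reads (flatpak deployments are commonly reached through symlinks), `files_read_var_lib_symlinks(flatpak_helper_t)` may be needed as well — worth checking against the AVC log before merging. A dedicated type for /var/lib/flatpak would be the least-privilege fix, but it needs file contexts and a relabel on upgrade, so it is reasonable to leave that out of this hunk as long as the broader grant is documented.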
|
|
--
|
|
2.35.1