authorAlexander Larsson <alexl@redhat.com>2019-04-05 16:01:10 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2019-04-09 09:18:15 +0000
commitbb46c1dbd63ff4b314836721267a1cf609f23ce8 (patch)
tree2fa0ce89096b4a9bd8beba23636ff855e8f6cfdf
parent081c3400b42c3c4538101ed981699ec7d5a2d2a3 (diff)
downloadflatpak-bb46c1dbd63ff4b314836721267a1cf609f23ce8.tar.gz
Add selinux module to allow system-helper to work with revokefs
Historically the system helper has been running in a generic unconfined_service_t domain. However, this caused problems with the new revokefs support, because passing the revokefs unix domain socket over the system bus got it kicked off the bus, because to do this dbus-daemon needs rw rights to the socket. So, this module creates a custom domain flatpak_helper_t, which allows us to add special permissions to dbus-daemon to allow access to its sockets. The domain is otherwise uncontained just like before. I did try to make it contained, but that is a lot of work as the permissions it needs are very complex. Note to packagers on selinux systems, for flatpak to work well you need to install this module and relabel the system-helper binary. In my testing on fedora I used something like this: %post %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 fi With these new files: %{_datadir}/selinux/packages/flatpak.pp.bz2 %{_datadir}/selinux/devel/include/contrib/flatpak.if Closes: #2657 Approved by: alexlarsson
-rw-r--r--Makefile.am1
-rw-r--r--configure.ac12
-rw-r--r--selinux/Makefile.am.inc24
-rw-r--r--selinux/flatpak.fc1
-rw-r--r--selinux/flatpak.if1
-rw-r--r--selinux/flatpak.te27
6 files changed, 66 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index b354e0bd..c52f0bac 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -99,6 +99,7 @@ include portal/Makefile.am.inc
include system-helper/Makefile.am.inc
include icon-validator/Makefile.am.inc
include revokefs/Makefile.am.inc
+include selinux/Makefile.am.inc
include tests/Makefile.am.inc
if !WITH_SYSTEM_DBUS_PROXY
diff --git a/configure.ac b/configure.ac
index ca49ceb1..f01afc7e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -236,6 +236,17 @@ AS_IF([ test x$have_gpgme = xno ], [
AC_MSG_ERROR([Need GPGME_PTHREAD version $LIBGPGME_DEPENDENCY or later])
])
+AC_ARG_ENABLE(selinux-module,
+ [AS_HELP_STRING([--enable-selinux-module],[Enable selinux module for system-helper])],
+ enable_selinux_module=$enableval, enable_selinux_module=auto)
+if test x$enable_selinux_module = xauto ; then
+ AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [enable_selinux_module=yes], [enable_selinux_module=no])
+fi
+if test x$enable_selinux_module = xyes ; then
+ AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [], [AC_MSG_ERROR([selinux-policy-devel needed to build selinux module])])
+fi
+AM_CONDITIONAL(BUILD_SELINUX_MODULE, test x$enable_selinux_module = xyes)
+
AC_ARG_ENABLE([system-helper],
AC_HELP_STRING([--disable-system-helper],
[Disable system helper]),
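Review bot: The `auto` branch calls AC_CHECK_FILE, which aborts configure outright when cross-compiling ("cannot check for file existence when cross compiling"), so with the new default every cross build of flatpak fails unless `--disable-selinux-module` is passed explicitly. For the probe a plain shell test is enough and has no cross-compile restriction: `AS_IF([test -f /usr/share/selinux/devel/Makefile], [enable_selinux_module=yes], [enable_selinux_module=no])`; the explicit `yes` branch can keep AC_CHECK_FILE (or the same test with AC_MSG_ERROR) so a forced build still fails early. The path `/usr/share/selinux/devel/Makefile` is also hard-coded here and again in selinux/Makefile.am.inc; defining it once (e.g. an AC_SUBST'd `SELINUX_DEVEL_MAKEFILE` with this as the default) would let packagers point at a non-default policy devel tree without patching both files.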
@@ -506,6 +517,7 @@ echo " Flatpak $FLATPAK_VERSION"
echo " ============="
echo ""
echo " Build system helper: $enable_system_helper"
+echo " Build selinux module: $enable_selinux_module"
echo " Build bubblewrap: $build_bwrap"
echo " Build dbus-proxy: $build_dbus_proxy"
echo " Use sandboxed triggers: $enable_sandboxed_triggers"
diff --git a/selinux/Makefile.am.inc b/selinux/Makefile.am.inc
new file mode 100644
index 00000000..d3580dde
--- /dev/null
+++ b/selinux/Makefile.am.inc
@@ -0,0 +1,24 @@
+selinux_moduledir = ${datadir}/selinux/packages
+selinux_module_DATA = $(NULL)
+
+selinux_develdir = ${datadir}/selinux/devel/include/contrib
+selinux_devel_DATA = $(NULL)
+
+flatpak.pp.bz2: selinux/flatpak.te selinux/flatpak.fc
+ $(eval TMP := $(shell mktemp -d selinux-build-XXXXXX))
+ cp $^ $(TMP)/
+ cd $(TMP) && make -f /usr/share/selinux/devel/Makefile flatpak.pp
+ bzip2 -9 $(TMP)/flatpak.pp
+ cp $(TMP)/flatpak.pp.bz2 .
+ rm -rf $(TMP)
+
+if BUILD_SELINUX_MODULE
+selinux_module_DATA += flatpak.pp.bz2
+selinux_devel_DATA += selinux/flatpak.if
+endif
+
+EXTRA_DIST += \
+ selinux/flatpak.te \
+ selinux/flatpak.fc \
+ selinux/flatpak.if \
+ $(NULL)
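Review bot: The recipe for `flatpak.pp.bz2` uses `$(eval ...)` and `$(shell ...)`, which are GNU make extensions that automake does not model and which run `mktemp` when the recipe is expanded rather than as a step of it; if `mktemp` fails, `TMP` is empty and the following `cp $^ $(TMP)/` becomes `cp ... /`. The inner build also calls bare `make` instead of `$(MAKE)`, losing the jobserver and any user flags, and the temp directory is never removed when any step fails. I would write the whole thing as one shell chain that cleans up on every exit path, copy to `$@` so VPATH builds land in the build dir, and add `flatpak.pp.bz2` to CLEANFILES (assuming the top-level Makefile.am defines it the way it defines EXTRA_DIST, which this hunk extends) so `make clean` removes the generated module.

```make
flatpak.pp.bz2: selinux/flatpak.te selinux/flatpak.fc
	tmp=`mktemp -d selinux-build-XXXXXX` && \
	cp $^ $$tmp/ && \
	(cd $$tmp && $(MAKE) -f /usr/share/selinux/devel/Makefile flatpak.pp) && \
	bzip2 -9 $$tmp/flatpak.pp && \
	cp $$tmp/flatpak.pp.bz2 $@; \
	status=$$?; rm -rf "$$tmp"; exit $$status

# … unchanged: BUILD_SELINUX_MODULE conditional and EXTRA_DIST …
CLEANFILES += flatpak.pp.bz2
```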
diff --git a/selinux/flatpak.fc b/selinux/flatpak.fc
new file mode 100644
index 00000000..dc5b3bf8
--- /dev/null
+++ b/selinux/flatpak.fc
@@ -0,0 +1 @@
+/usr/libexec/flatpak-system-helper -- gen_context(system_u:object_r:flatpak_helper_exec_t,s0)
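Review bot: The file context hard-codes `/usr/libexec/flatpak-system-helper`, while the binary is installed under the configured `libexecdir`, which on many distributions is not `/usr/libexec` (Debian-style layouts use `/usr/lib/...`, and a `/usr/local` prefix is common for source builds). When the paths differ the helper keeps whatever label the directory default gives it, the `flatpak_helper_t` transition never happens, and the dbus socket permission this commit exists to grant is silently not in effect — there is no error, only the original revokefs failure. Generating this file at configure time (a `flatpak.fc.in` with `@libexecdir@/flatpak-system-helper -- gen_context(...)`) would keep the label in step with the install location; at minimum the packager note in the commit message should say the path must match `libexecdir`.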
diff --git a/selinux/flatpak.if b/selinux/flatpak.if
new file mode 100644
index 00000000..3eb6a305
--- /dev/null
+++ b/selinux/flatpak.if
@@ -0,0 +1 @@
+## <summary></summary>
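Review bot: The interface file ships with an empty `<summary>` element, and it is the file that gets installed into `selinux/devel/include/contrib` for other policy authors to read. A one-line description is all that is needed here, e.g. `## <summary>Flatpak system helper (flatpak-system-helper), an unconfined daemon domain with extra dbus-daemon socket permissions.</summary>`; if any interfaces are later added for `flatpak_helper_t`, they belong in this file too.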
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
new file mode 100644
index 00000000..74bf8452
--- /dev/null
+++ b/selinux/flatpak.te
@@ -0,0 +1,27 @@
+policy_module(flatpak, 0.0.1)
+
+# The flatpak-system helper used to be a regular unconfined_service_t
+# but this failed because it was not allowed to pass a unix socket fd
+# over dbus-daemon. This module fixes that by creating an unconfined
+# domain with some additional dbus permissions.
+
+# I did try to make the domain confined, but it needs a lot of
+# permissions and my selinux-foo just isn't good enough.
+
+type flatpak_helper_t;
+type flatpak_helper_exec_t;
+init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+
+unconfined_domain(flatpak_helper_t)
+
+optional_policy(`
+ dbus_stub()
+ dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+
+ # Allow passing the revokefs socket over dbus
+ allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+optional_policy(`
+ policykit_dbus_chat(flatpak_helper_t)
+')
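Review bot: The rule `allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;` grants dbus-daemon the full read/write permission set on every unix stream socket labeled `flatpak_helper_t`, not just the revokefs socket the comment describes; in refpolicy that set, as far as I recall, also includes `bind`, `connect`, `listen` and `accept`, which fd passing does not need — confirm against the AVC denials that motivated the change and narrow to the permissions actually reported (likely `{ read write }`), or say in the comment that the wider set is deliberate. The comment on the rule should also state the scope, e.g. `# dbus-daemon needs rw access to any flatpak_helper_t unix socket so the revokefs fd can be passed over the system bus`, so a later reviewer does not assume it is limited to revokefs. Separately, `unconfined_domain(flatpak_helper_t)` on the unconditional path will make the module fail to build on a policy where the unconfined module is not installed; other contrib policies usually wrap that call in `optional_policy(` ... `)`, and the same applies here unless an unconfined policy is a hard requirement.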