diff options
| author | Debarshi Ray <debarshir@gnome.org> | 2022-04-12 20:56:06 +0200 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2022-04-23 16:13:00 +0100 |
| commit | f8a9153d0ed464dbd1668976bf5b00edc845c80d (patch) | |
| tree | 141239cfd158d4e275f17e4f9004b538576932f3 /selinux | |
| parent | 45d86effce96b6862eaa68aab4af582ff4ce2c3c (diff) | |
| download | flatpak-f8a9153d0ed464dbd1668976bf5b00edc845c80d.tar.gz | |
selinux: Let the system helper watch files inside $libexecdir
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and tries to set up an inotify(7) watch on it's own binary so
that it can exit when the binary is replaced. This explicitly permits
it to do so to avoid running into SELinux denials.
The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
and is therefore used conditionally when defined.
[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
https://github.com/fedora-selinux/selinux-policy/pull/1133
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
Diffstat (limited to 'selinux')
| -rw-r--r-- | selinux/flatpak.te | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/selinux/flatpak.te b/selinux/flatpak.te index 871ffa29..0bb77631 100644 --- a/selinux/flatpak.te +++ b/selinux/flatpak.te @@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t) auth_read_passwd(flatpak_helper_t) +ifdef(`corecmd_watch_bin_dirs',` + corecmd_watch_bin_dirs(flatpak_helper_t) +') + optional_policy(` dbus_stub() dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t) |