| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Install flatpak.if to the same location for Autotools and meson.
|
|
|
|
|
| |
With custom_target, providing build_by_default is not enough to install
the output, which must be explicitly requested.
|
|
|
|
|
| |
Resolves: https://github.com/flatpak/flatpak/issues/2241
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
| |
Commit 8617ab0ad0243f5a granted read and lock access to
/var/lib/flatpak but didn't cover symbolic links. This explicitly
permits that to avoid running into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2071215
|
|
|
|
|
|
|
|
|
|
| |
The systemd-userdbd service was added in systemd 245, which was
released in March 2020 and is available in RHEL 9. Therefore, it's
safe to assume that the systemd_userdbd_stream_connect() SELinux
interface is also available on all relevant operating systems, unless
there's reason to believe otherwise.
https://bugzilla.redhat.com/show_bug.cgi?id=2071217
|
|
|
|
|
|
| |
This will make them easier to share between Autotools and Meson.
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
| |
It's clearly quite important to have read access to /var/lib/flatpak
and it's contents. This explicitly permits that to avoid running
into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and tries to set up an inotify(7) watch on it's own binary so
that it can exit when the binary is replaced. This explicitly permits
it to do so to avoid running into SELinux denials.
The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
and is therefore used conditionally when defined.
[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
https://github.com/fedora-selinux/selinux-policy/pull/1133
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
|
|
|
|
|
|
|
|
|
| |
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and needs to be able to read /etc/passwd. This explicitly
permits it to do so to avoid running into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
|
|
|
|
| |
Fixed bug where disabling unconfined module fails because macro unconfined_domain(flatpak_helper_t) wasn't in optional_policy block
|
|
|
|
|
| |
...by moving everything selinux specific into the scope of the
if.
|
| |
|
|
Historycally the system helper has been running in a generic
unconfined_service_t domain. However, this caused problems with the
new revokefs support, because passing the revokefs unix domain socket
over the system bus got it kicked of the bus, because to do this
dbus-daemon needs rw rights to the socket.
So, this module creates a custom domain flatpak_helper_t, which
allows us to add special permissions to dbus-daemon to allow
access to its sockets.
The domain is otherwise uncontained just like before. I did try
to make it contained, but that is a lot of work as the permissions
it needs are very complex.
Note to packagers on selinux systems, for flatpak to work well
you need to install this module and relabel the system-helper
binary.
In my testing on fedora I used something like this:
%post
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
%postun
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
fi
With these new files:
%{_datadir}/selinux/packages/flatpak.pp.bz2
%{_datadir}/selinux/devel/include/contrib/flatpak.if
Closes: #2657
Approved by: alexlarsson
|