From bb46c1dbd63ff4b314836721267a1cf609f23ce8 Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Fri, 5 Apr 2019 16:01:10 +0200 Subject: Add selinux module to allow system-helper to work with revokefs Historycally the system helper has been running in a generic unconfined_service_t domain. However, this caused problems with the new revokefs support, because passing the revokefs unix domain socket over the system bus got it kicked of the bus, because to do this dbus-daemon needs rw rights to the socket. So, this module creates a custom domain flatpak_helper_t, which allows us to add special permissions to dbus-daemon to allow access to its sockets. The domain is otherwise uncontained just like before. I did try to make it contained, but that is a lot of work as the permissions it needs are very complex. Note to packagers on selinux systems, for flatpak to work well you need to install this module and relabel the system-helper binary. In my testing on fedora I used something like this: %post %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 fi With these new files: %{_datadir}/selinux/packages/flatpak.pp.bz2 %{_datadir}/selinux/devel/include/contrib/flatpak.if Closes: #2657 Approved by: alexlarsson --- Makefile.am | 1 + 1 file changed, 1 insertion(+) (limited to 'Makefile.am') diff --git a/Makefile.am b/Makefile.am index b354e0bd..c52f0bac 100644 --- a/Makefile.am +++ b/Makefile.am @@ -99,6 +99,7 @@ include portal/Makefile.am.inc include system-helper/Makefile.am.inc include icon-validator/Makefile.am.inc include revokefs/Makefile.am.inc +include selinux/Makefile.am.inc include tests/Makefile.am.inc if !WITH_SYSTEM_DBUS_PROXY -- cgit v1.2.1