selinux/flatpak.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

policy_module(flatpak, 0.0.1)

# The flatpak-system helper used to be a regular unconfined_service_t
# but this failed because it was not allowed to pass a unix socket fd
# over dbus-daemon. This module fixes that by creating an unconfined
# domain with some additional dbus permissions.

# I did try to make the domain confined, but it needs a lot of
# permissions and my selinux-foo just isn't good enough.

type flatpak_helper_t;
type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)

auth_read_passwd(flatpak_helper_t)

ifdef(`corecmd_watch_bin_dirs',`
    corecmd_watch_bin_dirs(flatpak_helper_t)
')

optional_policy(`
    dbus_stub()
    dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)

    # Allow passing the revokefs socket over dbus
    allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
')

optional_policy(`
   policykit_dbus_chat(flatpak_helper_t)
')

optional_policy(`                   
    unconfined_domain(flatpak_helper_t)
')