blob: 0bb776314ddb0b078db324c74113e445531af5c7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
policy_module(flatpak, 0.0.1)
# The flatpak-system helper used to be a regular unconfined_service_t
# but this failed because it was not allowed to pass a unix socket fd
# over dbus-daemon. This module fixes that by creating an unconfined
# domain with some additional dbus permissions.
# I did try to make the domain confined, but it needs a lot of
# permissions and my selinux-foo just isn't good enough.
type flatpak_helper_t;
type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
auth_read_passwd(flatpak_helper_t)
ifdef(`corecmd_watch_bin_dirs',`
corecmd_watch_bin_dirs(flatpak_helper_t)
')
optional_policy(`
dbus_stub()
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
# Allow passing the revokefs socket over dbus
allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
')
optional_policy(`
policykit_dbus_chat(flatpak_helper_t)
')
optional_policy(`
unconfined_domain(flatpak_helper_t)
')
|