From 002e4455d80fdf692a8feb88b563e5ab37340220 Mon Sep 17 00:00:00 2001
From: Debarshi Ray
Date: Tue, 12 Apr 2022 20:28:29 +0200
Subject: [PATCH] selinux: Let the system helper have read access to /etc/passwd

The system-helper (ie., the `flatpak-system-helper` process) is labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t domain, and needs to be able to read /etc/passwd. This explicitly permits it to do so to avoid running into SELinux denials.

https://bugzilla.redhat.com/show_bug.cgi?id=2070350
---
 selinux/flatpak.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 2bcc507b..871ffa29 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -12,6 +12,8 @@ type flatpak_helper_t;
 type flatpak_helper_exec_t;
 init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
 
+auth_read_passwd(flatpak_helper_t)
+
 optional_policy(`
 dbus_stub()
 dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
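Review bot: The added `auth_read_passwd(flatpak_helper_t)` line has no comment, so the policy file does not record why the helper domain holds this access; the reason is only in the commit message. I would put a line above it such as `# flatpak-system-helper needs to read /etc/passwd, see rhbz#2070350`. The interface name suggests the grant is limited to the passwd file rather than wider authentication data, which fits least privilege. The commit does not say which helper operation triggers the read, and naming it in the comment would help a later reviewer judge whether the rule is still needed. The `optional_policy` block that follows continues outside the hunk.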