Add selinux module to allow system-helper to work with revokefs

Historycally the system helper has been running in a generic unconfined_service_t domain. However, this caused problems with the new revokefs support, because passing the revokefs unix domain socket over the system bus got it kicked of the bus, because to do this dbus-daemon needs rw rights to the socket. So, this module creates a custom domain flatpak_helper_t, which allows us to add special permissions to dbus-daemon to allow access to its sockets. The domain is otherwise uncontained just like before. I did try to make it contained, but that is a lot of work as the permissions it needs are very complex. Note to packagers on selinux systems, for flatpak to work well you need to install this module and relabel the system-helper binary. In my testing on fedora I used something like this: %post %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 fi With these new files: %{_datadir}/selinux/packages/flatpak.pp.bz2 %{_datadir}/selinux/devel/include/contrib/flatpak.if Closes: #2657 Approved by: alexlarsson
2026-05-07 23:43:35 -04:00 · 2019-04-05 16:01:10 +02:00
parent 081c3400b4
commit bb46c1dbd6
6 changed files with 66 additions and 0 deletions
--- a/Makefile.am
+++ b/Makefile.am
@@ -99,6 +99,7 @@ include portal/Makefile.am.inc
 include system-helper/Makefile.am.inc
 include icon-validator/Makefile.am.inc
 include revokefs/Makefile.am.inc
+include selinux/Makefile.am.inc
 include tests/Makefile.am.inc

 if !WITH_SYSTEM_DBUS_PROXY
--- a/configure.ac
+++ b/configure.ac
@@ -236,6 +236,17 @@ AS_IF([ test x$have_gpgme = xno ], [
   AC_MSG_ERROR([Need GPGME_PTHREAD version $LIBGPGME_DEPENDENCY or later])
 ])

+AC_ARG_ENABLE(selinux-module,
+        [AS_HELP_STRING([--enable-selinux-module],[Enable selinux module for system-helper])],
+        enable_selinux_module=$enableval, enable_selinux_module=auto)
+if test x$enable_selinux_module = xauto ; then
+   AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [enable_selinux_module=yes],  [enable_selinux_module=no])
+fi
+if test x$enable_selinux_module = xyes ; then
+   AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [],  [AC_MSG_ERROR([selinux-policy-devel needed to build selinux module])])
+fi
+AM_CONDITIONAL(BUILD_SELINUX_MODULE, test x$enable_selinux_module = xyes)
+
 AC_ARG_ENABLE([system-helper],
              AC_HELP_STRING([--disable-system-helper],
                             [Disable system helper]),
@@ -506,6 +517,7 @@ echo "          Flatpak $FLATPAK_VERSION"
 echo "          ============="
 echo ""
 echo "          Build system helper:    $enable_system_helper"
+echo "          Build selinux module:   $enable_selinux_module"
 echo "          Build bubblewrap:       $build_bwrap"
 echo "          Build dbus-proxy:       $build_dbus_proxy"
 echo "          Use sandboxed triggers: $enable_sandboxed_triggers"
--- a/selinux/Makefile.am.inc
+++ b/selinux/Makefile.am.inc
@@ -0,0 +1,24 @@
+selinux_moduledir = ${datadir}/selinux/packages
+selinux_module_DATA = $(NULL)
+
+selinux_develdir = ${datadir}/selinux/devel/include/contrib
+selinux_devel_DATA = $(NULL)
+
+flatpak.pp.bz2: selinux/flatpak.te selinux/flatpak.fc
+	$(eval TMP := $(shell mktemp -d selinux-build-XXXXXX))
+	cp $^ $(TMP)/
+	cd $(TMP) && make -f /usr/share/selinux/devel/Makefile flatpak.pp
+	bzip2 -9 $(TMP)/flatpak.pp
+	cp $(TMP)/flatpak.pp.bz2 .
+	rm -rf $(TMP)
+
+if BUILD_SELINUX_MODULE
+selinux_module_DATA += flatpak.pp.bz2
+selinux_devel_DATA += selinux/flatpak.if
+endif
+
+EXTRA_DIST += \
+	selinux/flatpak.te \
+	selinux/flatpak.fc \
+	selinux/flatpak.if \
+	$(NULL)
--- a/selinux/flatpak.fc
+++ b/selinux/flatpak.fc
@@ -0,0 +1 @@
+/usr/libexec/flatpak-system-helper	--	gen_context(system_u:object_r:flatpak_helper_exec_t,s0)
--- a/selinux/flatpak.if
+++ b/selinux/flatpak.if
@@ -0,0 +1 @@
+## <summary></summary>
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -0,0 +1,27 @@
+policy_module(flatpak, 0.0.1)
+
+# The flatpak-system helper used to be a regular unconfined_service_t
+# but this failed because it was not allowed to pass a unix socket fd
+# over dbus-daemon. This module fixes that by creating an unconfined
+# domain with some additional dbus permissions.
+
+# I did try to make the domain confined, but it needs a lot of
+# permissions and my selinux-foo just isn't good enough.
+
+type flatpak_helper_t;
+type flatpak_helper_exec_t;
+init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+
+unconfined_domain(flatpak_helper_t)
+
+optional_policy(`
+    dbus_stub()
+    dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+
+    # Allow passing the revokefs socket over dbus
+    allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+optional_policy(`
+   policykit_dbus_chat(flatpak_helper_t)
+')
				`@@ -0,0 +1 @@`
				`/usr/libexec/flatpak-system-helper -- gen_context(system_u:object_r:flatpak_helper_exec_t,s0)`