diff --git a/Makefile.am b/Makefile.am
index b354e0bd..c52f0bac 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -99,6 +99,7 @@ include portal/Makefile.am.inc
 include system-helper/Makefile.am.inc
 include icon-validator/Makefile.am.inc
 include revokefs/Makefile.am.inc
+include selinux/Makefile.am.inc
 include tests/Makefile.am.inc
 
 if !WITH_SYSTEM_DBUS_PROXY
diff --git a/configure.ac b/configure.ac
index ca49ceb1..f01afc7e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -236,6 +236,17 @@ AS_IF([ test x$have_gpgme = xno ], [
 AC_MSG_ERROR([Need GPGME_PTHREAD version $LIBGPGME_DEPENDENCY or later])
 ])
 
+AC_ARG_ENABLE(selinux-module,
+ [AS_HELP_STRING([--enable-selinux-module],[Enable selinux module for system-helper])],
+ enable_selinux_module=$enableval, enable_selinux_module=auto)
+if test x$enable_selinux_module = xauto ; then
+ AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [enable_selinux_module=yes], [enable_selinux_module=no])
+fi
+if test x$enable_selinux_module = xyes ; then
+ AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [], [AC_MSG_ERROR([selinux-policy-devel needed to build selinux module])])
+fi
+AM_CONDITIONAL(BUILD_SELINUX_MODULE, test x$enable_selinux_module = xyes)
+
 AC_ARG_ENABLE([system-helper],
 AC_HELP_STRING([--disable-system-helper],
 [Disable system helper]),
@@ -506,6 +517,7 @@ echo " Flatpak $FLATPAK_VERSION"
 echo " ============="
 echo ""
 echo " Build system helper: $enable_system_helper"
+echo " Build selinux module: $enable_selinux_module"
 echo " Build bubblewrap: $build_bwrap"
 echo " Build dbus-proxy: $build_dbus_proxy"
 echo " Use sandboxed triggers: $enable_sandboxed_triggers"
diff --git a/selinux/Makefile.am.inc b/selinux/Makefile.am.inc
new file mode 100644
index 00000000..d3580dde
--- /dev/null
+++ b/selinux/Makefile.am.inc
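Review bot: In the `auto` branch the `AC_CHECK_FILE` probe aborts configure outright when cross-compiling (autoconf's AC_CHECK_FILE refuses to test for file existence with `cross_compiling=yes`), so a cross build now fails at configure time instead of quietly leaving the module disabled, which is what `auto` is meant to do. Guard the probe, e.g. `AS_IF([test "$cross_compiling" = yes], [enable_selinux_module=no], [AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [enable_selinux_module=yes], [enable_selinux_module=no])])`; the explicit `--enable-selinux-module` case can keep the hard failure since the user asked for it. The second `AC_CHECK_FILE` under `xyes` is answered from the cache after the first, so it is redundant rather than harmful, but the path is hard-coded a third time in selinux/Makefile.am.inc; an `AC_SUBST`ed variable set here (name illustrative, e.g. `SELINUX_DEVEL_MAKEFILE`) would keep configure and the recipe in sync and let packagers point at a non-default policy-devel location.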
@@ -0,0 +1,24 @@
+selinux_moduledir = ${datadir}/selinux/packages
+selinux_module_DATA = $(NULL)
+
+selinux_develdir = ${datadir}/selinux/devel/include/contrib
+selinux_devel_DATA = $(NULL)
+
+flatpak.pp.bz2: selinux/flatpak.te selinux/flatpak.fc
+ $(eval TMP := $(shell mktemp -d selinux-build-XXXXXX))
+ cp $^ $(TMP)/
+ cd $(TMP) && make -f /usr/share/selinux/devel/Makefile flatpak.pp
+ bzip2 -9 $(TMP)/flatpak.pp
+ cp $(TMP)/flatpak.pp.bz2 .
+ rm -rf $(TMP)
+
+if BUILD_SELINUX_MODULE
+selinux_module_DATA += flatpak.pp.bz2
+selinux_devel_DATA += selinux/flatpak.if
+endif
+
+EXTRA_DIST += \
+ selinux/flatpak.te \
+ selinux/flatpak.fc \
+ selinux/flatpak.if \
+ $(NULL)
diff --git a/selinux/flatpak.fc b/selinux/flatpak.fc
new file mode 100644
index 00000000..dc5b3bf8
--- /dev/null
+++ b/selinux/flatpak.fc
@@ -0,0 +1 @@
+/usr/libexec/flatpak-system-helper -- gen_context(system_u:object_r:flatpak_helper_exec_t,s0)
diff --git a/selinux/flatpak.if b/selinux/flatpak.if
new file mode 100644
index 00000000..3eb6a305
--- /dev/null
+++ b/selinux/flatpak.if
@@ -0,0 +1 @@
+##
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
new file mode 100644
index 00000000..74bf8452
--- /dev/null
+++ b/selinux/flatpak.te
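Review bot: The `flatpak.pp.bz2` recipe leaks its scratch directory on failure and can write outside it: `$(eval TMP := $(shell mktemp -d ...))` runs when the recipe is expanded (even under `make -n`), nothing checks that mktemp succeeded, so an empty `TMP` turns `cp $^ $(TMP)/` into a copy into `/`, and because every recipe line is its own shell the final `rm -rf $(TMP)` never runs when the inner build or bzip2 fails. The inner `make` should be `$(MAKE)` so the jobserver and `-n` propagate, and the built module is never removed by `make clean` — if Makefile.am initialises `CLEANFILES`, add `CLEANFILES += flatpak.pp.bz2`. Automake may also flag `$(eval` and `$(shell` as GNU make extensions; doing the whole thing in one shell command sidesteps the make-level variable and the warning. The rewritten recipe is below; the rule header, the DATA conditional and EXTRA_DIST are unchanged.
```make
flatpak.pp.bz2: selinux/flatpak.te selinux/flatpak.fc
	tmp=$$(mktemp -d selinux-build-XXXXXX) || exit 1; \
	{ cp $^ "$$tmp"/ \
	  && (cd "$$tmp" && $(MAKE) -f /usr/share/selinux/devel/Makefile flatpak.pp) \
	  && bzip2 -9 "$$tmp"/flatpak.pp \
	  && mv -f "$$tmp"/flatpak.pp.bz2 $@; }; \
	status=$$?; rm -rf "$$tmp"; exit $$status
# … unchanged: BUILD_SELINUX_MODULE conditional and EXTRA_DIST …
```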
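Review bot: The file context hard-codes `/usr/libexec/flatpak-system-helper`, while the helper's install path presumably follows configure's `libexecdir` (its Makefile.am.inc is not visible here); on a build with another prefix or libexecdir the binary never receives `flatpak_helper_exec_t`, no domain transition happens, and the helper silently keeps running in the old domain — exactly the case this module exists to fix, with no build-time or install-time error. Consider generating the file from a `flatpak.fc.in` with `@libexecdir@` substituted by configure and feeding the generated file to the `.pp` build instead of the source copy. Failing that, a comment stating the assumption, `# Must match the installed path of flatpak-system-helper (libexecdir)`, would at least warn packagers who relocate it.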
@@ -0,0 +1,27 @@
+policy_module(flatpak, 0.0.1)
+
+# The flatpak-system helper used to be a regular unconfined_service_t
+# but this failed because it was not allowed to pass a unix socket fd
+# over dbus-daemon. This module fixes that by creating an unconfined
+# domain with some additional dbus permissions.
+
+# I did try to make the domain confined, but it needs a lot of
+# permissions and my selinux-foo just isn't good enough.
+
+type flatpak_helper_t;
+type flatpak_helper_exec_t;
+init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+
+unconfined_domain(flatpak_helper_t)
+
+optional_policy(`
+ dbus_stub()
+ dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
+
+ # Allow passing the revokefs socket over dbus
+ allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+optional_policy(`
+ policykit_dbus_chat(flatpak_helper_t)
+')
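Review bot: The header comment explains why the domain exists but not why explicit rules are still needed on a domain that is `unconfined_domain()`, so a reader may take the two `optional_policy` blocks for redundant. As far as I can tell they grant permissions to the peers rather than to the helper — `system_dbusd_t` on the helper's unix stream sockets, and `policykit_t` for dbus chat in the other direction — which unconfining `flatpak_helper_t` itself does not provide; a comment above the first block such as `# unconfined_domain() only covers what flatpak_helper_t may do; the rules below grant the peers (dbus-daemon, polkit) access to it` would make that explicit. The `allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;` rule is also broader than its comment suggests — it covers every unix stream socket the helper owns, not only the revokefs one — so if that breadth is intended the comment should say so.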