flatpak/selinux/flatpak.te

policy_module(flatpak, 0.0.1)

# The flatpak-system helper used to be a regular unconfined_service_t
# but this failed because it was not allowed to pass a unix socket fd
# over dbus-daemon. This module fixes that by creating an unconfined
# domain with some additional dbus permissions.

# I did try to make the domain confined, but it needs a lot of
# permissions and my selinux-foo just isn't good enough.

type flatpak_helper_t;
type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)

auth_read_passwd(flatpak_helper_t)
files_list_var_lib(flatpak_helper_t)
files_read_var_lib_files(flatpak_helper_t)
files_read_var_lib_symlinks(flatpak_helper_t)

ifdef(`corecmd_watch_bin_dirs',`
    corecmd_watch_bin_dirs(flatpak_helper_t)
')

optional_policy(`
    dbus_stub()
    dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)

    # Allow passing the revokefs socket over dbus
    allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
')

optional_policy(`
   policykit_dbus_chat(flatpak_helper_t)
')

optional_policy(`
   systemd_userdbd_stream_connect(flatpak_helper_t)
')

optional_policy(`                   
    unconfined_domain(flatpak_helper_t)
')