mirror of
https://github.com/flatpak/flatpak.git
synced 2026-04-20 15:00:52 -04:00
669a5bf671
Fixed bug where disabling unconfined module fails because macro unconfined_domain(flatpak_helper_t) wasn't in optional_policy block
30 lines
903 B
Plaintext
30 lines
903 B
Plaintext
policy_module(flatpak, 0.0.1)
|
|
|
|
# The flatpak-system helper used to be a regular unconfined_service_t
|
|
# but this failed because it was not allowed to pass a unix socket fd
|
|
# over dbus-daemon. This module fixes that by creating an unconfined
|
|
# domain with some additional dbus permissions.
|
|
|
|
# I did try to make the domain confined, but it needs a lot of
|
|
# permissions and my selinux-foo just isn't good enough.
|
|
|
|
type flatpak_helper_t;
|
|
type flatpak_helper_exec_t;
|
|
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
|
|
|
optional_policy(`
|
|
dbus_stub()
|
|
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
|
|
|
# Allow passing the revokefs socket over dbus
|
|
allow system_dbusd_t flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
|
|
')
|
|
|
|
optional_policy(`
|
|
policykit_dbus_chat(flatpak_helper_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(flatpak_helper_t)
|
|
')
|