feat: add flatpak policy #1
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
secureblue-bot
force-pushed
the
f42-secureblue
branch
from
a79c23f to
09778e1
Compare
secureblue-bot
force-pushed
the
f42-secureblue
branch
from
09778e1 to
37e7bbf
Compare
HastD
force-pushed
the
flatpak
branch
2 times, most recently
from
3791472 to
92fe350
Compare
This workflow runs the following steps daily: * Pull tags from upstream; * Rebase the default branch onto the latest tag for the current Fedora version; * Push the changes to the default branch, including tags. If the rebase encounters conflicts, the job will abort and conflicts will need to be resolved manually. Signed-off-by: Daniel Hast <[email protected]>
This makes the action sync the repo with the upstream tag that the selinux-policy RPM spec for the current Fedora version uses, not the most recent tag (which is often only on rawhide, not stable). Signed-off-by: Daniel Hast <[email protected]>
Extract the commit hash from the selinux-policy RPM spec for the current Fedora version and use that as the base for the rebase. This ensures that the upstream sync works even if the commit isn't tagged. Signed-off-by: Daniel Hast <[email protected]>
e -> f Signed-off-by: Daniel Hast <[email protected]>
…ue#9) * ci: push merged lightweight tags in sync workflow Since `--follow-tags` only pushes annotated tags, we need to separately list merged tags and push them by name. Signed-off-by: Daniel Hast <[email protected]> * ci: skip unnecessary rebases in sync workflow If the commit we would rebase to is already present on the working branch, we skip the rebase since that means we wouldn't be pushing any new commits. --------- Signed-off-by: Daniel Hast <[email protected]>
* chore: add bot for rebasing * newbotmethod
secureblue-bot
force-pushed
the
f42-secureblue
branch
from
e46d04b to
6a429ff
Compare
Currently flatpak is not compatible with SELinux confined users: the flatpak executable does not have the necessary permissions to create the sandbox. This policy solves this by confining the flatpak program itself (and the helper programs it calls, such as bwrap) in an application domain with the necessary permissions, which transitions back into the user domain to run the sandboxed flatpak application. For example, if a `staff_u` user runs a flatpak application from the user domain `staff_t`, flatpak will run in `staff_flatpak_t`, while the app will run in `staff_t`. The policy also includes more fine-grained labeling for flatpak app library files, data files, cache files, and temporary files. Signed-off-by: Daniel Hast <[email protected]>
Fixes denials that newly show up with this policy in Fedora 43.
Fixes an AVC denial.
Also correctly mark them as templates rather than interfaces.
secureblue-bot
force-pushed
the
f42-secureblue
branch
from
6a429ff to
64199ab
Compare
secureblue-bot
force-pushed
the
f42-secureblue
branch
from
64199ab to
81dae83
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently flatpak is not compatible with SELinux confined users: the flatpak executable does not have the necessary permissions to create the sandbox. This policy solves this by confining the flatpak program itself (and the helper programs it calls, such as bwrap) in an application domain with the necessary permissions, which transitions back into the user domain to run the sandboxed flatpak application.
For example, if a
staff_uuser runs a flatpak application from the user domainstaff_t, flatpak will run instaff_flatpak_t, while the app will run instaff_t.The policy also includes more fine-grained labeling for flatpak app library files, data files, cache files, and temporary files.
A couple logistical notes:
flatpak-system-helper, and we don't want to accidentally override that policy.