@HastD HastD commented Sep 15, 2025

Currently flatpak is not compatible with SELinux confined users: the flatpak executable does not have the necessary permissions to create the sandbox. This policy solves this by confining the flatpak program itself (and the helper programs it calls, such as bwrap) in an application domain with the necessary permissions, which transitions back into the user domain to run the sandboxed flatpak application.

For example, if a staff_u user runs a flatpak application from the user domain staff_t, flatpak will run in staff_flatpak_t, while the app will run in staff_t.

The policy also includes more fine-grained labeling for flatpak app library files, data files, cache files, and temporary files.

A couple of logistical notes:

  • The policy module is named "flatpak-sandbox" rather than just "flatpak" because flatpak itself ships with a policy module called "flatpak", which is used to grant a few extra permissions to flatpak-system-helper, and we don't want to accidentally override that policy.
  • This PR does not include Trivalent-Flatpak integration; I figure that should be part of the Trivalent policy, which in any case will need to be revised to work with confined users.
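As an added sketch (not the flatpak-sandbox module from this PR, and not the project's own source), here is a refpolicy-style template for the two transitions the description above talks about: the user domain enters the flatpak domain when it executes the flatpak binary, and that domain returns to the user domain when bwrap executes the application. Everything beyond the names in the description is assumed: `flatpak_exec_t` is taken to be the label of the flatpak binary, `flatpak_app_exec_t` is a hypothetical label for the application entry point inside the sandbox, and `application_domain`, `domtrans_pattern` and `corecmd_exec_bin` are the standard refpolicy macros. The template is invoked at the bottom for the `staff_u` case.

```m4
# Added illustration, not the policy from this PR.
# Assumed types: flatpak_exec_t (the flatpak binary); flatpak_app_exec_t is a
# hypothetical label for the app entry point that bwrap executes in the sandbox.

template(`flatpak_sandbox_role_template',`
	gen_require(`
		type flatpak_exec_t;
		type flatpak_app_exec_t;
	')

	# Derived application domain, e.g. staff_flatpak_t for the "staff" prefix ($1)
	type $1_flatpak_t;
	application_domain($1_flatpak_t, flatpak_exec_t)
	role $2 types $1_flatpak_t;

	# User domain ($3, e.g. staff_t) executes flatpak -> enters $1_flatpak_t.
	# domtrans_pattern also grants fd use, fifo access and sigchld back to $3.
	domtrans_pattern($3, flatpak_exec_t, $1_flatpak_t)

	# Helpers such as bwrap are ordinary bin_t executables and stay in $1_flatpak_t.
	corecmd_exec_bin($1_flatpak_t)

	# bwrap executes the app entry point -> transitions back into the user domain $3,
	# so the sandboxed application itself runs unprivileged in $3.
	domtrans_pattern($1_flatpak_t, flatpak_app_exec_t, $3)

	# Let the user domain stop or kill a stuck flatpak/bwrap process.
	allow $3 $1_flatpak_t:process { signal sigkill sigstop };
')

# The staff_u example from the description: staff_t -> staff_flatpak_t -> staff_t
flatpak_sandbox_role_template(staff, staff_r, staff_t)
```

With a policy of this shape loaded, `ps -eZ` on a host running a flatpak app should show `flatpak` and `bwrap` in `staff_flatpak_t` and the application process back in `staff_t`; `sesearch -T -s staff_t -t flatpak_exec_t -c process` should list the first transition and `sesearch -T -s staff_flatpak_t -c process` the second.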

HastD added 4 commits October 31, 2025 20:10
Currently flatpak is not compatible with SELinux confined users: the
flatpak executable does not have the necessary permissions to create the
sandbox. This policy solves this by confining the flatpak program itself
(and the helper programs it calls, such as bwrap) in an application
domain with the necessary permissions, which transitions back into the
user domain to run the sandboxed flatpak application.

For example, if a `staff_u` user runs a flatpak application from the
user domain `staff_t`, flatpak will run in `staff_flatpak_t`, while
the app will run in `staff_t`.

The policy also includes more fine-grained labeling for flatpak app
library files, data files, cache files, and temporary files.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>

Fixes denials that newly show up with this policy in Fedora 43.