Skip to content

Comments

feat: add flatpak policy#1

Open
HastD wants to merge 8 commits intosecureblue:f42-securebluefrom
HastD:flatpak
Open

feat: add flatpak policy#1
HastD wants to merge 8 commits intosecureblue:f42-securebluefrom
HastD:flatpak

Conversation

@HastD
Copy link
Collaborator

@HastD HastD commented Sep 15, 2025

Currently flatpak is not compatible with SELinux confined users: the flatpak executable does not have the necessary permissions to create the sandbox. This policy solves this by confining the flatpak program itself (and the helper programs it calls, such as bwrap) in an application domain with the necessary permissions, which transitions back into the user domain to run the sandboxed flatpak application.

For example, if a staff_u user runs a flatpak application from the user domain staff_t, flatpak will run in staff_flatpak_t, while the app will run in staff_t.

The policy also includes more fine-grained labeling for flatpak app library files, data files, cache files, and temporary files.

A couple logistical notes:

  • The policy module is named "flatpak-sandbox" rather than just "flatpak" because flatpak itself ships with a policy module called "flatpak", which is used to grant a few extra permissions to flatpak-system-helper, and we don't want to accidentally override that policy.
  • This PR does not include Trivalent-Flatpak integration; I figure that should be part of the Trivalent policy, which in any case will need to be revised to work with confined users.

@HastD HastD force-pushed the flatpak branch 2 times, most recently from 3791472 to 92fe350 Compare October 19, 2025 17:16
@secureblue-bot secureblue-bot force-pushed the f42-secureblue branch 2 times, most recently from 64199ab to 81dae83 Compare November 20, 2025 20:15
@secureblue-bot secureblue-bot force-pushed the f42-secureblue branch 2 times, most recently from 5e06ed5 to 07d2f2e Compare December 3, 2025 03:22
HastD added 7 commits December 27, 2025 21:32
@HastD
feat: add flatpak policy
c51cd66 
Currently flatpak is not compatible with SELinux confined users: the
flatpak executable does not have the necessary permissions to create the
sandbox. This policy solves this by confining the flatpak program itself
(and the helper programs it calls, such as bwrap) in an application
domain with the necessary permissions, which transitions back into the
user domain to run the sandboxed flatpak application.

For example, if a `staff_u` user runs a flatpak application from the
user domain `staff_t`, flatpak will run in `staff_flatpak_t`, while
the app will run in `staff_t`.

The policy also includes more fine-grained labeling for flatpak app
library files, data files, cache files, and temporary files.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
@HastD
fix: add init_stream_connectto(flatpak_domain)
54afde1 
Fixes denials that newly show up with this policy in Fedora 43.
@HastD
fix: add term_use_generic_ptys for flatpak domain
51e121a 
Fixes an AVC denial.
@HastD
fix: add bluetooth_dbus_chat(flatpak_domain)
b745d6f
@HastD
feat: make flatpak templates more flexible
7bc8d87 
Also correctly mark them as templates rather than interfaces.
@HastD
fix: missing attribute_role declaration
ab0a0e0
@HastD
fix: allow reading home dir symlinks
24acb40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RoyalOughtness RoyalOughtness Awaiting requested review from RoyalOughtness RoyalOughtness is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HastD