diff --git a/policy/modules/contrib/flatpak-sandbox.fc b/policy/modules/contrib/flatpak-sandbox.fc
new file mode 100644
index 0000000000..e08c9d49df
--- /dev/null
+++ b/policy/modules/contrib/flatpak-sandbox.fc
@@ -0,0 +1,21 @@
+/usr/bin/flatpak -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-bisect -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-coredumpctl -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-oci-authenticator -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-portal -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-session-helper -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-validate-icon -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/revokefs-fuse -- gen_context(system_u:object_r:flatpak_exec_t,s0)
+
+/var/lib/flatpak(/.*)? gen_context(system_u:object_r:flatpak_var_lib_t,s0)
+HOME_DIR/\.local/share/flatpak(/.*)? gen_context(system_u:object_r:flatpak_data_home_t,s0)
+/root/\.local/share/flatpak(/.*)? gen_context(system_u:object_r:flatpak_data_home_t,s0)
+HOME_DIR/\.cache/flatpak(/.*)? gen_context(system_u:object_r:flatpak_cache_home_t,s0)
+/root/\.cache/flatpak(/.*)? gen_context(system_u:object_r:flatpak_cache_home_t,s0)
+HOME_DIR/\.var(/.*)? gen_context(system_u:object_r:var_home_t,s0)
+/root/\.var(/.*)? gen_context(system_u:object_r:var_home_t,s0)
+HOME_DIR/\.var/app(/.*)? gen_context(system_u:object_r:flatpak_var_home_t,s0)
+/root/\.var/app(/.*)? gen_context(system_u:object_r:flatpak_var_home_t,s0)
+/run/user/%{USERID}/app(/.*)? gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
+/run/user/%{USERID}/\.flatpak(/.*)? gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
+/run/user/%{USERID}/\.flatpak-helper(/.*)? gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
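Review bot: All eight executables in this file, from the `flatpak` CLI to `flatpak-validate-icon` and `revokefs-fuse`, receive the single entrypoint type `flatpak_exec_t`. Each of them therefore enters the same `$1_flatpak_t` domain through `flatpak_domtrans` and inherits the whole `flatpak_domain` rule set in flatpak-sandbox.te, including `capability sys_admin` and the mount permissions. If that is intentional, say so in a comment above the first entry, e.g. `# All flatpak helpers share one entrypoint type and run in the caller's <prefix>_flatpak_t domain.` Otherwise, helpers that need only a subset of those permissions (the icon validator looks like a candidate, judging by its name) would be better confined with their own exec type.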
diff --git a/policy/modules/contrib/flatpak-sandbox.if b/policy/modules/contrib/flatpak-sandbox.if
new file mode 100644
index 0000000000..7a41983034
--- /dev/null
+++ b/policy/modules/contrib/flatpak-sandbox.if
@@ -0,0 +1,297 @@
+## flatpak packaging system
+
+########################################
+##
+## Allow role to run flatpak from the given domain, transitioning to a given domain.
+##
+##
+##
+## The prefix of the domain (e.g., user is the prefix for user_t).
+##
+##
+##
+##
+## Role (or role attribute) allowed access.
+##
+##
+##
+##
+## Domain to transition from.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+#
+template(`flatpak_role_template',`
+ gen_require(`
+ attribute_role flatpak_roles;
+ type flatpak_exec_t;
+ type flatpak_tmpfs_t;
+ type flatpak_var_lib_t;
+ type flatpak_data_home_t;
+ type flatpak_var_home_t;
+ ')
+
+ type $1_flatpak_t;
+ role $2 types $1_flatpak_t;
+ roleattribute $2 flatpak_roles;
+
+ userdom_user_application_domain($1_flatpak_t, flatpak_exec_t)
+ domain_entry_file($4, flatpak_var_lib_t)
+ domain_entry_file($4, flatpak_data_home_t)
+ domain_entry_file($4, flatpak_var_home_t)
+ flatpak_domtrans($3, $1_flatpak_t)
+ flatpak_generic_app_domtrans($1_flatpak_t, $4)
+
+ allow $3 $1_flatpak_t:process { signal_perms getpgid };
+ tunable_policy(`deny_ptrace',`',`
+ allow $3 $1_flatpak_t:process ptrace;
+ ')
+ allow $3 $1_flatpak_t:file rw_file_perms;
+
+ allow $4 $1_flatpak_t:process signal_perms;
+ allow $4 $1_flatpak_t:unix_stream_socket { server_stream_socket_perms connectto };
+
+ allow $1_flatpak_t $4:process { signal_perms noatsecure siginh rlimitinh };
+ allow $1_flatpak_t $4:process2 { nnp_transition nosuid_transition };
+
+ kernel_read_system_state($1_flatpak_t)
+ logging_send_syslog_msg($1_flatpak_t)
+
+ read_files_pattern($3, $1_flatpak_t, $1_flatpak_t)
+ rw_fifo_files_pattern($1_flatpak_t, $3, $3)
+
+ mmap_rw_files_pattern($4, flatpak_tmpfs_t, flatpak_tmpfs_t)
+ read_files_pattern($4, $1_flatpak_t, $1_flatpak_t)
+ write_fifo_files_pattern($4, $1_flatpak_t, $1_flatpak_t)
+
+ flatpak_exec_apps($4)
+')
+
+########################################
+##
+## Allow user domain to run flatpaks.
+##
+##
+##
+## The prefix of the user domain (e.g., user is the prefix for user_t).
+##
+##
+#
+template(`flatpak_user_template',`
+ gen_require(`
+ role $1_r;
+ type $1_t;
+ ')
+
+ flatpak_role_template($1, $1_r, $1_t, $1_t)
+')
+
+########################################
+##
+## Execute flatpak in a provided domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Flatpak domain to transition to.
+##
+##
+#
+interface(`flatpak_domtrans',`
+ gen_require(`
+ type flatpak_exec_t;
+ attribute flatpak_domain;
+ ')
+ typeattribute $2 flatpak_domain;
+ domtrans_pattern($1, flatpak_exec_t, $2)
+')
+
+########################################
+##
+## Execute generic flatpak apps and runtimes in a provided domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+#
+interface(`flatpak_generic_app_domtrans',`
+ gen_require(`
+ attribute flatpak_generic_app_exec_type;
+ ')
+ domtrans_pattern($1, flatpak_generic_app_exec_type, $2)
+')
+
+########################################
+##
+## Execute flatpak in a provided domain, with generic flatpak apps
+## transitioning back to the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Flatpak domain to transition to.
+##
+##
+#
+interface(`flatpak_generic_domtrans',`
+ gen_require(`
+ attribute flatpak_generic_app_exec_type;
+ ')
+ flatpak_domtrans($1, $2)
+ # Only apply this to generic flatpak app exec types to make it possible to
+ # apply app-specific confinement with a transition to a different domain.
+ flatpak_generic_app_domtrans($2, $1)
+')
+
+########################################
+##
+## Allow domain to read flatpak applications and runtimes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`flatpak_read_apps',`
+ gen_require(`
+ type flatpak_tmpfs_t;
+ attribute flatpak_lib_type;
+ ')
+ watch_dirs_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ list_dirs_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ read_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ read_lnk_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+
+ list_dirs_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+ read_files_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+ read_lnk_files_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+')
+
+########################################
+##
+## Allow domain to manage flatpak applications and runtimes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`flatpak_manage_apps',`
+ gen_require(`
+ attribute flatpak_lib_type;
+ ')
+ manage_dirs_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ manage_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ manage_lnk_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ mmap_rw_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+ list_dirs_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+')
+
+########################################
+##
+## Allow domain to execute flatpak app and runtime files without a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`flatpak_exec_apps',`
+ gen_require(`
+ attribute flatpak_app_exec_type;
+ ')
+ exec_files_pattern($1, flatpak_app_exec_type, flatpak_app_exec_type)
+')
+
+########################################
+##
+## Create objects in a flatpak system app directory with an automatic type
+## transition to a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`flatpak_var_lib_filetrans',`
+ gen_require(`
+ type flatpak_var_lib_t;
+ ')
+
+ allow $1 flatpak_var_lib_t:dir search_dir_perms;
+ filetrans_pattern($1, flatpak_var_lib_t, $2, $3, $4)
+')
+
+########################################
+##
+## Create objects in a flatpak user app directory with an automatic type
+## transition to a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`flatpak_data_home_filetrans',`
+ gen_require(`
+ type flatpak_data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 flatpak_data_home_t:dir search_dir_perms;
+ filetrans_pattern($1, flatpak_data_home_t, $2, $3, $4)
+')
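Review bot: `flatpak_manage_apps` references `flatpak_tmpfs_t` in its last rule, `list_dirs_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)`, but its `gen_require` block lists only `attribute flatpak_lib_type;`. The role modules later in this patch call the interface from other modules, where the type is out of scope unless required, so a modular build is likely to reject it. Add `type flatpak_tmpfs_t;` to that `gen_require`, as `flatpak_read_apps` already does.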
diff --git a/policy/modules/contrib/flatpak-sandbox.te b/policy/modules/contrib/flatpak-sandbox.te
new file mode 100644
index 0000000000..173d48863b
--- /dev/null
+++ b/policy/modules/contrib/flatpak-sandbox.te
@@ -0,0 +1,270 @@
+policy_module(flatpak-sandbox, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role flatpak_roles;
+
+attribute flatpak_domain;
+attribute flatpak_lib_type;
+attribute flatpak_app_exec_type;
+attribute flatpak_generic_app_exec_type;
+
+type flatpak_exec_t;
+application_type(flatpak_exec_t)
+
+type flatpak_var_lib_t, flatpak_lib_type, flatpak_app_exec_type, flatpak_generic_app_exec_type;
+files_type(flatpak_var_lib_t)
+
+type flatpak_data_home_t, flatpak_lib_type, flatpak_app_exec_type, flatpak_generic_app_exec_type;
+userdom_user_home_content(flatpak_data_home_t)
+
+type flatpak_cache_home_t;
+userdom_user_home_content(flatpak_cache_home_t)
+
+type flatpak_tmpfs_t;
+files_tmpfs_file(flatpak_tmpfs_t)
+
+type var_home_t;
+userdom_user_home_content(var_home_t)
+
+type flatpak_var_home_t, flatpak_app_exec_type, flatpak_generic_app_exec_type;
+userdom_user_home_content(flatpak_var_home_t)
+
+type flatpak_user_tmp_t;
+userdom_user_tmp_content(flatpak_user_tmp_t)
+
+
+########################################
+#
+# Local policy rules
+#
+
+allow flatpak_domain self:process { ptrace setcap setsched };
+allow flatpak_domain self:user_namespace create;
+# Necessary to allow mounting and unmounting FUSE filesystems via fusermount.
+allow flatpak_domain self:capability sys_admin;
+# This grants capabilities only inside the user namespaces managed by flatpak;
+# flatpak itself still runs as an unprivileged user process. See the section on
+# capabilities in user_namespace(7) for details.
+allow flatpak_domain self:cap_userns { dac_override dac_read_search net_admin setgid setpcap setuid sys_admin sys_chroot sys_ptrace sys_resource };
+allow flatpak_domain self:socket_class_set create_socket_perms;
+allow flatpak_domain self:netlink_route_socket nlmsg_write;
+
+allow flatpak_domain flatpak_domain:dbus send_msg;
+allow flatpak_domain flatpak_domain:process signal_perms;
+allow flatpak_domain flatpak_domain:unix_stream_socket connectto;
+
+can_exec(flatpak_domain, flatpak_exec_t)
+
+filetrans_pattern(domain, var_home_t, flatpak_var_home_t, dir, "app")
+filetrans_pattern(flatpak_domain, var_home_t, flatpak_var_home_t, dir)
+create_dirs_pattern(flatpak_domain, var_home_t, var_home_t)
+create_dirs_pattern(flatpak_domain, var_home_t, flatpak_var_home_t)
+
+manage_dirs_pattern(flatpak_domain, flatpak_lib_type, flatpak_lib_type)
+manage_files_pattern(flatpak_domain, flatpak_lib_type, flatpak_lib_type)
+manage_lnk_files_pattern(flatpak_domain, flatpak_lib_type, flatpak_lib_type)
+mmap_rw_files_pattern(flatpak_domain, flatpak_lib_type, flatpak_lib_type)
+
+manage_dirs_pattern(flatpak_domain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+manage_files_pattern(flatpak_domain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+manage_lnk_files_pattern(flatpak_domain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+mmap_rw_files_pattern(flatpak_domain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+
+manage_dirs_pattern(flatpak_domain, flatpak_cache_home_t, flatpak_cache_home_t)
+manage_files_pattern(flatpak_domain, flatpak_cache_home_t, flatpak_cache_home_t)
+manage_lnk_files_pattern(flatpak_domain, flatpak_cache_home_t, flatpak_cache_home_t)
+mmap_rw_files_pattern(flatpak_domain, flatpak_cache_home_t, flatpak_cache_home_t)
+
+manage_dirs_pattern(flatpak_domain, flatpak_var_home_t, flatpak_var_home_t)
+manage_files_pattern(flatpak_domain, flatpak_var_home_t, flatpak_var_home_t)
+manage_lnk_files_pattern(flatpak_domain, flatpak_var_home_t, flatpak_var_home_t)
+
+manage_dirs_pattern(flatpak_domain, flatpak_user_tmp_t, flatpak_user_tmp_t)
+manage_files_pattern(flatpak_domain, flatpak_user_tmp_t, flatpak_user_tmp_t)
+manage_lnk_files_pattern(flatpak_domain, flatpak_user_tmp_t, flatpak_user_tmp_t)
+manage_sock_files_pattern(flatpak_domain, flatpak_user_tmp_t, flatpak_user_tmp_t)
+mmap_rw_files_pattern(flatpak_domain, flatpak_user_tmp_t, flatpak_user_tmp_t)
+
+gen_require(`
+ attribute userdomain;
+')
+
+allow flatpak_domain userdomain:system start;
+
+manage_dirs_pattern(userdomain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+manage_files_pattern(userdomain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+manage_lnk_files_pattern(userdomain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+mmap_rw_files_pattern(userdomain, flatpak_tmpfs_t, flatpak_tmpfs_t)
+
+kernel_rw_all_sysctls(flatpak_domain)
+
+corecmd_exec_bin(flatpak_domain)
+corecmd_watch_bin_dirs(flatpak_domain)
+
+corenet_tcp_connect_http_cache_port(flatpak_domain)
+corenet_tcp_connect_http_port(flatpak_domain)
+corenet_tcp_connect_pki_ca_port(flatpak_domain)
+
+dev_read_sysfs(flatpak_domain)
+dev_rw_dma_dev(flatpak_domain)
+dev_getattr_fs(flatpak_domain)
+
+files_list_home(flatpak_domain)
+files_read_usr_files(flatpak_domain)
+files_read_etc_files(flatpak_domain)
+files_read_etc_runtime_files(flatpak_domain)
+files_watch_etc_dirs(flatpak_domain)
+files_getattr_all_dirs(flatpak_domain)
+files_watch_root_dirs(flatpak_domain)
+files_watch_usr_dirs(flatpak_domain)
+files_read_var_lib_files(flatpak_domain)
+files_manage_generic_tmp_dirs(flatpak_domain)
+files_manage_generic_tmp_files(flatpak_domain)
+files_rw_generic_tmp_sockets(flatpak_domain)
+files_mounton_non_security(flatpak_domain)
+files_var_lib_filetrans(domain, flatpak_var_lib_t, dir, "flatpak")
+files_var_lib_filetrans(flatpak_domain, flatpak_var_lib_t, { dir fifo_file file lnk_file sock_file })
+files_tmp_filetrans(flatpak_domain, flatpak_tmpfs_t, { dir fifo_file file lnk_file sock_file })
+
+fs_getattr_all_fs(flatpak_domain)
+fs_manage_fusefs_dirs(flatpak_domain)
+fs_manage_fusefs_files(flatpak_domain)
+fs_manage_fusefs_symlinks(flatpak_domain)
+fs_mmap_fusefs_files(flatpak_domain)
+fs_mount_all_fs(flatpak_domain)
+fs_read_nsfs_files(flatpak_domain)
+fs_remount_all_fs(flatpak_domain)
+fs_tmpfs_filetrans(flatpak_domain, flatpak_tmpfs_t, { dir fifo_file file lnk_file sock_file })
+fs_unmount_all_fs(flatpak_domain)
+
+storage_rw_fuse(flatpak_domain)
+
+term_use_generic_ptys(flatpak_domain)
+
+auth_read_passwd(flatpak_domain)
+
+miscfiles_read_all_certs(flatpak_domain)
+miscfiles_watch_localization_dirs(flatpak_domain)
+
+mount_exec_fusermount(flatpak_domain)
+
+sysnet_dns_name_resolve(flatpak_domain)
+
+userdom_connectto_stream(flatpak_domain)
+userdom_create_user_home_dirs(flatpak_domain)
+userdom_dbus_send_all_users(flatpak_domain)
+userdom_list_user_home_dirs(flatpak_domain)
+userdom_manage_home_certs(flatpak_domain)
+userdom_manage_user_tmp_dirs(flatpak_domain)
+userdom_read_user_home_content_files(flatpak_domain)
+userdom_read_user_home_content_symlinks(flatpak_domain)
+userdom_rw_stream(flatpak_domain)
+userdom_rw_user_tmp_sock_files(flatpak_domain)
+userdom_use_user_terminals(flatpak_domain)
+userdom_user_home_dir_filetrans(domain, var_home_t, dir, ".var")
+userdom_user_tmp_filetrans(flatpak_domain, flatpak_user_tmp_t, { dir fifo_file file lnk_file sock_file })
+
+optional_policy(`
+ gen_require(`
+ type init_t;
+ ')
+ init_stream_connectto(flatpak_domain)
+ exec_files_pattern(init_t, flatpak_exec_t, flatpak_exec_t)
+ flatpak_manage_apps(init_t)
+')
+
+optional_policy(`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ list_dirs_pattern(session_bus_type, flatpak_lib_type, flatpak_lib_type)
+ read_files_pattern(session_bus_type, flatpak_lib_type, flatpak_lib_type)
+ read_lnk_files_pattern(session_bus_type, flatpak_lib_type, flatpak_lib_type)
+ watch_dirs_pattern(session_bus_type, flatpak_lib_type, flatpak_lib_type)
+
+ list_dirs_pattern(session_bus_type, flatpak_var_home_t, flatpak_var_home_t)
+ rw_files_pattern(session_bus_type, flatpak_var_home_t, flatpak_var_home_t)
+')
+
+optional_policy(`
+ accountsd_dbus_chat(flatpak_domain)
+')
+
+optional_policy(`
+ bluetooth_dbus_chat(flatpak_domain)
+')
+
+optional_policy(`
+ cups_stream_connect(flatpak_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(flatpak_domain)
+ dbus_session_bus_client(flatpak_domain)
+ dbus_connect_session_bus(flatpak_domain)
+ dbus_write_session_tmp_sock_files(flatpak_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ type flatpak_helper_t;
+ ')
+ allow flatpak_domain flatpak_helper_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+optional_policy(`
+ gnome_manage_home_config(flatpak_domain)
+ gnome_map_generic_data_home_files(flatpak_domain)
+ gnome_read_generic_data_home_files(flatpak_domain)
+ gnome_watch_generic_data_home_dirs(flatpak_domain)
+ gnome_watch_home_config_dirs(flatpak_domain)
+ gnome_write_generic_cache_files(flatpak_domain)
+ gnome_data_filetrans(flatpak_domain, flatpak_data_home_t, { dir fifo_file file lnk_file sock_file })
+ gnome_cache_filetrans(flatpak_domain, flatpak_cache_home_t, { dir fifo_file file lnk_file sock_file })
+')
+
+optional_policy(`
+ gpg_exec(flatpak_domain)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(flatpak_domain)
+')
+
+optional_policy(`
+ pcscd_stream_connect(flatpak_domain)
+')
+
+optional_policy(`
+ policykit_dbus_chat(flatpak_domain)
+')
+
+optional_policy(`
+ rtkit_scheduled(flatpak_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ type ssh_agent_tmp_t;
+ ')
+ allow flatpak_domain ssh_agent_tmp_t:sock_file getattr;
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(flatpak_domain)
+ systemd_dbus_chat_localed(flatpak_domain)
+ systemd_machined_stream_connect(flatpak_domain)
+ systemd_resolved_read_pid(flatpak_domain)
+ systemd_resolved_watch_pid_dirs(flatpak_domain)
+ systemd_userdbd_stream_connect(flatpak_domain)
+ systemd_write_inhibit_pipes(flatpak_domain)
+')
+
+optional_policy(`
+ systemd_homed_stream_connect(flatpak_domain)
+')
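Review bot: Three rules in the local policy section use the `domain` attribute as their source: `filetrans_pattern(domain, var_home_t, flatpak_var_home_t, dir, "app")`, `files_var_lib_filetrans(domain, flatpak_var_lib_t, dir, "flatpak")` and `userdom_user_home_dir_filetrans(domain, var_home_t, dir, ".var")`. In refpolicy-style support macros, `filetrans_pattern` also emits an allow rule for `rw_dir_perms` on the parent directory type (the macro definitions are not part of this patch, so please confirm). If so, every confined domain gains write access to the `/var/lib` directory, user home directories and `~/.var`, not just a naming rule. `domain` is also not listed in any `gen_require` in this file. Scoping the source to the domains that actually create these directories, e.g. `userdom_user_home_dir_filetrans(userdomain, var_home_t, dir, ".var")` with a second rule for `flatpak_domain`, keeps the labelling without the system-wide grant.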
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 5fcb941e9a..e84530fa5b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -167,6 +167,11 @@ optional_policy(`
firewallgui_dbus_chat(staff_t)
')
+optional_policy(`
+ flatpak_manage_apps(staff_t)
+ flatpak_user_template(staff)
+')
+
optional_policy(`
freqset_run(staff_t, staff_r)
')
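Review bot: `flatpak_manage_apps(staff_t)` gives the login domain manage and mmap-write access to every type carrying `flatpak_lib_type`. In flatpak-sandbox.te that attribute is on `flatpak_var_lib_t` (the system-wide `/var/lib/flatpak` tree) as well as `flatpak_data_home_t`. The same call is added for `user_t` in unprivuser.te, and for `sysadm_t` and `unconfined_t` in their role modules. For the confined user roles, `flatpak_read_apps(staff_t)` plus manage access limited to `flatpak_data_home_t` would keep the system installation read-only at the MAC layer. The `$1_flatpak_t` helper domain already gets manage access through the `flatpak_domain` rules, so the login domain may not need it; worth confirming against the denials that motivated the call.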
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 63e9ef38bf..f7aa1d3b15 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -303,6 +303,11 @@ optional_policy(`
firewalld_dbus_chat(sysadm_t)
')
+optional_policy(`
+ flatpak_manage_apps(sysadm_t)
+ flatpak_user_template(sysadm)
+')
+
optional_policy(`
fstools_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index c2bf011ace..2438ca2385 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -312,6 +312,11 @@ optional_policy(`
firstboot_run(unconfined_t, unconfined_r)
')
+optional_policy(`
+ flatpak_manage_apps(unconfined_t)
+ flatpak_user_template(unconfined)
+')
+
optional_policy(`
fsadm_manage_pid(unconfined_t)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 3f5b95e877..e101b7c919 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -83,6 +83,11 @@ optional_policy(`
dirsrv_stream_connect(user_t)
')
+optional_policy(`
+ flatpak_manage_apps(user_t)
+ flatpak_user_template(user)
+')
+
optional_policy(`
fwupd_dbus_chat(user_t)
')