secureblue · HastD · Sep 15, 2025 · Oct 17, 2025 · Oct 19, 2025 · Nov 1, 2025
@@ -0,0 +1,21 @@
+/usr/bin/flatpak			--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-bisect			--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-coredumpctl		--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-oci-authenticator	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-portal		--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-session-helper	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-validate-icon	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/revokefs-fuse		--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+
+/var/lib/flatpak(/.*)?				gen_context(system_u:object_r:flatpak_var_lib_t,s0)
+HOME_DIR/\.local/share/flatpak(/.*)?		gen_context(system_u:object_r:flatpak_data_home_t,s0)
+/root/\.local/share/flatpak(/.*)?		gen_context(system_u:object_r:flatpak_data_home_t,s0)
+HOME_DIR/\.cache/flatpak(/.*)?			gen_context(system_u:object_r:flatpak_cache_home_t,s0)
+/root/\.cache/flatpak(/.*)?			gen_context(system_u:object_r:flatpak_cache_home_t,s0)
+HOME_DIR/\.var(/.*)?				gen_context(system_u:object_r:var_home_t,s0)
+/root/\.var(/.*)?				gen_context(system_u:object_r:var_home_t,s0)
+HOME_DIR/\.var/app(/.*)?			gen_context(system_u:object_r:flatpak_var_home_t,s0)
+/root/\.var/app(/.*)?				gen_context(system_u:object_r:flatpak_var_home_t,s0)
+/run/user/%{USERID}/app(/.*)?			gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
+/run/user/%{USERID}/\.flatpak(/.*)?		gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
+/run/user/%{USERID}/\.flatpak-helper(/.*)?	gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
@@ -0,0 +1,297 @@
+## <summary>flatpak packaging system</summary>
+
+########################################
+## <summary>
+##	Allow role to run flatpak from the given domain, transitioning to a given domain.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role (or role attribute) allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+#
+template(`flatpak_role_template',`
+	gen_require(`
+		attribute_role flatpak_roles;
+		type flatpak_exec_t;
+		type flatpak_tmpfs_t;
+		type flatpak_var_lib_t;
+		type flatpak_data_home_t;
+		type flatpak_var_home_t;
+	')
+
+	type $1_flatpak_t;
+	role $2 types $1_flatpak_t;
+	roleattribute $2 flatpak_roles;
+
+	userdom_user_application_domain($1_flatpak_t, flatpak_exec_t)
+	domain_entry_file($4, flatpak_var_lib_t)
+	domain_entry_file($4, flatpak_data_home_t)
+	domain_entry_file($4, flatpak_var_home_t)
+	flatpak_domtrans($3, $1_flatpak_t)
+	flatpak_generic_app_domtrans($1_flatpak_t, $4)
+
+	allow $3 $1_flatpak_t:process { signal_perms getpgid };
+	tunable_policy(`deny_ptrace',`',`
+		allow $3 $1_flatpak_t:process ptrace;
+	')
+	allow $3 $1_flatpak_t:file rw_file_perms;
+
+	allow $4 $1_flatpak_t:process signal_perms;
+	allow $4 $1_flatpak_t:unix_stream_socket { server_stream_socket_perms connectto };
+
+	allow $1_flatpak_t $4:process { signal_perms noatsecure siginh rlimitinh };
+	allow $1_flatpak_t $4:process2 { nnp_transition nosuid_transition };
+
+	kernel_read_system_state($1_flatpak_t)
+	logging_send_syslog_msg($1_flatpak_t)
+
+	read_files_pattern($3, $1_flatpak_t, $1_flatpak_t)
+	rw_fifo_files_pattern($1_flatpak_t, $3, $3)
+
+	mmap_rw_files_pattern($4, flatpak_tmpfs_t, flatpak_tmpfs_t)
+	read_files_pattern($4, $1_flatpak_t, $1_flatpak_t)
+	write_fifo_files_pattern($4, $1_flatpak_t, $1_flatpak_t)
+
+	flatpak_exec_apps($4)
+')
+
+########################################
+## <summary>
+##	Allow user domain to run flatpaks.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`flatpak_user_template',`
+	gen_require(`
+		role $1_r;
+		type $1_t;
+	')
+
+	flatpak_role_template($1, $1_r, $1_t, $1_t)
+')
+
+########################################
+## <summary>
+##	Execute flatpak in a provided domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Flatpak domain to transition to.
+##	</summary>
+## </param>
+#
+interface(`flatpak_domtrans',`
+	gen_require(`
+		type flatpak_exec_t;
+		attribute flatpak_domain;
+	')
+	typeattribute $2 flatpak_domain;
+	domtrans_pattern($1, flatpak_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Execute generic flatpak apps and runtimes in a provided domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+#
+interface(`flatpak_generic_app_domtrans',`
+	gen_require(`
+		attribute flatpak_generic_app_exec_type;
+	')
+	domtrans_pattern($1, flatpak_generic_app_exec_type, $2)
+')
+
+########################################
+## <summary>
+##	Execute flatpak in a provided domain, with generic flatpak apps
+##	transitioning back to the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Flatpak domain to transition to.
+##	</summary>
+## </param>
+#
+interface(`flatpak_generic_domtrans',`
+	gen_require(`
+		attribute flatpak_generic_app_exec_type;
+	')
+	flatpak_domtrans($1, $2)
+	# Only apply this to generic flatpak app exec types to make it possible to
+	# apply app-specific confinement with a transition to a different domain.
+	flatpak_generic_app_domtrans($2, $1)
+')
+
+########################################
+## <summary>
+##	Allow domain to read flatpak applications and runtimes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`flatpak_read_apps',`
+	gen_require(`
+		type flatpak_tmpfs_t;
+		attribute flatpak_lib_type;
+	')
+	watch_dirs_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	list_dirs_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	read_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	read_lnk_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+
+	list_dirs_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+	read_files_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+	read_lnk_files_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage flatpak applications and runtimes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`flatpak_manage_apps',`
+	gen_require(`
+		attribute flatpak_lib_type;
+	')
+	manage_dirs_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	manage_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	manage_lnk_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	mmap_rw_files_pattern($1, flatpak_lib_type, flatpak_lib_type)
+	list_dirs_pattern($1, flatpak_tmpfs_t, flatpak_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to execute flatpak app and runtime files without a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`flatpak_exec_apps',`
+	gen_require(`
+		attribute flatpak_app_exec_type;
+	')
+	exec_files_pattern($1, flatpak_app_exec_type, flatpak_app_exec_type)
+')
+
+########################################
+## <summary>
+##	Create objects in a flatpak system app directory with an automatic type
+##	transition to a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`flatpak_var_lib_filetrans',`
+	gen_require(`
+		type flatpak_var_lib_t;
+	')
+
+	allow $1 flatpak_var_lib_t:dir search_dir_perms;
+	filetrans_pattern($1, flatpak_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create objects in a flatpak user app directory with an automatic type
+##	transition to a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`flatpak_data_home_filetrans',`
+	gen_require(`
+		type flatpak_data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 flatpak_data_home_t:dir search_dir_perms;
+	filetrans_pattern($1, flatpak_data_home_t, $2, $3, $4)
+')