feat: copy existing conf from secureblue repo (#18)

RoyalOughtness · secureblue-bot · commit 7c74672b3c64 · 2025-12-03T03:22:09.000Z
diff --git a/README.md b/README.md
@@ -1,26 +1,3 @@
-# Fedora SELinux policy
+# selinux-policy
 
-This is SELinux policy based on [refpolicy](https://github.com/SELinuxProject/refpolicy) used in Fedora, Red Hat Enterprise Linux and CentOS Stream.
-
-## Installation
-
-The installation process is described in [INSTALL](INSTALL).
-
-The default policy is installed to `/etc/selinux/fedora-selinux` and `/var/lib/selinux/fedora-selinux`.
-
-The name and other options can be changed using variables like `NAME`, `TYPE`, ... variables, for more details see [README.build](README.build).
-E.g. Fedora `targeted` policy uses the following options:
-
-    DISTRO=redhat UBAC=n DIRECT_INITRC=n MONOLITHIC=n MLS_CATS=1024 MCS_CATS=1024 UNK_PERMS=allow NAME=targeted TYPE=mcs
-
-## Contributing
-
-There are several ways how to contribute:
-
-### Report bugs
-
-Either open issue in this project or file a bug in [Fedora Bugzilla](https://bugzilla.redhat.com)
-
-### Pull requests
-
-You can fork this repo and open a PR. Please use  good practices and use descriptive commit messages.
+This is secureblue's SELinux policy based on [Fedora's policy](https://github.com/fedora-selinux/selinux-policy).
diff --git a/cil/grant_fm_userns.cil b/cil/grant_fm_userns.cil
@@ -0,0 +1,7 @@
+(typeattribute file_manager_type)
+(typeattributeset file_manager_type (nautilus_t thunar_t))
+
+(typeattribute file_manager_exec_type)
+(typeattributeset file_manager_exec_type (nautilus_exec_t thunar_exec_t))
+
+(allow file_manager_type self (user_namespace (create)))
diff --git a/cil/grant_systemd_flatpak_exec.cil b/cil/grant_systemd_flatpak_exec.cil
@@ -0,0 +1,5 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(allow init_t flatpak_exec_t (file (execute execute_no_trans open read map)))
diff --git a/cil/grant_userns.cil b/cil/grant_userns.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(allow colord_t self (user_namespace (create)))
+(allow devicekit_power_t self (user_namespace (create)))
diff --git a/cil/harden_container_userns.cil b/cil/harden_container_userns.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(deny container_domain self (user_namespace (create)))
+(deny container_runtime_domain self (user_namespace (create)))
diff --git a/cil/harden_userns.cil b/cil/harden_userns.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(deny userdomain self (user_namespace (create)))
+(deny unconfined_service_t self (user_namespace (create)))
diff --git a/cil/userns_deny_unconfined_relabels.cil b/cil/userns_deny_unconfined_relabels.cil
@@ -0,0 +1,19 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(typeattribute userns_privileged_file_type)
+(typeattributeset userns_privileged_file_type (colord_exec_t container_runtime_exec_t devicekit_power_exec_t docker_exec_t file_manager_exec_type flatpak_exec_t kubelet_exec_t systemsettings_exec_t trivalent_exec_t trivalent_script_exec_t))
+
+(typeattribute userns_relabel_allowed)
+(typeattributeset userns_relabel_allowed (init_t initrc_t install_t kernel_t))
+
+(typeattribute userns_relabel_restricted)
+(typeattributeset userns_relabel_restricted (and (domain) (not (userns_relabel_allowed))))
+
+(deny userns_relabel_restricted userns_privileged_file_type (blk_file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (chr_file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (dir (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (fifo_file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (lnk_file (relabelfrom relabelto)))
diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf
@@ -3060,3 +3060,44 @@ ktls = module
 #
 #
 switcheroo = module
+
+# Layer: contrib
+# Module: trivalent
+#
+# Policy for trivalent: A security-focused Chromium-based browser
+#
+#
+trivalent = module
+
+# Layer: contrib
+# Module: thunar
+#
+# Policy for thunar: A file manager for XFCE
+#
+#
+thunar = module
+
+# Layer: contrib
+# Module: nautilus
+#
+# Policy for nautilus: A file manager for GNOME
+#
+#
+nautilus = module
+
+# Layer: contrib
+# Module: systemsettings
+#
+# Policy for systemsettings: KDE system settings application
+#
+#
+systemsettings = module
+
+
+# Layer: contrib
+# Module: flatpakfull
+#
+# Policy for flatpakfull: Application sandboxing and distribution
+#
+#
+flatpakfull = module
diff --git a/policy/modules/contrib/flatpakfull.fc b/policy/modules/contrib/flatpakfull.fc
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+/usr/bin/flatpak	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-bisect	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-coredumpctl	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-oci-authenticator	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-portal	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-session-helper	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-validate-icon	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/revokefs-fuse	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
diff --git a/policy/modules/contrib/flatpakfull.if b/policy/modules/contrib/flatpakfull.if
@@ -0,0 +1,49 @@
+## <summary>flatpak packaging system</summary>
+
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+########################################
+## <summary>
+##	Execute flatpak in the flatpak domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`flatpak_domtrans',`
+	gen_require(`
+		type flatpak_t, flatpak_exec_t;
+	')
+
+	domtrans_pattern($1, flatpak_exec_t, flatpak_t)
+')
+
+
+########################################
+## <summary>
+##	Execute flatpak in the flatpak domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`flatpak_run',`
+	gen_require(`
+		type flatpak_t;
+        attribute_role flatpak_roles;
+	')
+
+	flatpak_domtrans($1)
+	roleattribute $2 flatpak_roles;
+')
diff --git a/policy/modules/contrib/flatpakfull.te b/policy/modules/contrib/flatpakfull.te
@@ -0,0 +1,46 @@
+policy_module(flatpakfull, 1.0.0)
+
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+########################################
+#
+# Declarations
+#
+
+attribute_role flatpak_roles;
+roleattribute object_r flatpak_roles;
+
+
+
+type flatpak_t;
+type flatpak_exec_t;
+domain_type(flatpak_t, flatpak_exec_t)
+application_domain(flatpak_t, flatpak_exec_t)
+
+role flatpak_roles types flatpak_t;
+
+allow flatpak_t self:user_namespace create;
+unconfined_domain_noaudit(flatpak_t)
+
+optional_policy(`
+	rtkit_scheduled(flatpak_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type unconfined_t;
+		attribute trivalent_domain;
+		role unconfined_r;
+	')
+
+	flatpak_run(unconfined_t, unconfined_r)
+	flatpak_run(trivalent_domain, unconfined_r)
+
+	# required for trivalent/flatpak clipboard sharing
+	allow trivalent_domain flatpak_t:fifo_file write;
+
+	# required for trivalent/flatpak integration
+	allow trivalent_domain flatpak_t:process2 { nnp_transition nosuid_transition };
+')
diff --git a/policy/modules/contrib/nautilus.fc b/policy/modules/contrib/nautilus.fc
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+/usr/bin/nautilus	--	gen_context(system_u:object_r:nautilus_exec_t,s0)
diff --git a/policy/modules/contrib/nautilus.if b/policy/modules/contrib/nautilus.if
@@ -0,0 +1,50 @@
+## <summary>nautilus file manager</summary>
+
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+
+########################################
+## <summary>
+##	Execute nautilus in the nautilus domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nautilus_domtrans',`
+	gen_require(`
+		type nautilus_t, nautilus_exec_t;
+	')
+
+	domtrans_pattern($1, nautilus_exec_t, nautilus_t)
+')
+
+
+########################################
+## <summary>
+##	Execute nautilus in the nautilus domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`nautilus_run',`
+	gen_require(`
+		type nautilus_t;
+        attribute_role nautilus_roles;
+	')
+
+	nautilus_domtrans($1)
+	roleattribute $2 nautilus_roles;
+')
diff --git a/policy/modules/contrib/nautilus.te b/policy/modules/contrib/nautilus.te
@@ -0,0 +1,33 @@
+policy_module(nautilus, 1.0.0)
+
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+########################################
+#
+# Declarations
+#
+
+attribute_role nautilus_roles;
+roleattribute object_r nautilus_roles;
+
+type nautilus_t;
+type nautilus_exec_t;
+domain_type(nautilus_t, nautilus_exec_t)
+application_domain(nautilus_t, nautilus_exec_t)
+
+role nautilus_roles types nautilus_t;
+
+unconfined_domain_noaudit(nautilus_t)
+
+optional_policy(`
+	gen_require(`
+		type unconfined_t;
+		attribute trivalent_domain;
+		role unconfined_r;
+	')
+
+	nautilus_run(unconfined_t, unconfined_r)
+	nautilus_run(trivalent_domain, unconfined_r)
+')
diff --git a/policy/modules/contrib/systemsettings.fc b/policy/modules/contrib/systemsettings.fc
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+/usr/bin/systemsettings	--	gen_context(system_u:object_r:systemsettings_exec_t,s0)
diff --git a/policy/modules/contrib/systemsettings.if b/policy/modules/contrib/systemsettings.if
@@ -0,0 +1,49 @@
+## <summary>systemsettings policy</summary>
+
+# SPDX-FileCopyrightText 2025 The Secureblue Authors
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+########################################
+## <summary>
+##	Execute systemsettings in the systemsettings domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`systemsettings_domtrans',`
+	gen_require(`
+		type systemsettings_t, systemsettings_exec_t;
+	')
+
+	domtrans_pattern($1, systemsettings_exec_t, systemsettings_t)
+')
+
+
+########################################
+## <summary>
+##	Execute systemsettings in the systemsettings domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemsettings_run',`
+	gen_require(`
+		type systemsettings_t;
+		attribute_role systemsettings_roles;
+	')
+
+	systemsettings_domtrans($1)
+	roleattribute $2 systemsettings_roles;
+')
diff --git a/policy/modules/contrib/systemsettings.te b/policy/modules/contrib/systemsettings.te
diff --git a/policy/modules/contrib/thunar.fc b/policy/modules/contrib/thunar.fc
diff --git a/policy/modules/contrib/thunar.if b/policy/modules/contrib/thunar.if
diff --git a/policy/modules/contrib/thunar.te b/policy/modules/contrib/thunar.te
diff --git a/policy/modules/contrib/trivalent.fc b/policy/modules/contrib/trivalent.fc
diff --git a/policy/modules/contrib/trivalent.if b/policy/modules/contrib/trivalent.if
diff --git a/policy/modules/contrib/trivalent.te b/policy/modules/contrib/trivalent.te
