feat: add flatpak policy

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @RoyalOughtness

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7

.github/semantic.yml

@@ -0,0 +1,2 @@
+enabled: true
+titleOnly: true

.github/workflows/upstream-sync.yml

@@ -0,0 +1,80 @@
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: upstream-sync
+permissions: {}
+on:
+  schedule:
+    - cron: "00 2 * * *" # run daily at 2:00 UTC
+  workflow_dispatch: # allow manually triggering sync
+
+jobs:
+  upstream-sync:
+    name: Sync with upstream
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write # Needed to modify repository contents
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: true # zizmor: ignore[artipacked]
+          fetch-depth: 0
+
+      - name: Import GPG key
+        uses: step-security/ghaction-import-gpg@69c854a83c7f79463f8bdf46772ab09826c560cd # v6.3.1
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - uses: step-security/ssh-agent@e0d707bd9ce1ec5725e45bd639f7dc60dbc82b39 # v0.9.2
+        with:
+            ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Pull tags from upstream and rebase
+        shell: bash
+        env:
+          FEDORA_VERSION: 42
+        run: |
+          set -euxo pipefail
+          git config user.email '236124859+secureblue-bot@users.noreply.github.com'
+          git config user.name 'secureblue-bot'
+          git config --global user.signingkey E216FE5D67C3E057
+          git config --global commit.gpgsign true
+          git config --global tag.gpgSign true
+
+          git remote add 'upstream' 'https://github.com/fedora-selinux/selinux-policy.git'
+          git fetch --tags 'upstream'
+
+          spec_url="https://src.fedoraproject.org/rpms/selinux-policy/raw/f${FEDORA_VERSION}/f/selinux-policy.spec"
+          stable_commit=$(curl -Ls "${spec_url}" | grep -E '^%global commit [0-9a-fA-F]+$')
+          stable_commit="${stable_commit#%global commit }"
+          set +e
+          git merge-base --is-ancestor "${stable_commit}" HEAD
+          status=$?
+          set -e
+          case "${status}" in
+          0) ;;
+          1)
+            git rebase "${stable_commit}"
+            git push --follow-tags --force-with-lease
+            ;;
+          *) exit "${status}" ;;
+          esac
+
+          readarray -t merged_tags < <(git tag -l "v${FEDORA_VERSION}.*" --merged)
+          git push origin "${merged_tags[@]}"

.github/workflows/zizmor.yml

@@ -0,0 +1,37 @@
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          persona: auditor

policy/modules/contrib/flatpak-sandbox.fc

@@ -0,0 +1,21 @@
+/usr/bin/flatpak			--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-bisect			--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/bin/flatpak-coredumpctl		--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-oci-authenticator	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-portal		--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-session-helper	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/flatpak-validate-icon	--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+/usr/libexec/revokefs-fuse		--	gen_context(system_u:object_r:flatpak_exec_t,s0)
+
+/var/lib/flatpak(/.*)?				gen_context(system_u:object_r:flatpak_var_lib_t,s0)
+HOME_DIR/\.local/share/flatpak(/.*)?		gen_context(system_u:object_r:flatpak_data_home_t,s0)
+/root/\.local/share/flatpak(/.*)?		gen_context(system_u:object_r:flatpak_data_home_t,s0)
+HOME_DIR/\.cache/flatpak(/.*)?			gen_context(system_u:object_r:flatpak_cache_home_t,s0)
+/root/\.cache/flatpak(/.*)?			gen_context(system_u:object_r:flatpak_cache_home_t,s0)
+HOME_DIR/\.var(/.*)?				gen_context(system_u:object_r:var_home_t,s0)
+/root/\.var(/.*)?				gen_context(system_u:object_r:var_home_t,s0)
+HOME_DIR/\.var/app(/.*)?			gen_context(system_u:object_r:flatpak_var_home_t,s0)
+/root/\.var/app(/.*)?				gen_context(system_u:object_r:flatpak_var_home_t,s0)
+/run/user/%{USERID}/app(/.*)?			gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
+/run/user/%{USERID}/\.flatpak(/.*)?		gen_context(system_u:object_r:flatpak_user_tmp_t,s0)
+/run/user/%{USERID}/\.flatpak-helper(/.*)?	gen_context(system_u:object_r:flatpak_user_tmp_t,s0)