feat(selinux): Get rid of all file WX of Trivalent's Selinux trivalent_domain

[PhysicsIsAwesome]

This gets rid of all file WX of Trivalent's Selinux trivalent_domain I could find:

• cache_home_t
• chrome_sandbox_home_t
• config_home_t
• trivalent_home_t
• trivalent_domain itself

It introduces a new on-by-default tunable trivalent_exec_flatpaks so people can disable execution of Flatpaks. Execution is needed for certain extensions being able to talk to their app counterpart like Keepassxc.

Additionally there is a tunable trivalent_drm which is on by-default. This allows file WX and needs to be turned off by users who want W^X at the expense of not being able to use DRM restricted content.

Testing done:

• Started Trivalent
• Visited a few websites including video content (Youtube)
• Checked AVC logs
• Deleted trivalent's folder in .config
• Might need additional testing for edge cases
• RPM spec file is untested, since it would take a very long time to build Trivalent on my device and I have little experience with spec files. Review and testing is needed.

Basically secureblue/secureblue#2029 plus the tmpfiles.d file

[RoyalOughtness]

@PhysicsIsAwesome did you confirm that protected content still works with this?

[HastD]

The policy changes look fine to me; just a few nitpicks about the packaging.

[PhysicsIsAwesome]

@PhysicsIsAwesome did you confirm that protected content still works with this?

Yes. With trivalent_drm set to on, it works as expected. With off, websites still sometimes report that drm works, but, if you actually try to play drm protected content, it does not work.

[RKNF404]

Lgtm

[codacy-production]

Not up to standards ⛔

🔴 Issues 1 medium

Alerts:
⚠ 1 issue (≤ 0 issues of at least minor severity)

Results:
1 new issue

Category	Results
BestPractice	1 medium

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}