```bash
#!/usr/bin/env bash
########################################################################################################################
### credits to WinkelCode for the original script and the portmaster team for the awesome software!
### See
### https://gist.github.com/zany130/ba610a7391fcee4e4e7a20cbd06bc754?permalink_comment_id=5758560#gistcomment-5758560
### for installation steps from S7venLights
### you may have issues with the portmaster service starting on reboot and with SELinux; see the installation steps for details.
########################################################################################################################
set -e # Exit on error
if [ "$EUID" -ne 0 ]; then
    echo "To ensure correct permissions, this script must be run as root."
    exit 1
fi
# Paths to use for the Portmaster install. Must not include a trailing slash.
data_dir="/var/lib/portmaster"
log_dir="/var/lib/portmaster/logs"
bin_dir="/var/lib/portmaster/bin"
systemd_dir="/etc/systemd/system"
autostart_dir="/etc/xdg/autostart"
exports_dir="${bin_dir}/exports"
# ===================================
# STEP 1: Install Portmaster
# (install all necessary files)
# ===================================
# Create directory for binaries
mkdir -p "${bin_dir}"
cd "${bin_dir}"
# Download Portmaster UpdateManager utility (-O keeps the file name stable when the script is re-run)
echo "[+] Downloading Portmaster UpdateManager..."
wget -O updatemgr https://updates.safing.io/latest/linux_amd64/updatemgr/updatemgr
chmod a+x updatemgr
# Download latest binaries
echo "[+] Downloading Portmaster binaries..."
./updatemgr download https://updates.safing.io/stable.v3.json "${bin_dir}"
chmod a+x "${bin_dir}/portmaster" # Ensure binary is executable
chmod a+x "${bin_dir}/portmaster-core" # Ensure binary is executable
# Download latest data files
echo "[+] Downloading Portmaster data files..."
mkdir -p "${data_dir}"/intel
./updatemgr download https://updates.safing.io/intel.v3.json "${data_dir}/intel"
# (Optional)
# If the SELinux tooling is present, label the Portmaster binaries bin_t so they can be executed under SELinux policy.
# The file-context pattern must cover the directory AND its contents ("(/.*)?"); a pattern naming only the directory
# matches the directory alone and restorecon would leave the binaries unlabeled.
if command -v semanage >/dev/null 2>&1; then
    echo "[ ] Fixing SELinux permissions"
    semanage fcontext -a -t bin_t -s system_u "$(realpath "${bin_dir}")(/.*)?" || :
    restorecon -R "${bin_dir}" >/dev/null 2>&1 || :
fi
# Clean up
rm -f "${bin_dir}/updatemgr"
# Done
echo "[i] At this point, Portmaster is installed."
echo " You can start manually running the Portmaster daemon with:"
echo " ${bin_dir}/portmaster-core --log-stdout"
echo " To start User Interface, run:"
echo " ${bin_dir}/portmaster"
# ===================================
# STEP 2: Register Portmaster service
# (for systemd-based systems)
# ===================================
mkdir -p "${exports_dir}/units"
echo "[+] Registering Portmaster service"
# The heredoc is unquoted so ${data_dir} etc. are filled in now. $PORTMASTER_ARGS is escaped so it reaches the unit
# file literally and systemd expands it at start time from the EnvironmentFile.
cat <<EOF > "${systemd_dir}/portmaster.service"
[Unit]
Description=Portmaster by Safing
Documentation=https://safing.io
Documentation=https://docs.safing.io
Before=nss-lookup.target network.target shutdown.target
After=systemd-networkd.service
Conflicts=shutdown.target
Conflicts=firewalld.service
Wants=nss-lookup.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10
RestartPreventExitStatus=24
LockPersonality=yes
MemoryDenyWriteExecute=yes
MemoryLow=2G
NoNewPrivileges=yes
PrivateTmp=yes
PIDFile=${data_dir}/core-lock.pid
Environment=LOGLEVEL=info
Environment=PORTMASTER_ARGS=
EnvironmentFile=-/etc/default/portmaster
ProtectSystem=true
ReadWritePaths=${data_dir}
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
ProtectHome=read-only
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateDevices=yes
AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
StateDirectory=portmaster
WorkingDirectory=${data_dir}
ExecStart=${bin_dir}/portmaster-core --log-dir=${log_dir} --bin-dir ${bin_dir} --data-dir ${data_dir} -- \$PORTMASTER_ARGS
ExecStopPost=-${bin_dir}/portmaster-core -recover-iptables
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable portmaster
ln -sf "${systemd_dir}/portmaster.service" "${exports_dir}/units/portmaster.service" # -f so re-running the script does not abort on an existing link
# ===================================
# STEP 3: Register Portmaster UI
# (for desktop environments)
# ===================================
# Install Portmaster UI start script
echo "[+] Installing Portmaster UI start script"
# "\$@" is escaped so the wrapper forwards its own arguments at run time; unescaped, $@ would be expanded
# while this installer runs (to nothing), and the .desktop flags would never reach the UI.
cat <<EOF > "${bin_dir}/portmaster-ui-start.sh"
#!/bin/sh
WEBKIT_DISABLE_COMPOSITING_MODE=1 ${bin_dir}/portmaster "\$@"
EOF
chmod a+x "${bin_dir}/portmaster-ui-start.sh"
# Register Portmaster UI in the system
echo "[+] Registering Portmaster UI .desktop file"
mkdir -p "${exports_dir}/share/applications"
cat <<EOF > "${exports_dir}/share/applications/portmaster.desktop"
[Desktop Entry]
Name=Portmaster
GenericName=Application Firewall
Exec=${bin_dir}/portmaster-ui-start.sh --with-prompts --with-notifications
Icon=portmaster
StartupWMClass=portmaster
Terminal=false
Type=Application
Categories=System
EOF
# Register Portmaster UI to automatically start on login
echo "[+] Registering Portmaster UI to start on login"
mkdir -p "${autostart_dir}"
cat <<EOF > "${autostart_dir}/portmaster-autostart.desktop"
[Desktop Entry]
Name=Portmaster
GenericName=Application Firewall Notifier
Exec=${bin_dir}/portmaster-ui-start.sh --with-prompts --with-notifications --background
Icon=portmaster
Terminal=false
Type=Application
Categories=System
NoDisplay=true
EOF
# Register Portmaster icon (the icons directory must exist before wget writes into it, or set -e aborts here)
echo "[+] Registering Portmaster icon"
mkdir -p "${exports_dir}/share/icons"
wget https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_logo.png -O "${exports_dir}/share/icons/portmaster.png"
# Adding the exports directory to XDG_DATA_DIRS to show desktop entries (applies after next login)
echo "-> Adding '${exports_dir}' to \$XDG_DATA_DIRS to show desktop entries (applies after next login)"
echo "export XDG_DATA_DIRS=${exports_dir}/share:\$XDG_DATA_DIRS" >/etc/profile.d/zzz-portmaster-to-xdg-data-dirs.sh # We prepend 'zzz' since profile.d scripts aren't numbered on Fedora, and we want to run after any other scripts that modify XDG_DATA_DIRS.
```
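STEP 3 of the script writes the UI wrapper from a heredoc. If the `$@` in that heredoc is not escaped, the installer expands it while it is running (it is run with no arguments, so the expansion is empty) and the generated wrapper ends with a literal `""`, which silently drops the `--with-prompts --with-notifications` flags the `.desktop` files pass. The example below is added here and is not part of the gist: it generates the wrapper both ways into a temporary directory that holds a constructed stub `portmaster` (a script that only prints its argument count) and reports how many arguments actually reach it.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: why the UI wrapper heredoc must escape "$@".
# All paths are temporary and the 'portmaster' binary is a constructed stub.
set -e

# Correct form: "\$@" survives into the wrapper; ${bin_dir} is substituted now.
render_ui_wrapper() {
    local bin_dir="$1" out="$2"
    cat <<EOF > "$out"
#!/bin/sh
WEBKIT_DISABLE_COMPOSITING_MODE=1 ${bin_dir}/portmaster "\$@"
EOF
    chmod a+x "$out"
}

# Buggy form for comparison: $@ is expanded at install time. 'set --' mimics the
# installer being invoked with no positional arguments.
render_ui_wrapper_buggy() {
    local bin_dir="$1" out="$2"
    set --
    cat <<EOF > "$out"
#!/bin/sh
WEBKIT_DISABLE_COMPOSITING_MODE=1 ${bin_dir}/portmaster "$@"
EOF
    chmod a+x "$out"
}

# Generate a wrapper with the given render function into a temporary bin dir that
# holds a stub 'portmaster' (prints its argument count), run the wrapper with the
# two flags from the .desktop file, and print what the stub saw.
count_forwarded_args() {
    local render="$1" tmp
    tmp="$(mktemp -d)"
    printf '#!/bin/sh\necho "$#"\n' > "$tmp/portmaster"
    chmod a+x "$tmp/portmaster"
    "$render" "$tmp" "$tmp/portmaster-ui-start.sh"
    "$tmp/portmaster-ui-start.sh" --with-prompts --with-notifications
    rm -rf "$tmp"
}

echo "escaped wrapper forwards $(count_forwarded_args render_ui_wrapper) arguments"
echo "unescaped wrapper forwards $(count_forwarded_args render_ui_wrapper_buggy) argument (the empty string)"
```

The unescaped variant produces exactly the `portmaster ""` command line that appears in the troubleshooting output later in this thread, which is how the defect can be recognised on an installed system: `cat /var/lib/portmaster/bin/portmaster-ui-start.sh` should show a literal `"$@"`.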
I think point 15 is fine. I never tested to see what happens if you have both installed, but I think my script replaces all systemd services and autostart files, so it shouldn't be a problem (nothing will call the old v1 Portmaster).
EDIT: Oh yeah, the old script did everything in an exports folder, so it's all self-contained in /var/lib/safing-portmaster. I guess if you still had its systemd service loaded it could cause issues, so it might be best to remove the exports folder or, at the very least, disable the service beforehand.
And then uninstalling should be a matter of removing the old Portmaster files, as you said. I'm going to see if I can link to your post for the instructions in the OP so it's more visible.
> it might be best to remove the exports folder or, at the very least, disable the service beforehand.
As in before installing V2?
I suppose if one did that they'd risk leaks while downloading v2?
Everything seems to be running fine the way I did it. The only portmaster running on my system is the one from your V2 directory.
If I run `systemctl list-units --type=service` I only see 1 portmaster.service
Hmmm I've just had an issue trying to open the UI now.
Right-clicked on the tray icon to open.
Window launches, but it's black and I can't close it (non-responsive).
I tried to troubleshoot:
```
user@bazzite:/var/home/user$ var/lib/portmaster/bin/portmaster-core --log-stdout
bash: var/lib/portmaster/bin/portmaster-core: No such file or directory
user@bazzite:/var/home/user$ /var/lib/portmaster/bin/portmaster-core
error creating an instance: create updates module: create update target directory: /var/lib/portmaster/download_binaries
user@bazzite:/var/home/user$ sudo /var/lib/portmaster/bin/portmaster-core
[sudo] password for user:
error creating an instance: create updates module: create update target directory: /var/lib/portmaster/download_binaries
user@bazzite:/var/home/user$ sudo chcon -t bin_t /var/lib/portmaster/bin/portmaster-core
user@bazzite:/var/home/user$ sudo /var/lib/portmaster/bin/portmaster-core
error creating an instance: create updates module: create update target directory: /var/lib/portmaster/download_binaries
```
I then ended the portmaster process (Not portmaster-core) in System Monitor and tried to relaunch in CLI:
```
user@bazzite:/var/lib/portmaster/bin/portmaster
(portmaster:1058708): libayatana-appindicator-WARNING **: 17:49:10.422: libayatana-appindicator is deprecated. Please use libayatana-appindicator-glib in newly written code.
[2025-09-14][15:49:10][portmaster::portmaster][DEBUG] not yet connected to Portmaster API, calling on_disconnect()
[2025-09-14][15:49:10][portmaster::portmaster::websocket][DEBUG] Trying to connect to websocket endpoint
[2025-09-14][15:49:10][portmaster::portmaster::websocket][INFO] Successfully connected to portmaster
[2025-09-14][15:49:10][portmaster::portmaster][DEBUG] connection to portmaster established, calling handlers
[2025-09-14][15:49:10][portmaster::portmaster][DEBUG] number of registered handlers: 1
[2025-09-14][15:49:10][portmaster::portmaster][DEBUG] executing handler.on_connect()
[2025-09-14][15:49:10][portmaster::portmaster][DEBUG] calling registered handler: main-handler
[2025-09-14][15:49:10][portmaster][INFO] connection established, creating main window
[2025-09-14][15:49:10][portmaster::window][DEBUG] [tauri] creating main window
[2025-09-14][15:49:10][portmaster][DEBUG] created main window
[2025-09-14][15:49:10][portmaster::portapi::client][DEBUG] Sending websocket frame: 0|qsub|query runtime:subsystems/
[2025-09-14][15:49:10][portmaster::portapi::client][DEBUG] Sending websocket frame: 1|qsub|query runtime:spn/status
[2025-09-14][15:49:10][portmaster::portapi::client][DEBUG] Sending websocket frame: 2|qsub|query config:spn/enable
[2025-09-14][15:49:10][portmaster::portapi::client][DEBUG] Sending websocket frame: 3|sub|query runtime:modules/core/event/shutdown
[2025-09-14][15:49:10][portmaster::portapi::client][DEBUG] Sending websocket frame: 4|qsub|query notifications:
[2025-09-14][15:49:10][portmaster::traymenu][DEBUG] SPN status update: disabled
[2025-09-14][15:49:10][portmaster::window][DEBUG] [tauri] main window page loaded: http://127.0.0.1:817/ui/modules/portmaster/
[2025-09-14][15:49:11][portmaster::window][DEBUG] [tauri] main window page loaded: http://127.0.0.1:817/ui/modules/portmaster/
[2025-09-14][15:49:11][reqwest::connect][DEBUG] starting new connection: http://127.0.0.1:817/
[2025-09-14][15:49:11][tungstenite::handshake::client][DEBUG] Client handshake done.
[2025-09-14][15:49:11][cookie_store::cookie_store][DEBUG] inserting Set-Cookie 'Cookie { cookie_string: Some("Portmaster-API-Token=cVkrvsKA31kjky-ygFaXFGJNlYETOcvQFe_DSCG-ZLU; Path=/; HttpOnly; SameSite=Strict"), name: Indexed(0, 20), value: Indexed(21, 64), expires: None, max_age: None, domain: None, path: Some(Indexed(71, 72)), secure: None, http_only: Some(true), same_site: Some(Strict), partitioned: None }'
[2025-09-14][15:49:11][portmaster::portmaster::commands][DEBUG] [tauri:rpc:should_show] application should show after bootstrap
[2025-09-14][15:49:11][reqwest::connect][DEBUG] starting new connection: http://127.0.0.1:817/
[2025-09-14][15:49:11][reqwest::connect][DEBUG] starting new connection: http://127.0.0.1:817/
[2025-09-14][15:49:11][reqwest::connect][DEBUG] starting new connection: http://127.0.0.1:817/
[2025-09-14][15:49:12][reqwest::connect][DEBUG] starting new connection: http://127.0.0.1:817/
Gdk-Message: 17:49:12.821: Error 71 (Protocol error) dispatching to Wayland display.
```
I've had this issue before.
But when launching from the start menu it launched fine.
Ahh, looking over my script, it replaces `/etc/profile.d/zzz-portmaster-to-xdg-data-dirs.sh` with the new locations of all the files rather than appending to it.
So that's why the system no longer sees the old service file: it's no longer on the system path.
I actually did that accidentally, but it works out perfectly. That file is what allows custom locations for the system's services and all that; without it the custom files don't get loaded.
(Technically, since my script installs the service to /etc/systemd, the service will still be found even if that file doesn't exist, but the old script put the service in the exports folder, so it needed the file.)
As for your issue opening the app, I just had something similar after installing an update to Portmaster.
I fixed it by re-running the install script, which should replace everything with the latest files.
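The comment above describes the profile.d snippet that puts the exports directory on `XDG_DATA_DIRS`. The snippet prepends unconditionally, so the directory is added again every time the file is sourced (a nested login shell, or sourcing `/etc/profile` by hand), and a reinstall that changes the path leaves both entries in place. The example below is added here and is not from the gist (the function names and the temporary file are mine): it writes a snippet that checks before prepending, then sources it twice in a clean shell to confirm the variable does not grow.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: an idempotent XDG_DATA_DIRS prepend for the
# profile.d snippet. Function names and the temporary paths are my own.
set -e

# Print $2 (a colon-separated XDG_DATA_DIRS value) with $1 in front, unless $1 is
# already listed. An empty $2 falls back to the XDG default search path.
prepend_data_dir() {
    local new="$1" current="${2:-/usr/local/share:/usr/share}"
    case ":${current}:" in
        *":${new}:"*) printf '%s\n' "$current" ;;
        *)            printf '%s\n' "${new}:${current}" ;;
    esac
}

# Write a profile.d snippet that applies the same check at login time. The heredoc
# is unquoted so ${share_dir} is filled in now; the \$ forms stay literal so the
# login shell expands XDG_DATA_DIRS when the snippet is sourced.
write_profile_snippet() {
    local share_dir="$1" out="$2"
    cat <<EOF > "$out"
# Make Portmaster's exported .desktop files visible (written by the installer).
case ":\${XDG_DATA_DIRS:-/usr/local/share:/usr/share}:" in
    *":${share_dir}:"*) ;;
    *) export XDG_DATA_DIRS="${share_dir}:\${XDG_DATA_DIRS:-/usr/local/share:/usr/share}" ;;
esac
EOF
}

# Source the snippet twice in a clean shell (what a nested login shell does) and
# print the resulting XDG_DATA_DIRS; the exports directory must appear once.
snippet_result_after_two_logins() {
    local share_dir="$1" tmp
    tmp="$(mktemp -d)"
    write_profile_snippet "$share_dir" "$tmp/zzz-portmaster-to-xdg-data-dirs.sh"
    env -i XDG_DATA_DIRS="/usr/local/share:/usr/share" /bin/sh -c \
        ". '$tmp/zzz-portmaster-to-xdg-data-dirs.sh'; . '$tmp/zzz-portmaster-to-xdg-data-dirs.sh'; printf '%s\n' \"\$XDG_DATA_DIRS\""
    rm -rf "$tmp"
}

prepend_data_dir /var/lib/portmaster/bin/exports/share "/usr/local/share:/usr/share"
snippet_result_after_two_logins /var/lib/portmaster/bin/exports/share
```

Overwriting the profile.d file on every run, as the installer does, is still the right move: it is what drops the old v1 exports path. The check inside the snippet only guards against the same path being added twice within one session.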
Edit* The below issue stopped presenting after a system reboot, so you can probably ignore it.
I just updated my bazzite.gg OS:
Operating System: Bazzite 43 (Adapted version of Fedora)
KDE Plasma Version: 6.5.1
KDE Frameworks Version: 6.19.0
Qt Version: 6.10.0
Kernel Version: 6.17.7-ba01.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
and Portmaster UI seems to have failed/frozen at reboot
Core is running but when I try to run Portmaster UI from CLI:
```
WEBKIT_DISABLE_COMPOSITING_MODE=1 /var/lib/portmaster/bin/portmaster ""
```
I got this output:
```
[2025-11-03][07:41:08][arboard::platform::linux][WARN] Tried to initialize the wayland data control protocol clipboard, but failed. Falling back to the X11 clipboard protocol. The error was: Unknown error while interacting with the clipboard: A required Wayland protocol (zwlr_data_control_manager_v1 version 1) is not supported by the compositor
```
I also tried without `WEBKIT_DISABLE_COMPOSITING_MODE=1` and got the same result.
I also tried:
```
sudo /var/lib/portmaster/bin/portmaster-core --log-stdout
2025-11-03 10:26:12.512 running Portmaster 2.0.25 (linux/amd64; built with go1.24.7 [gc -cgo] from a66544959c689599ab118b34ffd94ea261aa86c9 [clean] at 2025-09-05T08:17:28Z)
error creating an instance: create updates module: create update target directory: /var/lib/portmaster/download_binaries
```
Maybe it's a Portmaster or OS issue, but I thought I'd share here too.
Pleasure :) least I could do, you did the heavy lifting. Is my point 15 correct? Maybe @WinkelCode knows what to do about SELinux?