@zany130
Last active November 3, 2025 08:47
Install portmaster to /var
#!/usr/bin/env bash
########################################################################################################################
### credits to WinkelCode for the original script and the portmaster team for the awesome software!
### See
### https://gist.github.com/zany130/ba610a7391fcee4e4e7a20cbd06bc754?permalink_comment_id=5758560#gistcomment-5758560
### for installation steps from S7venLights.
### You may have issues with the portmaster service starting on reboot and with SELinux; see the installation steps for details.
########################################################################################################################
set -e # Exit on error
if [ "$EUID" -ne 0 ]; then
    echo "To ensure correct permissions, this script must be run as root."
    exit 1
fi
# Paths to use for portmaster install Must not include trailing slash
data_dir="/var/lib/portmaster"
log_dir="/var/lib/portmaster/logs"
bin_dir="/var/lib/portmaster/bin"
systemd_dir="/etc/systemd/system"
autostart_dir="/etc/xdg/autostart"
exports_dir="${bin_dir}/exports"
# ===================================
# STEP 1: Install Portmaster
# (install all necessary files)
# ===================================
# Create directory for binaries
mkdir -p "${bin_dir}"
cd "${bin_dir}"
# Download Portmaster UpdateManager utility
echo "[+] Downloading Portmaster UpdateManager..."
wget https://updates.safing.io/latest/linux_amd64/updatemgr/updatemgr
chmod a+x updatemgr
# Download latest binaries
echo "[+] Downloading Portmaster binaries..."
./updatemgr download https://updates.safing.io/stable.v3.json "${bin_dir}"
chmod a+x "${bin_dir}/portmaster" # Ensure binary is executable
chmod a+x "${bin_dir}/portmaster-core" # Ensure binary is executable
# Download latest data files
echo "[+] Downloading Portmaster data files..."
mkdir -p "${data_dir}"/intel
./updatemgr download https://updates.safing.io/intel.v3.json "${data_dir}/intel"
# (Optional)
# If SELinux tooling is present, label the Portmaster bin directory (and everything in it) bin_t
# so the binaries can be executed under the SELinux policy. A plain path given to
# semanage fcontext matches only that exact path, so the (/.*)? pattern is needed to cover
# portmaster-core and the other binaries; restorecon then applies the labels.
if command -v semanage >/dev/null 2>&1; then
    echo "[ ] Fixing SELinux permissions"
    semanage fcontext -a -t bin_t -s system_u "$(realpath "${bin_dir}")(/.*)?" || :
    restorecon -R "${bin_dir}" >/dev/null 2>&1 || :
fi
# Clean up
rm -f "${bin_dir}/updatemgr"
# Done
echo "[i] At this point, Portmaster is installed."
echo " You can start manually running the Portmaster daemon with:"
echo " ${bin_dir}/portmaster-core --log-stdout"
echo " To start User Interface, run:"
echo " ${bin_dir}/portmaster"
# ===================================
# STEP 2: Register Portmaster service
# (for systemd-based systems)
# ===================================
mkdir -p "${exports_dir}/units"
echo "[+] Registering Portmaster service"
cat <<EOF > "${systemd_dir}/portmaster.service"
[Unit]
Description=Portmaster by Safing
Documentation=https://safing.io
Documentation=https://docs.safing.io
Before=nss-lookup.target network.target shutdown.target
After=systemd-networkd.service
Conflicts=shutdown.target
Conflicts=firewalld.service
Wants=nss-lookup.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10
RestartPreventExitStatus=24
LockPersonality=yes
MemoryDenyWriteExecute=yes
MemoryLow=2G
NoNewPrivileges=yes
PrivateTmp=yes
PIDFile=${data_dir}/core-lock.pid
Environment=LOGLEVEL=info
Environment=PORTMASTER_ARGS=
EnvironmentFile=-/etc/default/portmaster
ProtectSystem=true
ReadWritePaths=${data_dir}
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
ProtectHome=read-only
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateDevices=yes
AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
StateDirectory=portmaster
WorkingDirectory=${data_dir}
ExecStart=${bin_dir}/portmaster-core --log-dir=${log_dir} --bin-dir ${bin_dir} --data-dir ${data_dir} -- \$PORTMASTER_ARGS
ExecStopPost=-${bin_dir}/portmaster-core -recover-iptables
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable portmaster
ln -s "${systemd_dir}/portmaster.service" "${exports_dir}/units/portmaster.service"
# ===================================
# STEP 3: Register Portmaster UI
# (for desktop environments)
# ===================================
# Install Portmaster UI start script
echo "[+] Installing Portmaster UI start script"
# The heredoc is unquoted so ${bin_dir} expands now; "\$@" is escaped so the wrapper
# keeps a literal "$@" and forwards the flags passed by the .desktop entries below.
cat <<EOF > "${bin_dir}/portmaster-ui-start.sh"
#!/bin/sh
WEBKIT_DISABLE_COMPOSITING_MODE=1 ${bin_dir}/portmaster "\$@"
EOF
chmod a+x "${bin_dir}/portmaster-ui-start.sh"
# Register Portmaster UI in the system
echo "[+] Registering Portmaster UI .desktop file"
mkdir -p "${exports_dir}/share/applications"
cat <<EOF > "${exports_dir}/share/applications/portmaster.desktop"
[Desktop Entry]
Name=Portmaster
GenericName=Application Firewall
Exec=${bin_dir}/portmaster-ui-start.sh --with-prompts --with-notifications
Icon=portmaster
StartupWMClass=portmaster
Terminal=false
Type=Application
Categories=System
EOF
# Register Portmaster UI to automatically start on login
echo "[+] Registering Portmaster UI to start on login"
mkdir -p "${autostart_dir}"
cat <<EOF > "${autostart_dir}/portmaster-autostart.desktop"
[Desktop Entry]
Name=Portmaster
GenericName=Application Firewall Notifier
Exec=${bin_dir}/portmaster-ui-start.sh --with-prompts --with-notifications --background
Icon=portmaster
Terminal=false
Type=Application
Categories=System
NoDisplay=true
EOF
# Register Portmaster icon
echo "[+] Registering Portmaster icon"
mkdir -p "${exports_dir}/share/icons" # wget -O does not create the target directory
wget https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_logo.png -O "${exports_dir}/share/icons/portmaster.png"
# Add exports_dir to XDG_DATA_DIRS so the desktop entries are found (applies after next login)
echo "-> Adding '${exports_dir}' to \$XDG_DATA_DIRS to show desktop entries (applies after next login)"
# Exported, with the XDG default as fallback in case the session has not set XDG_DATA_DIRS.
echo "export XDG_DATA_DIRS=${exports_dir}/share:\${XDG_DATA_DIRS:-/usr/local/share:/usr/share}" >/etc/profile.d/zzz-portmaster-to-xdg-data-dirs.sh # We prepend 'zzz' since profile.d scripts aren't numbered on Fedora, and we want to run after any other scripts that modify XDG_DATA_DIRS.
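Both heredocs in Steps 2 and 3 are written with an unquoted EOF, which is what makes `${bin_dir}` expand at install time; the same rule also expands `$@` and `$PORTMASTER_ARGS` at install time unless they are escaped, which is how a wrapper ends up invoking `portmaster ""` and dropping every flag the .desktop entries pass. The script below is an added example and not code from the gist or from Safing: it writes the UI wrapper the original way and the escaped way into a temporary directory holding a fake `portmaster` that only echoes its arguments, runs each wrapper the way the .desktop entry would, and renders the unit's `ExecStart=` line both ways. The temporary directory, the fake binary and the function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: reproduces the heredoc-expansion pitfall in
# the wrapper and unit file written by the installer above, using a throwaway
# directory and a stand-in "portmaster" that only echoes its arguments.
set -e

# Create a temporary bin dir containing a fake portmaster that prints every
# argument it receives on its own line (constructed for this example).
make_fake_bin_dir() {
    local dir
    dir="$(mktemp -d)"
    cat <<'EOF' > "${dir}/portmaster"
#!/bin/sh
printf '%s\n' "$@"
EOF
    chmod u+x "${dir}/portmaster"
    printf '%s\n' "${dir}"
}

# The gist's original pattern: with an unquoted EOF the shell writing the file
# expands "$@" immediately. `set --` mimics an installer run with no arguments,
# so the wrapper ends up containing a literal "" and forwards nothing.
write_wrapper_buggy() {
    local bin_dir="$1"
    set --
    cat <<EOF > "${bin_dir}/portmaster-ui-start.sh"
#!/bin/sh
WEBKIT_DISABLE_COMPOSITING_MODE=1 ${bin_dir}/portmaster "$@"
EOF
}

# Corrected pattern: ${bin_dir} is still expanded at install time, but the
# escaped \$@ survives as "$@" for the wrapper to expand at run time.
write_wrapper_fixed() {
    local bin_dir="$1"
    set --
    cat <<EOF > "${bin_dir}/portmaster-ui-start.sh"
#!/bin/sh
WEBKIT_DISABLE_COMPOSITING_MODE=1 ${bin_dir}/portmaster "\$@"
EOF
}

# Run the wrapper with the flags the .desktop entry uses and return, space
# separated, the argument list the fake portmaster actually received.
observe_args() {
    sh "$1/portmaster-ui-start.sh" --with-prompts --with-notifications \
        | tr '\n' ' ' | sed 's/ $//'
}

# Same pitfall for the systemd unit: $PORTMASTER_ARGS must reach the file
# unexpanded so that systemd substitutes it from Environment=/EnvironmentFile=.
# The variable is unset here, as it is during a normal installer run.
render_execstart() {
    unset PORTMASTER_ARGS
    if [ "$1" = buggy ]; then
        cat <<EOF
ExecStart=/var/lib/portmaster/bin/portmaster-core -- $PORTMASTER_ARGS
EOF
    else
        cat <<EOF
ExecStart=/var/lib/portmaster/bin/portmaster-core -- \$PORTMASTER_ARGS
EOF
    fi
}

demo() {
    local d
    d="$(make_fake_bin_dir)"
    write_wrapper_buggy "${d}"
    echo "buggy wrapper forwards: [$(observe_args "${d}")]"
    write_wrapper_fixed "${d}"
    echo "fixed wrapper forwards: [$(observe_args "${d}")]"
    echo "buggy unit line: $(render_execstart buggy)"
    echo "fixed unit line: $(render_execstart fixed)"
    rm -rf "${d}"
}

demo
```

On an already installed system the same check is a pair of greps: `grep -F '"$@"' /var/lib/portmaster/bin/portmaster-ui-start.sh` and `grep -F '$PORTMASTER_ARGS' /etc/systemd/system/portmaster.service` should both match; if either file carries an empty string where the variable should be, the installer's shell expanded it.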
S7venLights commented Nov 3, 2025

Edit* The below issue stopped presenting after a system reboot, so you can probably ignore it.

I just updated my bazzite.gg OS:
Operating System: Bazzite 43 (Adapted version of Fedora)
KDE Plasma Version: 6.5.1
KDE Frameworks Version: 6.19.0
Qt Version: 6.10.0
Kernel Version: 6.17.7-ba01.fc43.x86_64 (64-bit)
Graphics Platform: Wayland

and Portmaster UI seems to have failed/frozen at reboot
Core is running but when I try to run Portmaster UI from CLI:
`WEBKIT_DISABLE_COMPOSITING_MODE=1 /var/lib/portmaster/bin/portmaster ""`
I got this output:
[2025-11-03][07:41:08][arboard::platform::linux][WARN] Tried to initialize the wayland data control protocol clipboard, but failed. Falling back to the X11 clipboard protocol. The error was: Unknown error while interacting with the clipboard: A required Wayland protocol (zwlr_data_control_manager_v1 version 1) is not supported by the compositor

I also tried without 'WEBKIT_DISABLE_COMPOSITING_MODE=1' and got the same result

I also tried:
sudo /var/lib/portmaster/bin/portmaster-core --log-stdout

2025-11-03 10:26:12.512 running Portmaster 2.0.25 (linux/amd64; built with go1.24.7 [gc -cgo] from a66544959c689599ab118b34ffd94ea261aa86c9 [clean] at 2025-09-05T08:17:28Z)
error creating an instance: create updates module: create update target directory: /var/lib/portmaster/download_binaries

Maybe it's a Portmaster or OS issue, but I thought I'd share here too.
