mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-26 19:04:56 -04:00
The Fedora selinux-policy (and therefore also the openSUSE one) has a named file transition that relabels folders in ~/.local/share/ with the type `systemd_home_t` when they are called "systemd". This is unfortunate as this means it will also relabel the directory under `.local/share/flatpak/.*/systemd`, as it matches the directory name.

As the systemd filetrans looks valid and it is a shortcoming of SELinux in general, this is the easiest fix that would make the folders below .local/share/flatpak not be labelled incorrectly, I would say. Additionally, this will need a fix in the main selinux-policy.

What happens if we don't fix it?

- Users will have some of the files in .local/share/flatpak pop up when running `restorecon`, which might confuse them
- At least in regular targeted mode, it will likely not make an impact in the sense that some access gets denied, so it just "looks ugly"

Reproducer openSUSE Tumbleweed:

```
$ rm -rf ~/.local/share/flatpak
$ flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
$ flatpak install --user flathub org.gnome.Builder
$ restorecon -Rvn ~/.local/share/flatpak
...
Would relabel /home/<user>/.local/share/flatpak/app/org.gnome.Builder/x86_64/stable/327753f4701dbb9046bfb0c0c9c05b16edea0fbd8df7f368525c461d8d30b5a4/files/lib/systemd from unconfined_u:object_r:systemd_home_t:s0 to unconfined_u:object_r:data_home_t:s0
...
```
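
A check built on the reproducer above, added here as an example and not part of the commit or the flatpak code base: it filters `restorecon -Rvn` dry-run output for paths below `.local/share/flatpak` that currently carry `systemd_home_t`. The function name `flatpak_systemd_mislabels` and the sample lines (user `alice`, app ids, `COMMIT` placeholder) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not flatpak project code). Filters `restorecon -Rvn` dry-run
# output for paths below .local/share/flatpak that currently carry
# systemd_home_t, i.e. the ones caught by the "systemd" named file transition.

# Reads restorecon output on stdin.
# Prints "path<TAB>current_type<TAB>expected_type" for each matching line.
flatpak_systemd_mislabels() {
    awk '
    /^Would relabel / {
        # Shape from the reproducer: Would relabel PATH from OLDCTX to NEWCTX
        if (NF < 7 || $(NF-1) != "to" || $(NF-3) != "from") next
        old = $(NF-2); new = $NF
        # Contexts contain no spaces, so strip the fixed-shape suffix to
        # recover the path even if the path itself contains spaces.
        suffix = " from " old " to " new
        path = substr($0, 15, length($0) - 14 - length(suffix))
        # Context layout is user:role:type:level; the type is field 3.
        split(old, o, ":"); split(new, n, ":")
        if (o[3] == "systemd_home_t" && path ~ /\/\.local\/share\/flatpak\//)
            printf "%s\t%s\t%s\n", path, o[3], n[3]
    }'
}

# Constructed sample input (hypothetical user, app ids and placeholder commit).
SAMPLE_OUTPUT='Would relabel /home/alice/.local/share/flatpak/app/org.example.App/x86_64/stable/COMMIT/files/lib/systemd from unconfined_u:object_r:systemd_home_t:s0 to unconfined_u:object_r:data_home_t:s0
Would relabel /home/alice/.cache/example from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:cache_home_t:s0
Would relabel /home/alice/.local/share/flatpak/repo/tmp from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:data_home_t:s0
Would relabel /home/alice/.local/share/flatpak/runtime/org.example.Platform/x86_64/1/COMMIT/files/lib/systemd/user from unconfined_u:object_r:systemd_home_t:s0 to unconfined_u:object_r:data_home_t:s0'

printf '%s\n' "$SAMPLE_OUTPUT" | flatpak_systemd_mislabels
# On a live system: restorecon -Rvn ~/.local/share/flatpak | flatpak_systemd_mislabels
```

An empty result on a live system means no directory below the flatpak data dir is currently labelled `systemd_home_t`.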