Re: Flatpak and apparmor.


On Sun, Apr 07, 2019 at 04:59:41PM +0300, Georgios wrote:
> Thanks for your help!
> So flatpak and apparmor are not compatible.

So it seems so far. I haven't looked at bwrap code, it's possible they
set some Apparmor policy there (LXC does it, for instance). Or not,
considering who wrote flatpak.

> Well what about selinux?

And the SELinux is based on filesystem labels.
I suppose that it's possible to relabel the contents of /var/lib/flatpak
with the custom labels after installs/upgrades (and maybe even do it
automatically), and build your policy based on those labels.

But I cannot help you here - my SELinux skills are somewhat rusty - it's
been nearly ten years since I dealt with SELinux on daily basis.

> I was thinking moving from apparmor to selinux sooner or later but I
> already had a working system that I didn't want to mess.
> If selinux is supported I guess I should consider making the transition.

I'd be surprised if flatpak did not have such support - the thing's
written by Red Hat (goto guys for SELinux).