Does SELinux confine Flatpak apps?

As far as I understand, Fedora's SELinux is configured to confine specific apps/resources.

If an app that has an SELinux policy (when it is installed through rpm-ostree/dnf) is installed through Flatpak instead, does it get the same SELinux label as the rpm-ostree/dnf version?

Is it, for example, preferable from a security perspective to use the rpm-ostree/dnf Firefox (which is presumably confined with SELinux) or Firefox from Flatpak (which has some 'isolation/containerization' through Flatpak and maybe, in addition, some confinement through SELinux)?

You can check SELinux labels with the -Z switch of the ls command, e.g. ls -lZ "flatpak-directory"
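As an added example (not from the thread), the check described above put into a small POSIX shell script: it pulls the SELinux type out of a label, compares the type on a Flatpak-installed file against an RPM-installed one, and also reads the label of the running process, since a file label only leads to confinement when the policy has a transition rule for it. The paths in the usage comment are assumed typical Fedora locations, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Compare SELinux labels of Flatpak-installed
# files against RPM-installed ones and show the label of the running process.

# Extract the type (third colon-separated field) from a context string such as
# "system_u:object_r:mozilla_exec_t:s0". Anything that is not a context (GNU ls
# prints "?" when labels are unavailable) is returned unchanged.
selinux_type() {
    case "$1" in
        *:*:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# File label for a path: "ls -Zd" prints "<context> <path>"; keep the first field.
file_context() {
    ls -Zd -- "$1" 2>/dev/null | awk '{print $1}'
}

# Label of a running process (the label that actually governs confinement at runtime).
process_context() {
    ps -o label= -p "$1" 2>/dev/null | awk '{print $1}'
}

# Exit status 0 when two contexts share the same SELinux type, 1 otherwise.
same_type() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Print the type of a reference path and of every other path given, flagging
# whether each one matches the reference type.
compare_labels() {
    ref=$1
    shift
    ref_ctx=$(file_context "$ref")
    printf '%-70s %s\n' "$ref" "$(selinux_type "$ref_ctx")"
    for p in "$@"; do
        ctx=$(file_context "$p")
        if same_type "$ref_ctx" "$ctx"; then
            verdict='same type'
        else
            verdict='DIFFERENT type'
        fi
        printf '%-70s %s (%s)\n' "$p" "$(selinux_type "$ctx")" "$verdict"
    done
}

# Usage (assumed paths; adjust to your system):
#   compare_labels /usr/lib64/firefox/firefox \
#       /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/firefox
#   process_context "$(pgrep -o firefox)"
```

If the RPM binary reports a dedicated type and the Flatpak file reports a generic one, the Flatpak copy will not pick up the RPM policy's domain transition, and `process_context` on the running app will show which domain it actually ended up in.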

Thank you, I forgot about that! At least the Flathub Firefox doesn't have the mozilla/firefox SELinux label. Maybe Fedora's Flatpak version of Mozilla has it; I haven't yet tried that.

Is Red Hat/Fedora working on integrating SELinux labels into the Flatpak packages?

One simple approach (if we can simply re-use the same policy from a non-Flatpak package) would be to label the Flatpak files with their corresponding SELinux label (this would probably need a 1:1 mapping between the files of the rpm-ostree package and the Flatpak package, which might not exist).
