As far as I understand, Fedora’s SELinux is configured to confine specific apps/resources.
If an app that has an SELinux policy (when it is installed through rpm-ostree/dnf) is installed through flatpak instead, does it get the same SELinux label as the rpm-ostree/dnf version?
Is it, for example, preferable from a security perspective to use the rpm-ostree/dnf firefox (that is presumably confined with SELinux) or firefox from flatpak (that has some ‘isolation/containerization’ through flatpak and maybe in addition some confinement through SELinux)?
Thank you, I forgot about that! At least the Flathub firefox doesn’t have the mozilla/firefox SELinux label. Maybe Fedora’s flatpak version of mozilla has it - haven’t yet tried that.
Is Red Hat/Fedora working on integrating SELinux labels into the flatpak packages?
One simple approach (if we can simply re-use the same policy from a non-flatpak package) would be to label the flatpak files with their corresponding SELinux label (would probably need a 1:1 mapping between the files of the rpm-ostree package and the flatpak package - which might not exist).