SELinux alert wants to enable the 'domain_can_mmap_files' boolean

Since F33 I regularly get an SELinux alert.

The alert details start with:

SELinux is preventing gnome-shell from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

***** Plugin catchall_boolean (57.6 confidence) suggests ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the ‘domain_can_mmap_files’ boolean.

Do
setsebool -P domain_can_mmap_files 1


Should I proceed and execute the setsebool cmd?
I have no clue what exactly this cmd does, so I don’t feel confident to set se bool.

Anyone who can clarify this for me?

The error you’re seeing is related to this bug, which appears to be related to the latest flatpak package.

I worked around this problem by first downgrading to flatpak 1.8.2 and then using dnf versionlock add flatpak (which requires installing the python3-dnf-plugin-versionlock RPM package) to prevent dnf from upgrading to a newer version of flatpak.

I should note, though, that if you use GNOME Software to install updates, it ignores the versionlock and will install the latest version of flatpak. So if you decide to downgrade and versionlock flatpak, you need to use dnf to install RPM updates until a fix for this bug is available.

3 Likes
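
A check for the caveat in the answer above, as an added example that is not part of the original post: it reports whether the flatpak versionlock entry exists and whether something such as GNOME Software has upgraded past the pinned version. The function names and the assumed `dnf versionlock list` entry format (`name-epoch:version-release.*`) are assumptions of this example; 1.8.2 is the version named in the answer.

```shell
#!/bin/sh
# Added example (not from the thread): check that the flatpak pin still holds.
PINNED="1.8.2"   # version the answer downgraded to

# pin_status INSTALLED PINNED
# Prints "held" if equal, "bypassed" if INSTALLED is newer, "older" otherwise.
pin_status() {
    installed=$1
    pinned=$2
    if [ "$installed" = "$pinned" ]; then
        echo held
        return 0
    fi
    # sort -V orders version strings; the last line is the newer one.
    newest=$(printf '%s\n%s\n' "$installed" "$pinned" | sort -V | tail -n 1)
    if [ "$newest" = "$installed" ]; then
        echo bypassed
    else
        echo older
    fi
}

# lock_present: reads `dnf versionlock list` output on stdin and succeeds
# only if there is an entry for the flatpak package itself (assumed entry
# format: name-epoch:version-release.*), not for e.g. flatpak-libs.
lock_present() {
    grep -Eq '^flatpak-[0-9]+:'
}

# Run the check only where rpm and dnf exist and flatpak is installed.
if command -v rpm >/dev/null 2>&1 && command -v dnf >/dev/null 2>&1 &&
   version=$(rpm -q --qf '%{VERSION}' flatpak 2>/dev/null); then
    if dnf -q versionlock list 2>/dev/null | lock_present; then
        echo "versionlock entry for flatpak: present"
    else
        echo "versionlock entry for flatpak: missing"
    fi
    echo "installed flatpak $version, pin $PINNED: $(pin_status "$version" "$PINNED")"
fi
```

A result of "bypassed" means the installed package is newer than the pin, which is what the answer says happens when updates are installed through GNOME Software.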

Thanks for the update. I will try the workaround as suggested.
But then how do I know when a patch for flatpak is released?

I’ve been checking the bug report every couple of days to see if a fix has been released.

Nice. Thanks for the solution.