Many users install Steam to play games. Steam (and the games distributed via its service), being proprietary, might have security flaws we are unaware of. It would make sense to make sure Steam won't be able to touch security-critical files in the user's home directory, such as browser config/cookies/cache, the .ssh folder, and the keyring folders. Right now Steam runs in an "unconfined" domain. While the proper secure solution to offer users is to run Steam in a sandbox, this will have negative effects on the performance of games, and the user experience of the sandbox, especially when sandboxing X applications, is not great. I'm not even sure the SELinux sandbox allows OpenGL to be used by sandboxed apps, as it uses a nested X server. Some people might suggest to simply run Steam in a separate user, but that's not optimal because people want to browse the web and chat with their friends while playing, or between games without having to switch user sessions all the time. I think that making this change to the default policy makes sense, as there is no chance in the world any Steam game would need to read user's keyring, ssh keys, or browser history/cookies. We have the tools (selinux) to protect the privacy and security of our users by default, so I think we should use them.
Does steam games always use the same directories for content?
Depends on what you define as content. For game binaries, data, and excutables, they use $HOME/.local/share/Steam/SteamApps by default, but users can choose to install games in different directories when they install a game with the exception of only one Steam directory per partition (so in most cases users will not install the games anywhere else) For game save/progress data, some games use $HOME/.local/share, but others will create random dirs in your home directory.
That is where the problems start, but I don't have a problem with that. If the defaults made sense. Steam storing content in $HOME/.local/share/Steam/SteamApps is great. If we could get the games to store data in ~/.local/share/Steam/* THen we could begin to do a good job of securing it. Of course there would also need to be questions of what network access is required?
It would be difficult to convince game authors / porters to do the right thing. From what I see, most of them use ~/.local/share/$developer_name/$game_name (replace $developer_name with the name of the developer, and $game_name with the name of the game) for game save/progress data. As for network access, games do quite a lot of network access, with each games doing it's own thing - either for multiplayer, high scores, or analytics. It would be very difficult to restrict this. Since we don't know exactly what games would access, wouldn't it be better if we block their access to directories we know they don't, such as Firefox's profile directory, .ssh, and the GNOME keyring files? It won't be perfect security, but it should be a little bit better than what we have now, right?
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.