Today it's possible to use write access through p11-kit-trust.so to write to the "Default Trust" token, which results in data being written into the /usr directory. (Requires root permission.)

I think it should never write to /usr, because:
- /usr may be read-only on many systems
- /usr isn't supposed to get local system configuration, as the name implies it should be limited to the default configuration (installed as part of RPM packages)
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
This should be fixed in p11-kit-0.23.10-1.