Description of problem:
started a session

SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow gnome-shell to have watch access on the flatpak directory
Then you need to change the label on /var/lib/flatpak
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak'
where FILE_TYPE is one of the following: abrt_var_cache_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_t, faillog_t, fonts_cache_t, gconf_home_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, locale_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, pam_var_run_t, user_tmp_t, usr_t, var_auth_t, xdm_home_t, xdm_log_t, xdm_spool_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t.
Then execute:
restorecon -v '/var/lib/flatpak'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that gnome-shell should be allowed watch access on the flatpak directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak [ dir ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           flatpak-1.10.1-3.fc34.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.7-23.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-23.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.0-156.fc34.x86_64 #1 SMP Wed Feb 17 08:31:59 UTC 2021 x86_64 x86_64
Alert Count                   9
First Seen                    2021-02-26 13:10:16 WET
Last Seen                     2021-02-26 15:56:42 WET
Local ID                      e52014ab-f7c2-4a86-9179-f79cfbad5de7

Raw Audit Messages
type=AVC msg=audit(1614355002.689:775): avc: denied { watch } for pid=1383 comm="gmain" path="/var/lib/flatpak" dev="dm-2" ino=3801861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

Hash: gnome-shell,xdm_t,var_lib_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-23.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.0-156.fc34.x86_64
type:           libreport

Potential duplicate: bug 1928548

*** This bug has been marked as a duplicate of bug 1928548 ***