From 6e8a1c77071a541f876beb0167b7b5d2e6e045a2 Mon Sep 17 00:00:00 2001
From: Kalev Lember <klember@redhat.com>
Date: Wed, 14 Apr 2021 22:28:16 +0200
Subject: [PATCH] Disable system env generator to work around selinux denials

The system env generator is used to get the list of flatpak apps in
gnome-initial-setup for parental controls support. We don't have
parental controls enabled in F33 and F34 (although it's planned for
F35), so we can just disable the system env generator to work around the
selinux denials for now while we don't have the selinux policy side
changes figured out.

https://bugzilla.redhat.com/show_bug.cgi?id=1947214
https://bugzilla.redhat.com/show_bug.cgi?id=1916652
https://github.com/flatpak/flatpak/issues/4128

Resolves: #1951122

(cherry picked from Fedora commit 89da895a6498469bd458c8913c23c073ce047e47)
---
 flatpak.spec | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/flatpak.spec b/flatpak.spec
index 4e02323..e40ab6f 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -3,7 +3,7 @@
 
 Name:           flatpak
 Version:        1.10.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -156,6 +156,11 @@ install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
 rm -f %{buildroot}%{_libdir}/libflatpak.la
 %find_lang %{name}
 
+# Work around selinux denials, see
+# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
+# going to need the system env generator if we should enable malcontent support
+# in the future.
+rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
 
 %pre
 getent group flatpak >/dev/null || groupadd -r flatpak
@@ -232,7 +237,6 @@ fi
 %{_unitdir}/flatpak-system-helper.service
 %{_userunitdir}/flatpak-oci-authenticator.service
 %{_userunitdir}/flatpak-portal.service
-%{_systemd_system_env_generator_dir}/60-flatpak-system-only
 %{_systemd_user_env_generator_dir}/60-flatpak
 
 %files devel
@@ -264,6 +268,9 @@ fi
 
 
 %changelog
+* Fri May 07 2021 Kalev Lember <klember@redhat.com> - 1.10.2-4
+- Disable system env generator to work around selinux denials (#1947214)
+
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937