From 89da895a6498469bd458c8913c23c073ce047e47 Mon Sep 17 00:00:00 2001
From: Kalev Lember <klember@redhat.com>
Date: Wed, 14 Apr 2021 22:28:16 +0200
Subject: [PATCH] Disable system env generator to work around selinux denials

The system env generator is used to get the list of flatpak apps in
gnome-initial-setup for parental controls support. We don't have
parental controls enabled in F33 and F34 (although it's planned for
F35), so we can just disable the system env generator to work around the
selinux denials for now while we don't have the selinux policy side
changes figured out.

https://bugzilla.redhat.com/show_bug.cgi?id=1947214
https://bugzilla.redhat.com/show_bug.cgi?id=1916652
https://github.com/flatpak/flatpak/issues/4128
---
 flatpak.spec | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/flatpak.spec b/flatpak.spec
index 5574b02..bbd7472 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -3,7 +3,7 @@
 
 Name:           flatpak
 Version:        1.10.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -156,6 +156,11 @@ install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
 rm -f %{buildroot}%{_libdir}/libflatpak.la
 %find_lang %{name}
 
+# Work around selinux denials, see
+# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
+# going to need the system env generator if we should enable malcontent support
+# in the future.
+rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
 
 %pre
 getent group flatpak >/dev/null || groupadd -r flatpak
@@ -232,7 +237,6 @@ fi
 %{_unitdir}/flatpak-system-helper.service
 %{_userunitdir}/flatpak-oci-authenticator.service
 %{_userunitdir}/flatpak-portal.service
-%{_systemd_system_env_generator_dir}/60-flatpak-system-only
 %{_systemd_user_env_generator_dir}/60-flatpak
 
 %files devel
@@ -264,6 +268,9 @@ fi
 
 
 %changelog
+* Wed Apr 14 2021 Kalev Lember <klember@redhat.com> - 1.10.2-3
+- Disable system env generator to work around selinux denials (#1947214)
+
 * Mon Apr 05 2021 Kalev Lember <klember@redhat.com> - 1.10.2-2
 - OCI: Switch to pax format for tar archives