This may just be noise, but may not considering the operation that is trying to be performed. /run/mount/utab is problematic and discussed here:
- Namespace awareness of /run/mount/utab (and libmount)
- https://github.com/snapcore/snapd/pull/5340#issuecomment-398071797
@jamesh - do you know if portals requires this access (cc @zyga-snapd for awareness)?
This is intended to be allowed by the desktop interface which has:
# Allow access to xdg-desktop-portal and xdg-document-portal
dbus (receive, send)
bus=session
interface=org.freedesktop.portal.*
path=/org/freedesktop/portal/{desktop,documents}{,/**}
peer=(label=unconfined),
Perhaps org.freedesktop.portal.Desktop is DBus activated and at the time of the denial it isn’t running yet (there is no ‘peer_label’ in the denial which seems to indicate this)? This might explain some of the intermittentness you are seeing since if it is already running it will work but if it isn’t it won’t.
@jamesh, perhaps this rule should be changed to:
dbus (receive, send)
bus=session
interface=org.freedesktop.portal.*
path=/org/freedesktop/portal/{desktop,documents}{,/**},
@jamesh - what do you think about adding peer=(name=org.freedesktop.portal.Desktop)? Are there times when DBus unique connections names will be used instead (and therefore we shouldn’t use name=)?