autofs mount point limited to /var (/media & /mnt cannot be used) : issue when using Flatpak Apps

[carpediem29]

i'm using an uptodate SilverBlue 39 system and I'm facing an issue experienced since I installed SilverBlue - it was 38 back then.

Describe the bug I set-up autofs to access my NAS shares but with Silverblue can just use /var as top mount point .
/mnt and /media cannot be used. This is a big issue when using Flatpak apps (gThumb, XnView MP, Czkawka for instance) as /var is not accessible from Flatpak apps. Either a SeLinux configuration or restriction elsewhere on mount points.

To Reproduce When configuring autofs to use /mnt or /media - for instance configuring /etc/auto.master with such content :

#/mnt/nas    /etc/auto.cifs   --timeout=60 --ghost
/media/nas    /etc/auto.cifs   --timeout=60 --ghost

Error message is clear : mount failed & umount_autofs_indirect:252: ioctl failed: Bad file descriptor

mars 09 10:36:15 faithnomore systemd[1]: Started autofs.service - Automounts filesystems on demand.
mars 09 10:36:15 faithnomore automount[63652]: handle_mounts: mount of /media/nas failed!
mars 09 10:36:15 faithnomore automount[63652]: umount_autofs_indirect:252: ioctl failed: Bad file descriptor
mars 09 10:36:15 faithnomore automount[63652]: master_do_mount: failed to startup mount

Expected behavior I expect /media and /mnt to be usable with autofs on Silverblue so I can access files on my NAs through Flatpak apps.

Screenshots Not needed

OS version:

State: idle
BootedDeployment:
● fedora:fedora/39/x86_64/silverblue
                  Version: 39.20240308.0 (2024-03-08T00:41:47Z)
               BaseCommit: b06a657ae19d9b3fa0257347aac79e0db71e539a2afd0946295d25fec65432ef
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
          LayeredPackages: autofs distrobox file-roller-nautilus gnome-tweaks gstreamer1-plugin-openh264 gthumb inxi langpacks-fr nomacs openssl p7zip p7zip-plugins sxiv tcpdump
             InitramfsEtc: /etc/vconsole.conf

Additional context Not needed

[travier]

You should be able to mount things in /var/foo and then grant access to that folder to selected Flatpaks with Flatseal.

[carpediem29]

Do you mean reconfigure all Flatpaks to access /var/nas for instance ? Isn't had overkill. How should it be done ? I don't see a way right now.

By default /var in Flatpaks do not list my NAS directory :

$ flatpak run   --command=bash     com.github.qarmin.czkawka  
[📦 com.github.qarmin.czkawka ~]$ ls /var
cache  config  data  db  home  mnt  opt  run  srv  tmp
[📦 com.github.qarmin.czkawka ~]$ exit
exit
$  flatpak --command=bash run  com.xnview.XnViewMP
[📦 com.xnview.XnViewMP ~]$ ls /var
cache  config  data  db  home  run  tmp

Any reason for not using /mnt or /media instead of /var for mount points with SilverBlue ? I know we want data in /etc and /var mainly but some extra mount points are popular especially for those migrating.

[travier]

Applications in Flatpaks should access files via portals (https://flatpak.github.io/xdg-desktop-portal/).

For those that don't, you need to give them access directly, usually using Flatseal (https://flathub.org/apps/com.github.tchx84.Flatseal) or the command line.

Example:

$ flatpak override --user --filesystem=/var/nas:ro org.kde.kcalc
$ flatpak override --user --show org.kde.kcalc
[Context]
filesystems=/var/nas:ro;
$ flatpak run --command=bash org.kde.kcalc
# ls -d /var/nas
...

[carpediem29]

Understood. So strategy for SilverBlue users to use NAS shares is to mount under /var/foo subdirectories (only /var top directory can be selected) and use Flatpak override feature (by CLI or Flatseal). Will mark this bug as Closed.

[travier]

You can mount anywhere under /var and share it with Flatpaks.