Comment 18 for bug 2051574

James Henstridge (jamesh) wrote :

Based on Marco's comment above, I suspect we need to add an AppArmor profile for gnome-shell-portal-helper.

Using the example in that blog post, this would be the simplest possible policy:

    abi <abi/4.0>,
    include <tunables/global>
    /usr/libexec/gnome-shell-portal-helper flags=(default_allow) {
      userns,
    }

Write that to a file, then load it into the kernel with "sudo apparmor_parser -r filename". That will persist until you reboot the system.

If this does indeed solve the problem, then we need to look at adding a policy to gnome-shell-portal-helper in the main packaging. It'd be worth looping in the security team, since they would probably want something a little more than this 5-line version.
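
The test procedure described in the comment above, as an added example that is not part of the original comment: it writes the quoted profile, loads it with the same `apparmor_parser -r` command, and then confirms the kernel lists the profile. The function names and the `load` argument are hypothetical; the check assumes the securityfs listing at `/sys/kernel/security/apparmor/profiles`, which has one `name (mode)` entry per line and typically needs root to read.

```shell
#!/bin/sh
# Added example (not from the bug comment): load the test profile and verify it.
PROFILE_NAME=/usr/libexec/gnome-shell-portal-helper
PROFILES_LIST=/sys/kernel/security/apparmor/profiles  # one "name (mode)" per line

# Write the profile text quoted in the comment to the file given as $1.
write_profile() {
    cat > "$1" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
/usr/libexec/gnome-shell-portal-helper flags=(default_allow) {
  userns,
}
EOF
}

# Print the mode the kernel reports for profile $1; return 1 if it is not loaded.
# $2 is the listing to read (defaults to the securityfs path above).
loaded_mode() {
    awk -v name="$1" '
        { i = match($0, / \([^()]*\)$/) }      # trailing " (mode)" on each line
        i && substr($0, 1, i - 1) == name {     # exact name match, no prefix hits
            print substr($0, i + 2, RLENGTH - 3); found = 1; exit
        }
        END { exit !found }' "${2:-$PROFILES_LIST}"
}

# Run as root with the hypothetical argument "load", e.g.: sudo sh check.sh load
if [ "${1:-}" = "load" ]; then
    f=$(mktemp) && write_profile "$f"
    apparmor_parser -r "$f"                     # same command as in the comment
    rm -f "$f"
    if mode=$(loaded_mode "$PROFILE_NAME"); then
        echo "$PROFILE_NAME is loaded (mode: $mode)"
    else
        echo "$PROFILE_NAME is not in the kernel's profile list" >&2
        exit 1
    fi
fi
```

Because the profile is loaded from a temporary file, it is gone after a reboot, as the comment says; rerunning the check after a reboot should report the profile as not loaded.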