I want to execute a shell script that can back up and restore files from a user profile to an external USB drive. I used the Termux app for that, and on the owner profile, it worked without any problems.
However, on a different secondary user profile, Termux no longer works because SELinux policies are now more restrictive (Termux now runs in the untrusted_app_25 context instead of untrusted_app).
It probably also needs access to /storage/emulated/0 for the current user’s path. According to some sources online, if an app tries to access /storage/emulated/0 but is running under a different user (e.g., user 10), the path is automatically redirected to the correct location for that user (in this case, /storage/emulated/10). Termux probably also expects this behavior.
I also tried the optional Terminal in GrapheneOS, but unfortunately, it always crashes on a secondary user. Additionally, it seems that it runs in an isolated environment, which makes it harder to access the real file storage (of the user).
From my understanding, there shouldn’t be a major issue with adding an option in the owner’s profile to allow a specific app in a specific user profile to run under the untrusted_app context. Due to multi-user isolation, this should still be a safe option.
Or is there a specific reason why all apps on secondary user profiles must always run in the untrusted_app_25 context?
This option would fix Termux on a second user, allowing the usage of a reliable terminal emulator for every user.
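
A diagnostic sketch for the two things the post above depends on, added here as an example and not part of the original post: which SELinux domain a terminal process runs in and which per-user storage path belongs to it. It assumes Android's convention of 100000 Linux UIDs per user (user id = uid / 100000) and shared storage at /storage/emulated/<user id>; the function names and the sample UID and label are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Android gives each
# user a block of 100000 Linux UIDs and mounts that user's shared storage at
# /storage/emulated/<user id>. All function names here are hypothetical.

# Android user id that owns a given Linux UID.
android_user_id() {
    echo $(( $1 / 100000 ))
}

# Shared-storage path expected for a given Linux UID.
user_storage_path() {
    echo "/storage/emulated/$(android_user_id "$1")"
}

# Domain (type) field of an SELinux label "user:role:type:level[:categories]".
selinux_domain() {
    echo "$1" | cut -d: -f3
}

# One-line report for a process, given its UID and SELinux label.
describe_process() {
    echo "user=$(android_user_id "$1") domain=$(selinux_domain "$2") storage=$(user_storage_path "$1")"
}

# Label of the current process; placeholder when the kernel exposes none.
current_label() {
    if [ -r /proc/self/attr/current ]; then
        tr -d '\0' < /proc/self/attr/current 2>/dev/null
    else
        echo "unknown:unknown:unknown:s0"
    fi
}

# Constructed sample: an app process owned by secondary user 10.
describe_process 1010234 "u:r:untrusted_app_25:s0:c234,c256,c522,c768"

# Live values when run inside the terminal app being checked.
describe_process "$(id -u)" "$(current_label)"
```

Running it in the terminal app on the owner profile and again on the secondary profile shows whether the domain or the storage path differs between the two.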