Migrating Firefox From Native to Flatpak on Fedora
Every new Fedora install comes with Firefox pre-installed as an RPM package. For me, switching it to Flatpak is always the first step—because Flatpak leverages Bubblewrap (bwrap) to sandbox Firefox using Linux namespaces, seccomp filters, and filesystem isolation. This means Firefox runs with restricted syscalls, its own PID and network namespace, and no access to your home directory by default—a massive reduction in attack surface.
Migration Steps
Install the official Flatpak package:
flatpak install flathub org.mozilla.firefox
Migrate your profile to preserve bookmarks, extensions, and settings:
rsync -ah --info=progress2 --delete ~/.mozilla/firefox/ ~/.var/app/org.mozilla.firefox/.mozilla/firefox/
My 1.73GB profile transferred in 8 seconds:
1.73G 99% 184.24MB/s 0:00:08 (xfr#40758, to-chk=0/50329)
Remove the native RPM:
$ sudo dnf remove firefox
Package Arch Version Repository Size
Removing:
firefox x86_64 132.0.1-2.fc41 updates 226.9 MiB
Removing unused dependencies:
firefox-langpacks x86_64 132.0.1-2.fc41 updates 59.2 MiB
speech-dispatcher-utils x86_64 0.11.5-8.fc41 fedora 51.4 KiB
Transaction Summary:
Removing: 3 packages
Is this ok [y/N]: y
Flatpak integrates with your $PATH, so existing shortcuts work unchanged. On first launch, re-select your default profile via Profile Manager (right-click the Firefox icon → Open Profile Manager).
Verify the switch in About Firefox—it now reports as a Flatpak build.
Hardening Permissions with Flatseal
Use Flatseal to tighten the sandbox:
- X11/Fallback: Not needed on Fedora (Wayland default).
- Filesystem: Restrict to
~/Downloadsand any upload directories. No browser should have full home access.
Why This Matters
Bubblewrap’s sandbox means Firefox can’t access files, devices, or system calls outside its namespace—unless explicitly granted. Combined with granular Flatpak permissions, this transforms Firefox from a high-risk native app into an isolated workhorse. The migration takes 15 minutes; the security upside is permanent.