Tweak snapd.fish to be compatible with even older releases of fish, going back to 2.7, which was shipped with Ubuntu 18.04.
* data/env: make fish setup compatible with fish 2.7
Make the environment setup script compatible with fish 2.7, which was shipped
with Ubuntu 18.04.
Thanks to @faho for the review.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/user-session-env: verify env in fish shell
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/user-session-env: tweak comments
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* data/env: provide reasonable default if XDG_DATA_DIRS is unset in fish shell
Fixes: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1960702
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/user-session-env: verify that XDG_DATA_DIRS contains reasonable defaults
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
It is possible that system.d may be missing if no services were installed on the
system yet, in which case snapd will create the directory and thus trigger the
denial.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
During boot, the initial transaction may contain both snapd.socket and
snapd.service at the same time. In such cases, snapd.service should be
started strictly after snapd.socket (After+Requires), instead of just
simultaneously with it (Requires alone).
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Tell fish to treat XDG_DATA_DIRS as a colon-separated list and not space-separated (the default).
Otherwise, we get a corrupted list with mixed separators:
XDG_DATA_DIRS=/var/lib/flatpak/exports/share:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop /var/lib/snapd/desktop /var/lib/snapd/desktop
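As an added illustration (not code from snapd, and written in POSIX sh rather than fish so it can be run anywhere), the two properties the XDG_DATA_DIRS fixes above describe: fall back to a default when the variable is unset, and treat the value strictly as a colon-separated list. The default value is assumed from the XDG base directory spec; the snapd desktop directory is the one quoted in the corrupted value.

```shell
# Assumed default from the XDG base directory spec, used when XDG_DATA_DIRS
# is unset or empty (the case the commit above fixes for fish).
XDG_DATA_DIRS_DEFAULT="/usr/local/share/:/usr/share/"
SNAPD_DESKTOP_DIR="/var/lib/snapd/desktop"

# Print the value XDG_DATA_DIRS should end up with: the existing list passed
# as $1 (or the default when empty) with the snapd desktop directory appended
# exactly once. The list is split on ':' only, never on spaces.
snapd_xdg_data_dirs() {
    dirs="${1:-$XDG_DATA_DIRS_DEFAULT}"
    old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        if [ "$d" = "$SNAPD_DESKTOP_DIR" ]; then
            # already present: return the list unchanged
            IFS=$old_ifs
            printf '%s\n' "$dirs"
            return 0
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$dirs:$SNAPD_DESKTOP_DIR"
}

# Succeed when a value shows the mixed-separator corruption quoted above:
# a colon-separated directory list should never contain a space.
xdg_data_dirs_is_corrupt() {
    case "$1" in
        *" "*) return 0 ;;
        *) return 1 ;;
    esac
}
```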
When running in a Xen guest, systemd-detect-virt, when invoked by snapd, may
trigger the following denial:
type=PROCTITLE msg=audit(1640771959.147:236972): proctitle="systemd-detect-virt"
type=AVC msg=audit(1640771959.147:236972): avc: denied { search } for pid=21113
comm="systemd-detect-" name="xen" dev="proc"
ino=4026532003
scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:proc_xen_t:s0
tclass=dir permissive=1
See https://forum.snapcraft.io/t/snapd-unavailable-red-hat-enterprise-linux/28004/15
for details.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Snapd needs to poke the org.freedesktop.timedate1 service to find out whether
NTP was synchronized. That DBus API is provided by systemd-timesyncd (most
systems) or timedatex (CentOS mostly). The SELinux policy does not currently
allow talking to either service, so upon startup snapd will enter a deadlock
after getting blocked in timeutil.IsNTPSynchronized() waiting for dbus
messages, while this is called in a code path that acquired state.Lock(), thus
blocking all Ensure() calls and interaction through the snapd socket.
Extend the SELinux policy to allow dbus communication to either timedate1
provider service.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
The SELinux reference policy has a new set of access vectors for watch*. The
support in core policy landed in
https://github.com/fedora-selinux/selinux-policy/pull/546 on 07.02.2021. Present
in selinux-policy 3.14.7 in Fedora 34 and Rawhide.
Snapd sets up /var/lib/snapd/dbus-1/services to be watched by the system dbus.
However, dbus trying to watch those directories triggers new watch permissions
to be checked. The snappy.te policy does not allow this access, thus on Rawhide
dbus fails like this:
systemd[1]: Starting D-Bus System Message Bus...
dbus-broker-launch[7728]: ERROR dirwatch_add @ ../src/util/dirwatch.c +122: Permission denied
dbus-broker-launch[7728]: launcher_load_service_dir @ ../src/launch/launcher.c +763
dbus-broker-launch[7728]: launcher_load_services @ ../src/launch/launcher.c +978
dbus-broker-launch[7728]: launcher_run @ ../src/launch/launcher.c +1306
dbus-broker-launch[7728]: run @ ../src/launch/main.c +152
dbus-broker-launch[7728]: main @ ../src/launch/main.c +178
dbus-broker-launch[7728]: Exiting due to fatal error: -13
systemd[1]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: dbus-broker.service: Failed with result 'exit-code'.
Triggering the following denial:
type=AVC msg=audit(1613393808.456:478): avc: denied { watch } for
pid=7728 comm="dbus-broker-lau"
path="/var/lib/snapd/dbus-1/system-services" ...
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:snappy_var_lib_t:s0
tclass=dir permissive=0
Fixes: https://bugs.launchpad.net/snappy/+bug/1915642
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
When PATH contains spaces, which is a really bad idea anyway, the export will
most likely set it to a value up to the first space. Use quoting to prevent
that.
Note, shellcheck does not complain about that, but try this:
sh-5.1$ export foo=foo bar baz
sh-5.1$ echo $foo
foo
sh-5.1$ export foo="foo bar baz"
sh-5.1$ echo $foo
foo bar baz
sh-5.1$
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Some distros, e.g. CentOS 7, do not have /tmp on tmpfs. Because of this, the
policy rules for tmpfs are not effective and the following denial can be
observed when disconnecting the x11 interface (which mounts /tmp/.X11-unix from
the host):
type=AVC msg=audit(1606220902.660:1383): avc: denied { rmdir } for
pid=28575 comm="snap-update-ns" name=".X11-unix" dev="sda2"
ino=17552915
scontext=system_u:system_r:snappy_mount_t:s0
tcontext=system_u:object_r:tmp_t:s0
tclass=dir permissive=1
We need to extend the policy to explicitly allow poking generic tmp_t files and
directories.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
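The three SELinux commits above (the proc_xen_t search, the dbus watch, and the tmp_t rmdir) each start from an AVC record and end in a policy change. The following is an added helper, not part of snapd or its packaging, that reads such records the way a reviewer reads audit2allow output: it extracts source type, target type, class and permission and prints the allow rule that would cover the denial, and separately reports whether the denial actually blocked the operation (permissive=0, as in the dbus-broker failure) or was only logged (permissive=1). The sample input is the three records quoted above, each collapsed onto one line as auditd writes them. The rules it prints are a starting point for a policy review, not something to apply blindly.

```shell
# Constructed sample: the three AVC denials quoted in the commit messages above,
# each on a single line as found in /var/log/audit/audit.log.
AVC_SAMPLES='type=AVC msg=audit(1640771959.147:236972): avc: denied { search } for pid=21113 comm="systemd-detect-" name="xen" dev="proc" ino=4026532003 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1613393808.456:478): avc: denied { watch } for pid=7728 comm="dbus-broker-lau" path="/var/lib/snapd/dbus-1/system-services" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1606220902.660:1383): avc: denied { rmdir } for pid=28575 comm="snap-update-ns" name=".X11-unix" dev="sda2" ino=17552915 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1'

# Turn one AVC denial line into the TE rule that would cover it:
#   allow <source type> <target type>:<class> { <perms> };
# The type is the third field of a user:role:type[:range] context.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        perms = ""
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            if (kv[1] == "tcontext") tgt = kv[2]
            if (kv[1] == "tclass")   cls = kv[2]
        }
        split(src, s, ":"); split(tgt, t, ":")
        printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# Succeed when the denial was enforced (permissive=0), i.e. the operation really
# failed; permissive=1 records mean the access went through and was only logged.
avc_enforced() {
    case "$1" in
        *"permissive=0"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise a log excerpt as the de-duplicated set of rules its denials imply.
avc_log_to_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        avc_to_allow "$line"
    done | sort -u
}
```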
* Testing new fedora 33 image
* packaging/fedora: align with Fedora source tree
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* Skip tests on f33 because it uses cgroupv2
* data/selinux: account for s-c unmounting things
The snap-confine helper unmounts some locations which are actually a tmpfs with
a different label. Update the policy to allow that.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main: Fedora 33 nsswitch uses resolved first for host resolution
Make sure that we also stop or flush resolved caches when disabling blocking DNS
or clearing resolv.conf.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/snap-network-errors: tweak to account for older systemd versions
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* spread: Fedora 31 is EOL on 24.11
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Co-authored-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>