When running in a Xen guest, systemd-detect-virt when invoked by snapd may
trigger the following denial:
type=PROCTITLE msg=audit(1640771959.147:236972): proctitle="systemd-detect-virt"
type=AVC msg=audit(1640771959.147:236972): avc: denied { search } for pid=21113
comm="systemd-detect-" name="xen" dev="proc"
ino=4026532003
scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:proc_xen_t:s0
tclass=dir permissive=1
See https://forum.snapcraft.io/t/snapd-unavailable-red-hat-enterprise-linux/28004/15
for details.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Snapd needs to poke the org.freedesktop.timedate1 service to find out whether
NTP was synchronized. That DBus API is provide by systemd-timesyncd (most
systems) or timedatex (CentOS mostly). The SELinux policy does not currently
allow talking to either service, so upon startup snapd will enter a deadlock
after getting blocked in the timeutil.IsNTPSynchronized() waiting for dbus
messages, while this is called in a code path that acquired state.Lock(), thus
blocking all Ensure() calls and interaction through the snapd socket.
Extend the SELinux policy to allow dbus communication to either timedate1
provider service.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
The SELinux reference policy has a new set of access vectors for watch*. The
support in core policy landed in
https://github.com/fedora-selinux/selinux-policy/pull/546 on 07.02.2021. Present
in selinux-policy 3.14.7 in Fedora 34 and Rawhide.
Snapd sets up /var/lib/snapd/dbus-1/services to be watched by the system dbus.
However, dbus trying to watch those directories triggers new watch permissions
to be checked. The snappy.te policy does not allow this access, thus on Rawhide
dbus fails like this:
systemd[1]: Starting D-Bus System Message Bus...
dbus-broker-launch[7728]: ERROR dirwatch_add @ ../src/util/dirwatch.c +122: Permission denied
dbus-broker-launch[7728]: launcher_load_service_dir @ ../src/launch/launcher.c +763
dbus-broker-launch[7728]: launcher_load_services @ ../src/launch/launcher.c +978
dbus-broker-launch[7728]: launcher_run @ ../src/launch/launcher.c +1306
dbus-broker-launch[7728]: run @ ../src/launch/main.c +152
dbus-broker-launch[7728]: main @ ../src/launch/main.c +178
dbus-broker-launch[7728]: Exiting due to fatal error: -13
systemd[1]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: dbus-broker.service: Failed with result 'exit-code'.
Triggering the following denial:
type=AVC msg=audit(1613393808.456:478): avc: denied { watch } for
pid=7728 comm="dbus-broker-lau"
path="/var/lib/snapd/dbus-1/system-services" ...
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:snappy_var_lib_t:s0
tclass=dir permissive=0
Fixes: https://bugs.launchpad.net/snappy/+bug/1915642
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
When PATH contain spaces, which is a really bad idea anyway, the export will
most likely set it to a value up to the first space. Use quoting to prevent
that.
Note, shellcheck does not complain about that, but try this:
sh-5.1$ export foo=foo bar baz
sh-5.1$ echo $foo
foo
sh-5.1$ export foo="foo bar baz"
sh-5.1$ echo $foo
foo bar baz
sh-5.1$
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Some distros, eg. CentOS 7 do not have /tmp on tmpfs. Because of this, the
policy rules for tmpfs are not effective and the following denial can be
observed when disconnecting the x11 interface (which mounts /tmp/.X11-unix from
the host):
type=AVC msg=audit(1606220902.660:1383): avc: denied { rmdir } for
pid=28575 comm="snap-update-ns" name=".X11-unix" dev="sda2"
ino=17552915
scontext=system_u:system_r:snappy_mount_t:s0
tcontext=system_u:object_r:tmp_t:s0
tclass=dir permissive=1
We need to extend the policy to explicitly allow poking generic tmp_t files and
directories.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* Testing new fedora 33 image
* packaging/fedora: align with Fedora source tree
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* Skip tests on f33 due to it uses cgroupv2
* data/selinux: account for s-c unmounting things
The snap-confine helper unmounts some locations which are actually a tmpfs with
a different label. Update the policy to allow that.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main: Fedora 33 nsswitch uses resolved first for host resolution
Make sure that we also stop or flush resolved caches when disabling blocking DNS
or clearing resolve.conf.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/snap-network-errors: tweak to account for older systemd versions
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* spread: Fedora 31 is EOL on 24.11
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Co-authored-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
We stumbled on the fact that snapd cannot effectively kill stuck hooks
while debugging other permissions errors.
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
The sudo secure_path setting resets the PATH to some predefined value for
commands executed under sudo. We have tried to workaround
https://bugzilla.redhat.com/show_bug.cgi?id=1691996 by trying to extend the
secure_path in a drop in conf files. This approach does not work for 2 reasons:
- the file is incorrectly named
- secure_path is a string and += append only works on lists (eg. env_keep)
Since there is no clear way to fix the problem other than talking with
distributions, drop the workaround. We can always revert the patch when needed.
Fixes: https://bugs.launchpad.net/snapd/+bug/1882215
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Add interface definitions for listing and reading files and directories under
/var/lib/snapd.
Allow system dbus to read snappy_var_lib_t. This enables the dbus-daemon process
to service definition files under /var/lib/snapd/dbus.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
