In case of re-execution, snapd snap has to be
mounted. apparmor.service has a dependency to local-fs.target which is
enough in theory. But in case this dependency dispappears, it is
better to have an explicit dependency to snapd.mount.target in the
unit.
In case of re-execution, snapd snap has to be
mounted. apparmor.service has a dependency to local-fs.target which is
enough in theory. But in case this dependency dispappears, it is
better to have an explicit dependency to snapd.mount.target in the
unit.
The selinux-clean test started failing in fedora and centos recently.
It is caused by a change in the polkit_agent interface where now the
polkit-agent-helper-1 is located here
/usr/lib{exec,/polkit-1}/polkit-agent-helper-1
The change has been introduced in:
https://github.com/snapcore/snapd/pull/13261
The denial produced is the following:
type=AVC msg=audit(1698154354.527:12577): avc: denied { getattr } for
pid=82525 comm="snapd" path="/usr/lib/polkit-1/polkit-agent-helper-1"
dev="sda5" ino=109823 scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:policykit_auth_exec_t:s0 tclass=file
permissive=1
Update the selinux policy to fix the denial which is shown in centos 7
type=AVC msg=audit(09/26/23 12:44:11.492:315) : avc: denied { rename }
for pid=28207 comm=snapd name=lxd.lxc.yLBQbN9J4LrW~ dev="sda2"
ino=17679133 scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
* data: fix snapd.aa-prompt-ui.service to actually get started
The current snapd.aa-prompt-ui.service user service is dbus activated.
However this does not work with the latest prompt design.
* packaing: add snapd.aa-prompt-ui.service to auto-start
This is required by upower-observe interface.
Some tests are failing in centos and fedora after the
upowerObserveInterface was update in this way.
func (iface *upowerObserveInterface) StaticInfo() interfaces.StaticInfo
{
...
ImplicitOnCore:
osutil.IsExecutable("/usr/libexec/upowerd"),
...
}
This is to avoid this denial:
type=SYSCALL msg=audit(1679948376.046:1319): arch=c000003e syscall=262
success=yes exit=0 a0=ffffffffffffff9c a1=c0001e47b0 a2=c0001246b8 a3=0
items=0 ppid=1 pid=40320 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapd"
exe="/usr/libexec/snapd/snapd" subj=system_u:system_r:snappy_t:s0
key=(null)
type=AVC msg=audit(1679948376.046:1319): avc: denied { getattr } for
pid=40320 comm="snapd" path="/usr/libexec/upowerd" dev="sda2"
ino=2180887 scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:devicekit_power_exec_t:s0 tclass=file
permissive=1
This commit ensures that the snapcraft icon is shown in the lock screen notifications. Unfortunately, to make it work it requires to be modified in the .deb package; it seems that there is no way of doing this in the snap package because the required change must be set in the "first" .desktop file, and /usr/share(/applications) is before than /var/lib/snapd/desktop(/applications) in the XDG_DATA_DIRS order.
Jira: DT-862
Use systemd-tmpfiles to create the private tmp mount namespace root
dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive
permissions. We can use this as a known location to then create per-snap
private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE)
etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
