Update the SELinux policy to fix the denial which is shown in CentOS 7:
type=AVC msg=audit(09/26/23 12:44:11.492:315) : avc: denied { rename }
for pid=28207 comm=snapd name=lxd.lxc.yLBQbN9J4LrW~ dev="sda2"
ino=17679133 scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
* data: fix snapd.aa-prompt-ui.service to actually get started
The current snapd.aa-prompt-ui.service user service is dbus activated.
However this does not work with the latest prompt design.
* packaging: add snapd.aa-prompt-ui.service to auto-start
This is required by upower-observe interface.
Some tests are failing in CentOS and Fedora after the
upowerObserveInterface was updated in this way.
    func (iface *upowerObserveInterface) StaticInfo() interfaces.StaticInfo {
        ...
        ImplicitOnCore: osutil.IsExecutable("/usr/libexec/upowerd"),
        ...
    }
This is to avoid this denial:
type=SYSCALL msg=audit(1679948376.046:1319): arch=c000003e syscall=262
success=yes exit=0 a0=ffffffffffffff9c a1=c0001e47b0 a2=c0001246b8 a3=0
items=0 ppid=1 pid=40320 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapd"
exe="/usr/libexec/snapd/snapd" subj=system_u:system_r:snappy_t:s0
key=(null)
type=AVC msg=audit(1679948376.046:1319): avc: denied { getattr } for
pid=40320 comm="snapd" path="/usr/libexec/upowerd" dev="sda2"
ino=2180887 scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:object_r:devicekit_power_exec_t:s0 tclass=file
permissive=1
This commit ensures that the snapcraft icon is shown in the lock screen notifications. Unfortunately, making it work requires a modification in the .deb package; it seems that there is no way of doing this in the snap package because the required change must be set in the "first" .desktop file, and /usr/share(/applications) comes before /var/lib/snapd/desktop(/applications) in the XDG_DATA_DIRS order.
Jira: DT-862
Use systemd-tmpfiles to create the private tmp mount namespace root
dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive
permissions. We can use this as a known location to then create per-snap
private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE)
etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
`snapd.mounts-pre.target` will be before any mount unit,
`snapd.mounts.target`. Now we can schedule before or after mounts
without needing to modify the mount units.
We also install those mounts to `snapd.mounts.target` so that we can
make snapd.service, for example, "want" all mounts.
The implementation of these services is not yet ready, but in order to
be able to deliver it in a snap package, we need to have at least the
service files installed on the system by the distribution package.
These stubs just reexecute the binaries from the snap.
* tests: add spread test for reexec of prompt services
* packaging: update distros for prompt services
Ship them in Debian and Ubuntu, remove them elsewhere.
* cmd: update error message with unimplemented prompt services
* tests: do not disable prompt-reexec tests in UC
* many: disable prompting for 14.04
The kernel changes will most likely not land there.
* many: install prompt services for Ubuntu Core
* tests: exclude UC16 from reexec-prompt test
The services are installed, but disabled; enabling them is not trivial
and not worth the effort, since prompting will most likely not be
backported there.
* wrappers/core18: don't fail if the prompt service is missing in snapd
This fixes a spread failure in the tests/core/snapd-refresh-vs-services
test, where we install an old version of snapd (2.49) which does not
have the Prompt service.
* tests: fix typo in comment
Thanks @pedronis.
* cmd: add license header
Thanks @Meulengracht
Commit 5545f79af9 introduced a check for
WSL that causes our spread tests (in particular, selinux-clean) to fail
on Fedora and CentOS.
Add the rules from `audit2allow -a` to the SELinux rules, to suppress
those warnings.
This fixes an error occurring in our spread tests on CentOS:
2022-08-17T12:52:45.7861235Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { open } for pid=71804 comm=snap path=/etc/pki/tls/openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
2022-08-17T12:52:45.7898682Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { read } for pid=71804 comm=snap name=openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
2022-08-17T12:52:45.7899442Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { search } for pid=71804 comm=snap name=pki dev="sda2" ino=50341665 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Note that with this change we are not removing the call to
miscfiles_read_all_certs(snappy_t)
because it was actually present twice in this file.
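
The step from AVC denials like the ones quoted in these commit messages to candidate policy rules, as an added example (not snapd's code and not audit2allow's implementation). It groups denials by source type, target type and object class; the function names are hypothetical, and the sample records are the page's denials joined onto single lines.

```python
import re
from collections import defaultdict

# Denials quoted on this page, each joined onto one line (ausearch wraps them).
SAMPLE = """\
type=AVC msg=audit(09/26/23 12:44:11.492:315) : avc: denied { rename } for pid=28207 comm=snapd name=lxd.lxc.yLBQbN9J4LrW~ dev="sda2" ino=17679133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1679948376.046:1319): avc: denied { getattr } for pid=40320 comm="snapd" path="/usr/libexec/upowerd" dev="sda2" ino=2180887 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:devicekit_power_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { open } for pid=71804 comm=snap path=/etc/pki/tls/openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { read } for pid=71804 comm=snap name=openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc: denied { search } for pid=71804 comm=snap name=pki dev="sda2" ino=50341665 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_denials(text):
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        denials.append({
            "source": context_type(m["scontext"]),
            "target": context_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": m["perms"].split(),
            # permissive=1 means the access was logged but not blocked
            "permissive": re.search(r"\bpermissive=1\b", line) is not None,
        })
    return denials

def allow_rules(denials):
    # Merge permissions that share (source type, target type, class).
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Raw allow rules like these are review input; the commit message above refers to the policy interface `miscfiles_read_all_certs` for certificate access rather than per-permission rules.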
When collecting preseeded data, also include snapd/mounts.
This directory contains layout info and is essential to have
correct layout functionality on a preseeded system.
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>