data/selinux: allow snaps to read certificates (#12050)
This fixes an error occurring in our spread tests on CentOS:

    2022-08-17T12:52:45.7861235Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc:  denied  { open } for  pid=71804 comm=snap path=/etc/pki/tls/openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
    2022-08-17T12:52:45.7898682Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc:  denied  { read } for  pid=71804 comm=snap name=openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
    2022-08-17T12:52:45.7899442Z type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc:  denied  { search } for  pid=71804 comm=snap name=pki dev="sda2" ino=50341665 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1

Note that with this change we are not removing the call to

    miscfiles_read_all_certs(snappy_t)

because it was actually present twice in this file.
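Triage of the denials quoted above, as an added example that is not part of snapd or of this commit: parse the AVC records, group the denied permissions by source domain, target type and object class, and list which domains need the grant. That is the check used to confirm that one interface call for snappy_cli_t covers all three records. The function names summarize_avc and domains_needing_access are my own; the sample input is the three records from the description with the CI timestamps dropped.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records from the commit description,
# with the leading CI timestamps removed.
SAMPLE_AVC = """\
type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc:  denied  { open } for  pid=71804 comm=snap path=/etc/pki/tls/openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc:  denied  { read } for  pid=71804 comm=snap name=openssl.cnf dev="sda2" ino=33578739 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/17/22 12:52:06.099:6583) : avc:  denied  { search } for  pid=71804 comm=snap name=pki dev="sda2" ino=50341665 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
"""

# Matches the permission set and the three context fields of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize_avc(text):
    """Group denied permissions by (source type, target type, object class).

    Returns e.g. {("snappy_cli_t", "cert_t", "file"): {"open", "read"}}.
    Non-AVC audit lines (SYSCALL, PATH, ...) are skipped.
    """
    summary = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return dict(summary)


def domains_needing_access(summary, target_type):
    """Source domains denied something on target_type, i.e. the domains that
    must appear in the policy interface call (here: snappy_cli_t for cert_t)."""
    return sorted({src for (src, tgt, _cls) in summary if tgt == target_type})


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize_avc(SAMPLE_AVC).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```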
mardy committed Aug 22, 2022
1 parent 97b65fd commit 8fc73b9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion data/selinux/snappy.te
@@ -819,7 +819,7 @@ fs_getattr_cgroup(snappy_cli_t)
systemd_exec_systemctl(snappy_cli_t)

# allow snap to read SSL certs
miscfiles_read_all_certs(snappy_t)
miscfiles_read_all_certs(snappy_cli_t)

########################################
#
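Review bot: the comment "# allow snap to read SSL certs" above the changed line no longer says which domain it applies to now that the call targets snappy_cli_t; consider "# allow the snap CLI to read SSL certs", and confirm that the other miscfiles_read_all_certs(snappy_t) call the commit message mentions is still present so snappy_t keeps its access. The three AVC records in the description (open and read on a cert_t file, search on a cert_t dir, scontext snappy_cli_t) are exactly what this interface is meant to cover, so the one-line swap is consistent with the reported denials.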

0 comments on commit 8fc73b9