data/selinux: allow messages from policykit #4404

Merged
merged 5 commits into from Dec 20, 2017

bboozzoo
Collaborator

snapd talks to polkitd over DBus and calls
org.freedesktop.PolicyKit1.Authority.CheckAuthorization() method. The default
SELinux policy prevents polkitd from sending a reply back to snapd.

Resolves: https://forum.snapcraft.io/t/selinux-blocking-snapd-since-update-on-fedora-27/3002

Quoting dbus-daemon manual (SELinux section):

> First, any time a message is routed from one connection to another connection,
> the bus daemon will check permissions with the security context of the first
> connection as source, security context of the second connection as target,
> object class "dbus" and requested permission "send_msg".

The change adjusts the policy to allow DBus messages (dbus send_msg) to be
sent from processes with type polkit_t (polkitd) to processes with type
snappy_t (snapd).

@Conan-Kudo this affects the SELinux policy files.

snapd talks to polkitd over DBus and calls
org.freedesktop.PolicyKit1.Authority.CheckAuthorization() method. The default
SELinux policy prevents polkitd from sending a reply back to snapd.

Resolves: https://forum.snapcraft.io/t/selinux-blocking-snapd-since-update-on-fedora-27/3002

Quoting dbus-daemon manual (SELinux section):

  > First, any time a message is routed from one connection to another connection,
  > the bus daemon will check permissions with the security context of the first
  > connection as source, security context of the second connection as target,
  > object class "dbus" and requested permission "send_msg".

The change adjusts the policy to allow DBus messages (dbus send_msg) to be
sent from processes with type polkit_t (polkitd) to processes with type
snappy_t (snapd).

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
@Conan-Kudo
Contributor

Conan-Kudo commented Dec 15, 2017

@bboozzoo It looks good to me, but is there any need for a corresponding policy declaration for snappy_t to send messages?

@codecov-io
codecov-io commented Dec 15, 2017

Codecov Report

Merging #4404 into master will increase coverage by <.01%.
The diff coverage is n/a.

```
@@            Coverage Diff             @@
##           master    #4404      +/-   ##
==========================================
+ Coverage   78.03%   78.04%   +<.01%
==========================================
  Files         449      449
  Lines       30906    30906
==========================================
+ Hits        24118    24120       +2
+ Misses       4775     4774       -1
+ Partials     2013     2012       -1
```

| Impacted Files | Coverage Δ |
|---|---|
| overlord/hookstate/hookmgr.go | 72.83% <0%> (+1.15%) ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@Conan-Kudo
Contributor

@bboozzoo Can you please bump the version of the snapd-selinux policy? https://github.com/snapcore/snapd/blob/master/data/selinux/snappy.te#L20

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
@bboozzoo
Collaborator Author

Bumped the policy version to 0.0.13

> @bboozzoo It looks good to me, but is there any need for a corresponding policy declaration for snappy_t to send messages?

I went through https://github.com/fedora-selinux/selinux-policy-contrib and the pattern is to use optional_policy and a *_dbus_chat interface, e.g. policykit_dbus_chat(<yourtype_t>). Fixed this accordingly.

Add an optional policy to allow policykit_dbus_chat(). Enables sending to and
receiving messages from policykit.

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>

mvo5 merged commit e13f0f9 into snapcore:master on Dec 20, 2017

@Conan-Kudo
Contributor

🎉

@Conan-Kudo
Contributor

@mvo5 Can you make sure to cherry-pick this back into 2.30 branch?
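
As an added example (not part of this PR or of snapd's code): a small Python triage script for the kind of denial this change addresses. It picks dbus-daemon `send_msg` denials out of audit records and groups them by source and target type, following the source/target roles in the dbus-daemon manual quote above. The sample records are constructed, with the type names taken from the PR description.

```python
import re
from collections import defaultdict

# Constructed audit records modelled on dbus-daemon USER_AVC entries. Type names
# follow the PR description (polkit_t, snappy_t); all other values are made up.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1513330001.101:410): pid=812 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.57 spid=934 tpid=1201 scontext=system_u:system_r:polkit_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1513330002.007:411): avc:  denied  { read } for pid=1201 comm="snapd" name="example" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1513330009.440:415): pid=812 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.57 spid=934 tpid=1201 scontext=system_u:system_r:polkit_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\w+)"
)
MSGTYPE_RE = re.compile(r"msgtype=(\w+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def dbus_send_denials(audit_text):
    """Map (source type, target type) to the D-Bus message types denied send_msg."""
    denials = defaultdict(list)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        # Only the bus daemon's own check matters here: class dbus, perm send_msg.
        if not m or m["cls"] != "dbus" or "send_msg" not in m["perms"].split():
            continue
        msgtype = MSGTYPE_RE.search(line)
        pair = (selinux_type(m["src"]), selinux_type(m["tgt"]))
        denials[pair].append(msgtype.group(1) if msgtype else "unknown")
    return dict(denials)


def one_way_pairs(denials):
    """Pairs with denials logged in one direction only (e.g. calls pass, replies blocked)."""
    return sorted(p for p in denials if (p[1], p[0]) not in denials)


if __name__ == "__main__":
    found = dbus_send_denials(SAMPLE_AUDIT)
    for (src, tgt), kinds in found.items():
        print(f"denied: {src} -> {tgt} dbus send_msg ({len(kinds)}x, {sorted(set(kinds))})")
    print("one-way:", one_way_pairs(found))
```

A pair reported as one-way with only `method_return` messages matches the situation in the PR description, where the reply from polkitd to snapd is what gets blocked.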
