data/selinux: allow messages from policykit #4404
snapd talks to polkitd over DBus and calls org.freedesktop.PolicyKit1.Authority.CheckAuthorization() method. The default SELinux policy prevents polkitd from sending a reply back to snapd.

Resolves: https://forum.snapcraft.io/t/selinux-blocking-snapd-since-update-on-fedora-27/3002

Quoting dbus-daemon manual (SELinux section):

> First, any time a message is routed from one connection to another connection,
> the bus daemon will check permissions with the security context of the first
> connection as source, security context of the second connection as target,
> object class "dbus" and requested permission "send_msg".

The change adjusts the policy to allow DBus messages (dbus send_msg) to be sent from processes with type polkit_t (polkitd) to processes with type snappy_t (snapd).

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
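The check quoted from the dbus-daemon manual, seen from the audit side: an added example (not part of the PR or of snapd) that picks denied dbus send_msg records out of audit text and renders the sender/recipient type pair as the allow rule a reviewer would have to vet. The audit records are constructed for illustration, the type names follow the PR text, and the function names are hypothetical.

```python
import re

# Constructed audit records (not from the page). dbus-daemon reports its own
# denials as USER_AVC; the type names follow the PR text (polkit_t, snappy_t).
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1513000000.101:310): pid=700 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.52 spid=911 tpid=1500 scontext=system_u:system_r:polkit_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1513000000.205:311): avc:  denied  { read } for pid=1500 comm="snapd" name="example" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=USER_AVC msg=audit(1513000001.007:312): pid=700 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.52 spid=911 tpid=1500 scontext=system_u:system_r:polkit_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def dbus_send_denials(audit_text):
    """Collect unique (sender_type, recipient_type) pairs for denied dbus send_msg."""
    pairs = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "dbus" or "send_msg" not in m["perms"].split():
            continue  # not a bus routing denial (e.g. a kernel file AVC)
        pair = (selinux_type(m["scon"]), selinux_type(m["tcon"]))
        if pair not in pairs:
            pairs.append(pair)
    return pairs

def candidate_rules(audit_text):
    """Render each denied pair as the allow rule a reviewer would have to vet."""
    return [f"allow {src} {dst}:dbus send_msg;" for src, dst in dbus_send_denials(audit_text)]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AUDIT):
        print(rule)
```

The source type is the sender of the routed message (here the method reply from polkitd) and the target type is the recipient (snapd), matching the direction the PR description gives.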
@bboozzoo It looks good to me, but is there any need for a corresponding policy declaration for |
Codecov Report
@@ Coverage Diff @@
## master #4404 +/- ##
==========================================
+ Coverage 78.03% 78.04% +<.01%
==========================================
Files 449 449
Lines 30906 30906
==========================================
+ Hits 24118 24120 +2
+ Misses 4775 4774 -1
+ Partials 2013 2012 -1
@bboozzoo Can you please bump the version of the snapd-selinux policy? https://github.com/snapcore/snapd/blob/master/data/selinux/snappy.te#L20
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Bumped the policy version to 0.0.13
I went through https://github.com/fedora-selinux/selinux-policy-contrib and the pattern is to use |
Add an optional policy to allow policykit_dbus_chat(). Enables sending to and receiving messages from policykit. Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
ac55b2a to 0cdff0e
🎉
@mvo5 Can you make sure to cherry-pick this back into 2.30 branch?
snapd talks to polkitd over DBus and calls
org.freedesktop.PolicyKit1.Authority.CheckAuthorization() method. The default
SELinux policy prevents polkitd from sending a reply back to snapd.
Resolves: https://forum.snapcraft.io/t/selinux-blocking-snapd-since-update-on-fedora-27/3002
Quoting dbus-daemon manual (SELinux section):
The change adjusts the policy to allow DBus messages (dbus send_msg) to be
sent from processes with type polkit_t (polkitd) to processes with type
snappy_t (snapd).
@Conan-Kudo this affects the SELinux policy files.