data/selinux, tests/main/selinux-clean: fine tune the policy, make sure that no denials are raised #6661
Commits on Mar 28, 2019
-
tests/main/selinux-clean: keep SELinux denials in check
Add a spread test to monitor if basic snap management raises any SELinux denials.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
tests/main/selinux-clean: install fonts to catch fc-cache invocation issues
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
tests/main/selinux-clean: verify that socket activated snaps work
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
tests/main/selinux-clean: leave a note about snap logs
Snap logs will trigger snapd to run journalctl. On a SELinux system, this will cause a domain transition to journalctl_t. However, the policy does not allow journalctl to poke /proc data of pid 1, thus causing denials to appear in the log. Until this is fixed, all we can do is have a TODO note as a reminder.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
data/selinux: allow sys_admin for snap-confine
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
data/selinux: tune SELinux policy
- allow snap to exec snap-seccomp (for deriving system-key)
- allow snap to manage directories/links/files under ~/snap
- tweak snapd permissions to add/remove links under /usr/share/bash-completion/completions (which is of usr_t type)
- tweak permissions of snap-confine (can do a great deal with tmp_t, but reads were not enabled)
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
tests/lib/snaps/socket-activation: create a second socket in a subdirectory
Add a second socket to the snap, but this time it should be created in a subdirectory. This should help uncover any problems with SELinux policy preventing systemd from creating subdirectories under $SNAP_{DATA,COMMON}.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Commits on Apr 1, 2019
-
Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-final-policy-update-clean-test
Commits on Apr 2, 2019
-
data/selinux: update the policy
- allow managing char files under /var/snap, those could have been created by snaps such as lxd
- allow fowner capability for snapd (snapshots?)
- allow snap-{update,discard}-ns to read tmpfs symlinks, etc. /etc/os-release which is from /etc bind mounted on top of tmpfs
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
data/selinux: more policy tweaks
- allow querying SELinux enforcement mode
- use proper interfaces to allow service reload/start/stop/enable/disable
- account for cloud-init instance data access
- account for /proc/sys/fs/may_detach_mounts probe in sanity
- allow unlinking incorrectly labeled socket files under /var/snap
- account for polkit support poking /proc/<pid>/stat of the calling process
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
data/selinux: final tweak to the policy
- allow snap-confine to create directories in ~/snap
- allow dac_override for snap, when running as root
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-final-policy-update-clean-test
-
tests/main/selinux-clean: execute snap stop/start
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Commits on Apr 5, 2019
-
tests/main/selinux-clean: correctly SELinux enforcing mode
Instead of assuming the mode should be permissive, restore to whatever was set before the test.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
-
Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-final-policy-update-clean-test
Commits on Apr 11, 2019
-
Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-final-policy-update-clean-test
-
data/selinux: account for improved cwd handling in snap-confine
Services are started with their WorkingDirectory set to $SNAP_DATA. Since snap-confine performs more checks on cwd now, we need to account for that in the policy.
Relevant SELinux denial:
type=AVC msg=audit(1554975937.636:129): avc: denied { getattr } for pid=1099 comm="snap-confine" path="/var/snap/test-snapd-service/x1" dev="vda1" ino=393657 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
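
A sketch of the check a denial-monitoring test depends on, added here as an example and not taken from the snapd repository: it parses AVC records like the one quoted in the last commit message and merges them into candidate allow rules per source type, target type and class. The function names, the ignore list for the known journalctl_t case, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the commit message; the rest are constructed samples.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1554975937.636:129): avc: denied { getattr } for pid=1099 comm="snap-confine" path="/var/snap/test-snapd-service/x1" dev="vda1" ino=393657 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554975937.640:130): avc: denied { search } for pid=1099 comm="snap-confine" name="x1" dev="vda1" ino=393657 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554975940.101:131): avc: denied { read } for pid=1200 comm="journalctl" name="environ" dev="proc" ino=20011 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1554975940.101:131): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Return one dict per AVC denial; non-AVC records and ones lacking contexts are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue
        # A context is user:role:type:level; the type is what policy rules name.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        rec['perms'] = m.group('perms').split()
        rec['serial'] = int(m.group('serial'))
        denials.append(rec)
    return denials


def group_denials(denials, ignore_stypes=()):
    """Merge denials into {(source type, target type, class): sorted perms}."""
    grouped = defaultdict(set)
    for d in denials:
        if d['stype'] not in ignore_stypes:
            grouped[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in grouped.items()}


def as_allow_rules(grouped):
    """Render grouped denials as candidate allow rules for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == '__main__':
    found = group_denials(parse_denials(SAMPLE_AUDIT_LOG), ignore_stypes={'journalctl_t'})
    print('\n'.join(as_allow_rules(found)) or 'no unexpected denials')
```

The rendered rules are review input for the policy author, much like audit2allow output, and an empty result is the pass condition for a denial-free run.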