github.com/meulengracht/snapd@v0.0.0-20210719210640-8bde69bcc84e/data/selinux/snappy.te

# This file is part of snapd-selinux
# Skeleton derived from Fedora selinux-policy, Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2016 Neal Gompa
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


policy_module(snappy,0.1.0)

########################################
#
# Declarations
#

attribute_role snappy_roles;

# snapd
type snappy_t;
type snappy_exec_t;
# allow init domain to transition to snappy_t by executing snappy_exec_t
init_daemon_domain(snappy_t, snappy_exec_t)

role snappy_roles types snappy_t;

type snappy_config_t;
files_config_file(snappy_config_t)

type snappy_home_t;
typealias snappy_home_t alias { user_snappy_home_t staff_snappy_home_t sysadm_snappy_home_t };
typealias snappy_home_t alias { auditadm_snappy_home_t secadm_snappy_home_t };
userdom_user_home_content(snappy_home_t)

type snappy_var_t;
files_type(snappy_var_t)

type snappy_var_lib_t;
files_type(snappy_var_lib_t)

type snappy_var_cache_t;
files_type(snappy_var_cache_t)

type snappy_var_run_t;
files_pid_file(snappy_var_run_t)

type snappy_unit_file_t;
systemd_unit_file(snappy_unit_file_t)

type snappy_tmp_t;
files_tmp_file(snappy_tmp_t)

# actual snap
type snappy_snap_t;
# XXX: snappy_snap_t should be declared a filesystem, but due to how modules are
# handled we cannot generate required contexts with genfscon outside of core
# policy
# fs_type(snappy_snap_t)
files_type(snappy_snap_t)
files_mountpoint(snappy_snap_t)

# CLI tools: snap, snapctl
type snappy_cli_t;
type snappy_cli_exec_t;
domain_type(snappy_cli_t)
domain_entry_file(snappy_cli_t, snappy_cli_exec_t)

# helper tools: snap-{update,discard}-ns
type snappy_mount_t;
type snappy_mount_exec_t;
domain_type(snappy_mount_t)
domain_entry_file(snappy_mount_t, snappy_mount_exec_t)

# helper tool: snap-confine
type snappy_confine_t;
type snappy_confine_exec_t;
domain_type(snappy_confine_t)
domain_entry_file(snappy_confine_t, snappy_confine_exec_t)

type snappy_unconfined_snap_t;
unconfined_domain(snappy_unconfined_snap_t)

########################################
#
# snappy snapd local policy
#

# For development purposes, snappy_t domain is to be marked permissive
permissive snappy_t;

# Allow transitions from init_t to snappy for sockets
# init_named_socket_activation() is not supported by core policy in RHEL7
gen_require(`
	type init_t;
	type var_run_t;
')
filetrans_pattern(init_t, var_run_t, snappy_var_run_t, sock_file, "snapd.socket")
filetrans_pattern(init_t, var_run_t, snappy_var_run_t, sock_file, "snapd-snap.socket")

# Allow init_t to read snappy data
allow init_t snappy_var_lib_t:dir read;

# Allow snapd to read procfs
gen_require(`
	type proc_t;
')
allow snappy_t proc_t:file { getattr open read };

# Allow snapd to read sysfs
dev_read_sysfs(snappy_t)
dev_search_sysfs(snappy_t)

# This silences a read AVC denial event on the lost+found directory.
gen_require(`
	type lost_found_t;
')
dontaudit snappy_t lost_found_t:dir read;

# Allow snapd to read SSL cert store
miscfiles_read_all_certs(snappy_t)

# Allow snapd to read config files
read_files_pattern(snappy_t, snappy_config_t, snappy_config_t)

# Allow snapd to manage snaps' homedir data
admin_pattern(snappy_t, snappy_home_t)
userdom_search_user_home_dirs(snappy_t)
userdom_list_user_home_dirs(snappy_t)

# Allow snapd to read DNS config
sysnet_dns_name_resolve(snappy_t)

# When managed by NetworkManager, DNS config is in its rundata
gen_require(`
	type NetworkManager_var_run_t;
')
allow snappy_t NetworkManager_var_run_t:dir search;

# Allow snapd to read sysctl files
kernel_read_net_sysctls(snappy_t)
kernel_search_network_sysctl(snappy_t)

# Allow snapd to query SELinux status
selinux_get_enforce_mode(snappy_t)

# Allow snapd to manage D-Bus config files for snaps
optional_policy(`
	dbus_read_config(snappy_t)
	allow snappy_t dbusd_etc_t:file { write create rename unlink };
	allow snappy_t dbusd_etc_t:lnk_file { read };
')

# Allow snapd to manage kmod-backend (/etc/modules-load.d/) files
allow snappy_t etc_t:dir { write remove_name };
allow snappy_t etc_t:file unlink;

# Allow snapd to manage udev rules for snaps and trigger events
optional_policy(`
	udev_manage_rules_files(snappy_t)
	udev_manage_pid_files(snappy_t)
	udev_exec(snappy_t)
	udev_domtrans(snappy_t)
	udev_create_kobject_uevent_socket(snappy_t)
')
allow snappy_t self:netlink_kobject_uevent_socket { create_socket_perms read };

# Allow snapd to read/write systemd units and use systemctl for managing snaps
systemd_config_all_services(snappy_t)
systemd_manage_all_unit_files(snappy_t)
systemd_manage_all_unit_lnk_files(snappy_t)
systemd_exec_systemctl(snappy_t)
systemd_reload_all_services(snappy_t)
init_reload_services(snappy_t)
init_enable_services(snappy_t)
init_disable_services(snappy_t)

# Allow snapd to execute unsquashfs
corecmd_exec_bin(snappy_t)

# Allow snappy to exec helpers
can_exec(snappy_t, snappy_exec_t)
can_exec(snappy_t, snappy_mount_exec_t)
can_exec(snappy_t, snappy_cli_exec_t)
corecmd_search_bin(snappy_t)
# allow transition to snap cli domain
snappy_cli_domtrans(snappy_t)
# allow transition to mount helpers domain
snappy_mount_domtrans(snappy_t)
# allow transition to snap-confine domain
snappy_confine_domtrans(snappy_t)

# Allow snapd to get FUSE device attributes
storage_getattr_fuse_dev(snappy_t)

# Read l10n files?
miscfiles_read_localization(snappy_t)

# Allow snapd to read its run files, those files are managed elsewhere
manage_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t)
manage_sock_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t)

gen_require(`
	type user_tmp_t;
')
allow snappy_t user_tmp_t:dir { read };

# Allow snapd to clean up /run/user sockets
userdom_manage_tmp_dirs(snappy_t)
userdom_manage_tmp_sockets(snappy_t)

gen_require(`
	type systemd_unit_file_t;
')
allow snappy_t systemd_unit_file_t:dir { rmdir };

gen_require(`
	type home_root_t;
')
allow snappy_t home_root_t:dir { read };

# Allow snapd to manage its persistent data
admin_pattern(snappy_t, snappy_var_cache_t)
# for r/w to commands.db
mmap_rw_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t)
admin_pattern(snappy_t, snappy_var_lib_t)
# for r/w to errtracker.db
mmap_rw_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t)
# snap data files
admin_pattern(snappy_t, snappy_var_t)
# auto transition /var/snap when created at runtime
files_var_filetrans(snappy_t, snappy_var_t, dir, "snap")
# some snaps may create character files, eg. lxd creates /dev/full in the
# container's rootfs
manage_chr_files_pattern(snappy_t, snappy_var_t, snappy_var_t)
# And search/read mounted snaps
allow snappy_t snappy_snap_t:dir { list_dir_perms };
allow snappy_t snappy_snap_t:file { read_file_perms };
allow snappy_t snappy_snap_t:lnk_file { read_lnk_file_perms };

# Grant snapd access to /tmp
admin_pattern(snappy_t, snappy_tmp_t)
files_tmp_filetrans(snappy_t, snappy_tmp_t, { file dir })

# snap command completions, symlinks going back to snap mount directory
gen_require(`
	type usr_t;
')
allow snappy_t usr_t:dir { write remove_name add_name };
allow snappy_t usr_t:lnk_file { create unlink };

# Allow snapd to use ssh-keygen
ssh_exec_keygen(snappy_t)

# Allow snapd to access passwd file for trivial user lookup
auth_read_passwd(snappy_t)
# also via nsswitch if called via libc
auth_use_nsswitch(snappy_t)

# because /run/snapd/ns/*.mnt gets a label of the process context
gen_require(` type unconfined_t; ')
allow snappy_t unconfined_t:file getattr;
allow snappy_t snappy_confine_t:file getattr;

logging_send_syslog_msg(snappy_t)

allow snappy_t self:capability { dac_read_search dac_override fowner };
allow snappy_t self:process { setpgid };

# Various socket permissions
allow snappy_t self:fifo_file rw_fifo_file_perms;
allow snappy_t self:netlink_route_socket create_netlink_socket_perms;
allow snappy_t self:unix_stream_socket create_stream_socket_perms;
allow snappy_t self:tcp_socket create_stream_socket_perms;
allow snappy_t self:udp_socket create_stream_socket_perms;
allow snappy_t self:unix_dgram_socket { create_socket_perms sendto };
allow snappy_t self:capability2 block_suspend;

# snapd needs to check for ipv6 support
gen_require(`
	type node_t;
')
allow snappy_t node_t:tcp_socket node_bind;

corenet_all_recvfrom_unlabeled(snappy_t)
corenet_all_recvfrom_netlabel(snappy_t)
corenet_tcp_sendrecv_generic_if(snappy_t)
corenet_tcp_sendrecv_generic_node(snappy_t)

corenet_tcp_sendrecv_http_port(snappy_t)
corenet_tcp_connect_http_port(snappy_t)
corenet_tcp_sendrecv_http_cache_port(snappy_t)
corenet_tcp_connect_http_cache_port(snappy_t)

# snapd has its own internal DNS resolver
corenet_tcp_sendrecv_dns_port(snappy_t)
corenet_udp_sendrecv_dns_port(snappy_t)
corenet_tcp_connect_dns_port(snappy_t)
corenet_sendrecv_dns_client_packets(snappy_t)

# allow communication with polkit over dbus
optional_policy(`
	policykit_dbus_chat(snappy_t)
')

# allow communication with system bus
optional_policy(`
	dbus_system_bus_client(snappy_t)
')

# allow reading sssd files
optional_policy(`
	sssd_read_public_files(snappy_t)
	sssd_stream_connect(snappy_t)
')

# for sanity checks
optional_policy(`
	mount_run(snappy_t, snappy_roles)
')

# snapd runs journalctl to fetch logs
optional_policy(`
	journalctl_run(snappy_t, snappy_roles)
	# and kills journalctl once the logs have been fetched
	allow snappy_t journalctl_t:process sigkill;
')

# only pops up in cloud images where cloud-init.target is incorrectly labeled
allow snappy_t init_var_run_t:lnk_file read;

# snapd may need to run helpers from the snaps, eg. fontconfig helper
can_exec(snappy_t, snappy_snap_t)
# fontconfig cache setup
miscfiles_manage_fonts_cache(snappy_t)
files_var_filetrans(snappy_t, fonts_cache_t, dir, "fontconfig")
# fontconfig cache is in /usr/lib/fontconfig/cache, which should be labeled as
# fonts_cache_t, but it may be incorrectly labeled as lib_t, see
# https://bugzilla.redhat.com/show_bug.cgi?id=1659905 and a corresponding bug
# for RHEL7 https://bugzilla.redhat.com/show_bug.cgi?id=1792349 (marked as
# WONTFIX, so carry the workaround for as long as we support EPEL7)
libs_manage_lib_dirs(snappy_t)
libs_manage_lib_files(snappy_t)
fs_getattr_xattr_fs(snappy_t)
# probing cgroup version, /sys/fs/cgroup is a tmpfs for v1 or cgroup for v2
fs_getattr_tmpfs(snappy_t)
fs_list_tmpfs(snappy_t)
fs_getattr_cgroup(snappy_t)
# snapd checks whether <snap>.mnt exists before running the mount namespace
# helper tool
# fs_getattr_nsfs_files() is not available in selinux devel on CentOS 7.x
getattr_files_pattern(snappy_t, nsfs_t, nsfs_t)

# lxd snap has nsfs under common directory, this works around denials triggered
# by snapshot size estimation.
allow snappy_t unconfined_service_t:file getattr;

# snapd attempts to read /run/cloud-init/instance-data.json
sysnet_read_config(snappy_t)
# however older policy may be missing the transition rules, and
# /run/cloud-init/instance-data.json ends up as var_run_t
files_read_generic_pids(snappy_t)

# snapd attempts to check /proc/sys/fs/may_detach_mounts during sanity testing
kernel_read_fs_sysctls(snappy_t)

# socket activated services may have their socket files created under
# $SNAP_COMMON, but lacking auto transition, they end up labeled as var_t
allow snappy_t var_t:sock_file unlink;

# snapd picks the process start time from /proc/<pid>/stat for polkit
allow snappy_t unconfined_t:dir search;
allow snappy_t unconfined_t:file { open read };

# snapd executes cp when copying snap data between revisions
allow snappy_t self:process { setfscreate };
allow snappy_t self:capability { fsetid chown };
# snappy_t running as system_u attempts to change the user identity of copied
# files, which typically have unconfined_u
domain_obj_id_change_exemption(snappy_t)
# snapd executes runuser to take snapshots of user's snap data
allow snappy_t self:capability { setuid setgid };
allow snappy_t self:process setsched;
# runuser uses kernel keyring
allow snappy_t self:key { search write };
# runuser logs to audit
logging_send_audit_msgs(snappy_t)

# allow snapd to remove snap specific user's data under
# /run/user/<uid>/snap.<snap> on snap remove;
# also desktop-helpers do cp -a on user-dirs.locale, what creates a config_home_t
# file inside ~/snap, which would normally be snappy_home_t
gnome_manage_home_config(snappy_t)
gnome_manage_home_config_dirs(snappy_t)
userdom_manage_user_tmp_symlinks(snappy_t)

# appstream-metadata interface checks whether /var/cache/app-info (labeled
# fwupd_cache_t) exists
# RHEL7: fwupd.if is not defined in the policy
ifndef(`distro_rhel7',`
	optional_policy(`
	  fwupd_search_cache(snappy_t)
  ')
')

# Snapd tries to kill hooks that run for over 10 minutes. Allow killing
# processes both in "snap run" and in "post-snap-confine" phases.
allow snappy_t snappy_cli_t:process { getpgid sigkill };
allow snappy_t unconfined_service_t:process { getpgid sigkill };

########################################
#
# snap-update-ns, snap-dicsard-ns local policy
#
permissive snappy_mount_t;

role system_r types snappy_mount_t;

admin_pattern(snappy_mount_t, snappy_var_run_t)
files_pid_filetrans(snappy_mount_t, snappy_var_run_t, {file dir})

# layouts are built using tmpfs
fs_manage_tmpfs_files(snappy_mount_t)
fs_manage_tmpfs_dirs(snappy_mount_t)
fs_manage_tmpfs_symlinks(snappy_mount_t)
fs_mount_tmpfs(snappy_mount_t)
fs_unmount_tmpfs(snappy_mount_t)
fs_remount_tmpfs(snappy_mount_t)
fs_getattr_tmpfs(snappy_mount_t)
# this only gives mounton on directories
fs_mounton_tmpfs(snappy_mount_t)
# layouts may need to mount on files
allow snappy_mount_t tmpfs_t:file mounton;
# or (re)create symlinks
fs_manage_tmpfs_symlinks(snappy_mount_t)

# any tmp_t files or directories get snappy_tmp_t
files_tmp_filetrans(snappy_mount_t, snappy_tmp_t, { file dir })
userdom_user_tmp_filetrans(snappy_mount_t, snappy_tmp_t, { file dir})
allow snappy_mount_t snappy_tmp_t:dir { mounton };
allow snappy_mount_t snappy_tmp_t:file { mounton };
admin_pattern(snappy_mount_t, snappy_tmp_t)
# FIXME: investigate further why transition from user_tmp_t to snappy_tmp_t may
# not happen when snap-confine is executed by unconfined_t, should we still end
# up with user_tmp_t allow acting on it
allow snappy_mount_t user_tmp_t:dir { mounton rmdir };
userdom_delete_user_tmp_files(snappy_mount_t)
# when managing some interfaces, a mount from the host /tmp may need to be set
# up and files or directories may need to be created or removed (eg. x11
# interface), in most distros the /tmp is on tmpfs and thus fs_manage_tmpfs_*
# will provide the right policy, but we still need to allow those operations
# when the host's /tmp is not a tmpfs
files_manage_generic_tmp_dirs(snappy_mount_t)
files_manage_generic_tmp_files(snappy_mount_t)

# Allow snap-{update,discard}-ns to manage mounts
gen_require(`
	type fs_t;
	type mount_var_run_t;
')
allow snappy_mount_t fs_t:filesystem { mount unmount };
allow snappy_mount_t mount_var_run_t:dir { add_name remove_name write search };
allow snappy_mount_t mount_var_run_t:file { create getattr setattr open read write rename unlink lock };
# for discard-ns, because a preserved mount ns is a bind-mounted /proc/<pid>/ns/mnt
gen_require(`
	type proc_t;
')
allow snappy_mount_t proc_t:filesystem { getattr unmount };

allow snappy_mount_t self:capability { sys_chroot sys_admin setgid };

manage_files_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t)
manage_dirs_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t)
manage_lnk_files_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t)

read_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t)
getattr_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t)
read_lnk_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t)
list_dirs_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t)

fs_getattr_all_fs(snappy_mount_t)
fs_getattr_xattr_fs(snappy_mount_t)
# snap-discard-ns pokes, reads and unmounts the mount ns captured at <snap>.mnt
fs_read_nsfs_files(snappy_mount_t)
fs_unmount_nsfs(snappy_mount_t)

# due to mounting /usr/libexec/snapd
allow snappy_mount_t bin_t:dir mounton;
# setting up fonts for the desktop interface
gen_require(`
	type fonts_t, fonts_cache_t;
')

allow snappy_mount_t fonts_cache_t:dir mounton;
allow snappy_mount_t fonts_t:dir mounton;
# fontconfig cache is in /usr/lib/fontconfig/cache, which should be labeled as
# fonts_cache_t, but it may be incorrectly labeled as lib_t, see
# https://bugzilla.redhat.com/show_bug.cgi?id=1659905 and a corresponding bug
# for RHEL7 https://bugzilla.redhat.com/show_bug.cgi?id=1792349 (marked as
# WONTFIX, so carry the workaround for as long as we support EPEL7)
allow snappy_mount_t lib_t:dir mounton;

# mount and unmount on top of snaps
allow snappy_mount_t snappy_snap_t:dir mounton;
allow snappy_mount_t snappy_snap_t:file mounton;
allow snappy_mount_t snappy_snap_t:filesystem { unmount remount };

# freezer
fs_manage_cgroup_dirs(snappy_mount_t)
fs_manage_cgroup_files(snappy_mount_t)

# because /run/snapd/ns/*.mnt gets a label of the process context
gen_require(`
	type unconfined_t;
')
allow snappy_mount_t unconfined_t:file { open read getattr };
allow snappy_mount_t snappy_confine_t:file { open read getattr };

# Go runtime artifacts
kernel_read_system_state(snappy_mount_t)
kernel_read_net_sysctls(snappy_mount_t)
kernel_search_network_sysctl(snappy_mount_t)
dev_read_sysfs(snappy_mount_t)

# snap-update-ns is started using a file descriptor, meaning ld.so runs in the
# mount ns and may try to read/mmap cache files inside
fs_read_tmpfs_files(snappy_mount_t)
mmap_read_files_pattern(snappy_mount_t, tmpfs_t, tmpfs_t)

# with robust mount namespace update snap-update-ns can remount filesystems that
# were mounted from the host when updating the ns
fs_remount_xattr_fs(snappy_mount_t)

# when applying update due to appstream-metadata interface, snap-update-ns ns
# whether /var/cache/app-info (labeled fwupd_cache_t) exists
# RHEL7: fwupd.if is not defined in the policy
ifndef(`distro_rhel7',`
	optional_policy(`
		fwupd_search_cache(snappy_mount_t)
	')
')

########################################
#
# snap-confine local policy
#
permissive snappy_confine_t;

role system_r types snappy_confine_t;
snappy_mount_domtrans(snappy_confine_t)
allow snappy_confine_t snappy_mount_t:process2 nosuid_transition;

admin_pattern(snappy_confine_t, snappy_var_run_t)

allow snappy_confine_t snappy_var_lib_t:dir { list_dir_perms };
allow snappy_confine_t snappy_var_lib_t:file { read_file_perms };
allow snappy_confine_t snappy_var_lib_t:lnk_file { read_lnk_file_perms };

files_pid_filetrans(snappy_confine_t, snappy_var_run_t, {file dir})

allow snappy_confine_t snappy_home_t:dir { create_dir_perms list_dir_perms add_entry_dir_perms };
allow snappy_confine_t snappy_home_t:file { read_file_perms };
allow snappy_confine_t snappy_home_t:lnk_file { manage_lnk_file_perms };
userdom_user_home_dir_filetrans(snappy_confine_t, snappy_home_t, dir, "snap")
userdom_admin_home_dir_filetrans(snappy_confine_t, snappy_home_t, dir, "snap")

allow snappy_confine_t snappy_snap_t:process transition;

allow snappy_confine_t self:process { setexec };
allow snappy_confine_t self:capability { setgid setuid sys_admin sys_chroot dac_read_search dac_override };

init_read_state(snappy_confine_t)

# libudev
udev_manage_pid_dirs(snappy_confine_t)

# basic access to system info in /proc
kernel_read_system_state(snappy_confine_t)

fs_getattr_all_fs(snappy_confine_t)
dev_getattr_fs(snappy_confine_t)
dev_getattr_sysfs_fs(snappy_confine_t)
fs_getattr_cgroup(snappy_confine_t)
fs_getattr_hugetlbfs(snappy_confine_t)
fs_getattr_tmpfs(snappy_confine_t)
# some locations that snap-confine unmounts, eg. /dev, are actually tmpfs
fs_unmount_tmpfs(snappy_confine_t)
fs_getattr_xattr_fs(snappy_confine_t)
fs_manage_cgroup_dirs(snappy_confine_t)
fs_write_cgroup_files(snappy_confine_t)
kernel_getattr_debugfs(snappy_confine_t)
kernel_getattr_proc(snappy_confine_t)
fs_read_nsfs_files(snappy_confine_t)
term_getattr_pty_fs(snappy_confine_t)
# term_getattr_generic_ptys() is not supported by core policy in RHEL7
allow snappy_confine_t devpts_t:chr_file getattr;
term_search_ptys(snappy_confine_t)

# because /run/snapd/ns/*.mnt gets a label of the process context
allow snappy_confine_t unconfined_t:file getattr;

# mount ns setup
gen_require(`
	type ptmx_t;
	type modules_object_t;
	type ifconfig_var_run_t;
	type var_log_t;
	type lib_t;
')

admin_pattern(snappy_confine_t, snappy_tmp_t)
# any tmp files or directories get snappy_tmp_t
files_tmp_filetrans(snappy_confine_t, snappy_tmp_t, { file dir })
userdom_user_tmp_filetrans(snappy_confine_t, snappy_tmp_t, { file dir})

allow snappy_confine_t snappy_tmp_t:dir mounton;

allow snappy_confine_t admin_home_t:dir mounton;
allow snappy_confine_t bin_t:dir mounton;
allow snappy_confine_t cert_t:dir { getattr mounton };
allow snappy_confine_t device_t:filesystem unmount;
allow snappy_confine_t devpts_t:dir mounton;
allow snappy_confine_t etc_t:file mounton;
allow snappy_confine_t home_root_t:dir mounton;
allow snappy_confine_t ifconfig_var_run_t:dir mounton;
allow snappy_confine_t modules_object_t:dir mounton;
allow snappy_confine_t lib_t:dir mounton;
allow snappy_confine_t ptmx_t:chr_file { getattr mounton };
allow snappy_confine_t snappy_snap_t:dir { mounton read };
allow snappy_confine_t snappy_snap_t:file mounton;
allow snappy_confine_t snappy_snap_t:lnk_file read;
allow snappy_confine_t snappy_var_lib_t:dir mounton;
allow snappy_confine_t snappy_var_run_t:dir mounton;
allow snappy_confine_t snappy_var_run_t:file mounton;
allow snappy_confine_t snappy_var_t:dir { getattr mounton search };
allow snappy_confine_t tmp_t:dir { add_name create mounton remove_name rmdir setattr write read };
allow snappy_confine_t usr_t:dir mounton;
allow snappy_confine_t var_log_t:dir mounton;
allow snappy_confine_t var_run_t:dir mounton;
dev_mounton(snappy_confine_t)
dev_mounton_sysfs(snappy_confine_t)
dev_unmount_sysfs_fs(snappy_confine_t)
files_mounton_etc(snappy_confine_t)
files_mounton_mnt(snappy_confine_t)
files_mounton_rootfs(snappy_confine_t)
fs_unmount_xattr_fs(snappy_confine_t)
kernel_mounton_proc(snappy_confine_t)
kernel_unmount_proc(snappy_confine_t)
seutil_read_file_contexts(snappy_confine_t)
term_mount_pty_fs(snappy_confine_t)

# device group
fs_manage_cgroup_dirs(snappy_confine_t)
fs_manage_cgroup_files(snappy_confine_t)
# snap-update-ns and snap-confine use tmpfs when setting up the namespace,
# things may end up keeping tmpfs_t label
fs_read_tmpfs_symlinks(snappy_confine_t)

# restoring file contexts
seutil_read_file_contexts(snappy_confine_t)
seutil_read_default_contexts(snappy_confine_t)
seutil_read_config(snappy_confine_t)

can_exec(snappy_confine_t, snappy_snap_t)
read_files_pattern(snappy_confine_t, snappy_snap_t, snappy_snap_t)
# and allow transition by snap-confine
allow snappy_confine_t snappy_unconfined_snap_t:process { noatsecure rlimitinh siginh transition dyntransition };
gen_require(`
	type unconfined_service_t;
')
allow snappy_confine_t unconfined_service_t:process { noatsecure rlimitinh siginh transition dyntransition };

# for classic snaps, snap-confine executes snap-exec from the host (labeled as
# snappy_exec_t)
can_exec(snappy_confine_t, snappy_exec_t)
# allow snappy_exec_t to be an entrypoint to unconfined_service_t, only
# snap-confine is allowed to transition this way
domain_entry_file(unconfined_service_t, snappy_exec_t)

########################################
#
# snap, snapctl local policy
#
permissive snappy_cli_t;

role system_r types snappy_cli_t;
snappy_confine_domtrans(snappy_cli_t)
# services are started through 'snap run ...' wrapper
snappy_cli_domtrans(init_t)

relabel_dirs_pattern(snappy_cli_t, user_home_t, snappy_home_t)
relabel_files_pattern(snappy_cli_t, user_home_t, snappy_home_t)
relabel_dirs_pattern(snappy_cli_t, admin_home_t, snappy_home_t)
relabel_files_pattern(snappy_cli_t, admin_home_t, snappy_home_t)

manage_files_pattern(snappy_cli_t, snappy_home_t, snappy_home_t)
manage_lnk_files_pattern(snappy_cli_t, snappy_home_t, snappy_home_t)
manage_dirs_pattern(snappy_cli_t, snappy_home_t, snappy_home_t)
userdom_user_home_dir_filetrans(snappy_cli_t, snappy_home_t, dir, "snap")
userdom_admin_home_dir_filetrans(snappy_cli_t, snappy_home_t, dir, "snap")

allow snappy_cli_t snappy_snap_t:dir {list_dir_perms };
allow snappy_cli_t snappy_snap_t:file { read_file_perms };
allow snappy_cli_t snappy_snap_t:lnk_file { read_lnk_file_perms };

allow snappy_cli_t snappy_var_lib_t:dir { list_dir_perms };
allow snappy_cli_t snappy_var_lib_t:file { read_file_perms };
allow snappy_cli_t snappy_var_lib_t:lnk_file { read_lnk_file_perms };

# allow talking to system and session bus for app tracking
dbus_system_bus_client(snappy_cli_t);
dbus_chat_system_bus(snappy_cli_t);

# allow reading passwd
auth_read_passwd(snappy_cli_t)
# allow reading sssd files
optional_policy(`
	sssd_read_public_files(snappy_cli_t)
	sssd_stream_connect(snappy_cli_t)
')

# restorecon, matchpathcon
seutil_domtrans_setfiles(snappy_cli_t)
seutil_read_file_contexts(snappy_cli_t)
seutil_read_default_contexts(snappy_cli_t)
seutil_read_config(snappy_cli_t)
selinux_load_policy(snappy_cli_t)
selinux_validate_context(snappy_cli_t)
corecmd_exec_bin(snappy_cli_t)

allow snappy_cli_t proc_t:file { getattr open read };
allow snappy_cli_t snappy_exec_t:file { read_file_perms };
allow snappy_cli_t self:capability { dac_override };

# go runtime poking at things
init_ioctl_stream_sockets(snappy_cli_t)
kernel_read_net_sysctls(snappy_cli_t)
kernel_search_network_sysctl(snappy_cli_t)
dev_read_sysfs(snappy_cli_t)

# talk to snapd
snappy_stream_connect(snappy_cli_t)

# check stuff in /run/user
userdom_search_user_tmp_dirs(snappy_cli_t)

# execute snapd internal tools
# needed to grab a version information from snap-seccomp
can_exec(snappy_cli_t, snappy_exec_t)

# probing cgroup version, /sys/fs/cgroup is a tmpfs for v1 or cgroup for v2
fs_getattr_tmpfs(snappy_cli_t)
fs_getattr_cgroup(snappy_cli_t)


########################################
#
# snappy (unconfined snap) local policy
#
permissive snappy_unconfined_snap_t;

# allow unconfined snap service to run as a system service
role system_r types snappy_unconfined_snap_t;
can_exec(snappy_unconfined_snap_t, snappy_snap_t)
domain_entry_file(snappy_unconfined_snap_t, snappy_snap_t)
domain_entry_file(unconfined_service_t, snappy_snap_t)

# for journald
gen_require(`
	type syslogd_t;
')
allow syslogd_t snappy_unconfined_snap_t:dir search_dir_perms;

allow snappy_unconfined_snap_t self:process { fork getsched };

# allow snappy_unconfined_snap_t snappy_snap_t:dir { list_dir_perms };
# allow snappy_unconfined_snap_t snappy_snap_t:file { read_file_perms };
# allow snappy_unconfined_snap_t snappy_snap_t:lnk_file { read_lnk_file_perms };

# snap can carry services, which are then started by systemd, need to allow
# systemd to manage them
allow init_t snappy_unconfined_snap_t:dir search_dir_perms;
allow init_t snappy_unconfined_snap_t:file { read_file_perms };
allow init_t snappy_unconfined_snap_t:lnk_file { read_lnk_file_perms };
allow init_t snappy_unconfined_snap_t:process { sigkill signull signal };

########################################
#
# file/dir transitions for unconfined_t
#

# snap tools can be invoked by the regular user, make sure that things get
# proper labels
gen_require(`
  type unconfined_t;
')
userdom_user_home_dir_filetrans(unconfined_t, snappy_home_t, dir, "snap")
userdom_admin_home_dir_filetrans(unconfined_t, snappy_home_t, dir, "snap")
files_pid_filetrans(unconfined_t, snappy_var_run_t, dir, "snapd")

########################################
#
# extra policy for init_t
#

# support socket activation of snap services, for such snaps the socket file can
# only be located under $SNAP_DATA or $SNAP_COMMON, both labeled as snappy_var_t;
allow init_t snappy_var_t:dir manage_dir_perms;
allow init_t snappy_var_t:sock_file manage_sock_file_perms;
# the snap is started via `snap run ..`
allow init_t snappy_cli_t:unix_stream_socket create_stream_socket_perms;
# init_t will try to remount snap mount directory when starting services that
# use Private* directives, while init_t is allowed to remount all fs, we cannot
# declare fs_type(snappy_snap_t) outside of core policy, add explicit permission
# instead
allow init_t snappy_snap_t:filesystem remount;

########################################
#
# extra policy for mandb_t
#
gen_require(`
	type mandb_t;
')
# mandb cache update scans whe whole directory tree looking for 'man'
allow mandb_t snappy_var_lib_t:dir search_dir_perms;

########################################
#
# extra policy for system dbus
#
gen_require(`
	type system_dbusd_t;
  ')
# system dbus may look info /var/lib/snapd/dbus-1
snappy_search_lib(system_dbusd_t)
snappy_read_lib(system_dbusd_t)
optional_policy(`
  gen_require(`
    # watch permission is defined only in recent versions of refpolicy
    class dir { watch };
  ')
  allow system_dbusd_t  snappy_var_lib_t:dir watch;
')