github.com/rigado/snapd@v2.42.5-go-mod+incompatible/data/selinux/snappy.te (about) 1 # This file is part of snapd-selinux 2 # Skeleton derived from Fedora selinux-policy, Copyright (C) 2016 Red Hat, Inc. 3 # Copyright (C) 2016 Neal Gompa 4 # 5 # This program is free software; you can redistribute it and/or modify 6 # it under the terms of the GNU General Public License as published by 7 # the Free Software Foundation; either version 2 of the License, or 8 # (at your option) any later version. 9 # 10 # This program is distributed in the hope that it will be useful, 11 # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 # GNU Library General Public License for more details. 14 # 15 # You should have received a copy of the GNU General Public License 16 # along with this program; if not, write to the Free Software 17 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 19 20 policy_module(snappy,0.1.0) 21 22 ######################################## 23 # 24 # Declarations 25 # 26 27 attribute_role snappy_roles; 28 29 # snapd 30 type snappy_t; 31 type snappy_exec_t; 32 # allow init domain to transition to snappy_t by executing snappy_exec_t 33 init_daemon_domain(snappy_t, snappy_exec_t) 34 35 role snappy_roles types snappy_t; 36 37 type snappy_config_t; 38 files_config_file(snappy_config_t) 39 40 type snappy_home_t; 41 typealias snappy_home_t alias { user_snappy_home_t staff_snappy_home_t sysadm_snappy_home_t }; 42 typealias snappy_home_t alias { auditadm_snappy_home_t secadm_snappy_home_t }; 43 userdom_user_home_content(snappy_home_t) 44 45 type snappy_var_t; 46 files_type(snappy_var_t) 47 48 type snappy_var_lib_t; 49 files_type(snappy_var_lib_t) 50 51 type snappy_var_cache_t; 52 files_type(snappy_var_cache_t) 53 54 type snappy_var_run_t; 55 files_pid_file(snappy_var_run_t) 56 57 type snappy_unit_file_t; 58 systemd_unit_file(snappy_unit_file_t) 59 60 type snappy_tmp_t; 61 files_tmp_file(snappy_tmp_t) 62 63 # actual snap 64 type snappy_snap_t; 65 # XXX: snappy_snap_t should be declared a filesystem, but due to how modules are 66 # handled we cannot generate required contexts with genfscon outside of core 67 # policy 68 # fs_type(snappy_snap_t) 69 files_type(snappy_snap_t) 70 files_mountpoint(snappy_snap_t) 71 72 # CLI tools: snap, snapctl 73 type snappy_cli_t; 74 type snappy_cli_exec_t; 75 domain_type(snappy_cli_t) 76 domain_entry_file(snappy_cli_t, snappy_cli_exec_t) 77 78 # helper tools: snap-{update,discard}-ns 79 type snappy_mount_t; 80 type snappy_mount_exec_t; 81 domain_type(snappy_mount_t) 82 domain_entry_file(snappy_mount_t, snappy_mount_exec_t) 83 84 # helper tool: snap-confine 85 type snappy_confine_t; 86 type snappy_confine_exec_t; 87 domain_type(snappy_confine_t) 88 domain_entry_file(snappy_confine_t, snappy_confine_exec_t) 89 90 type snappy_unconfined_snap_t; 91 unconfined_domain(snappy_unconfined_snap_t) 92 93 ######################################## 94 # 95 # snappy snapd local policy 96 # 97 98 # For development purposes, snappy_t domain is to be marked permissive 99 permissive snappy_t; 100 101 # Allow transitions from init_t to snappy for sockets 102 # init_named_socket_activation() is not supported by core policy in RHEL7 103 gen_require(` 104 type init_t; 105 type var_run_t; 106 ') 107 filetrans_pattern(init_t, var_run_t, snappy_var_run_t, sock_file, "snapd.socket") 108 filetrans_pattern(init_t, var_run_t, snappy_var_run_t, sock_file, "snapd-snap.socket") 109 110 # Allow init_t to read snappy data 111 allow init_t snappy_var_lib_t:dir read; 112 113 # Allow snapd to read procfs 114 gen_require(` 115 type proc_t; 116 ') 117 allow snappy_t proc_t:file { getattr open read }; 118 119 # Allow snapd to read sysfs 120 dev_read_sysfs(snappy_t) 121 dev_search_sysfs(snappy_t) 122 123 # This silences a read AVC denial event on the lost+found directory. 124 gen_require(` 125 type lost_found_t; 126 ') 127 dontaudit snappy_t lost_found_t:dir read; 128 129 # Allow snapd to read SSL cert store 130 miscfiles_read_all_certs(snappy_t) 131 132 # Allow snapd to read config files 133 read_files_pattern(snappy_t, snappy_config_t, snappy_config_t) 134 135 # Allow snapd to manage snaps' homedir data 136 admin_pattern(snappy_t, snappy_home_t) 137 userdom_search_user_home_dirs(snappy_t) 138 userdom_list_user_home_dirs(snappy_t) 139 140 # Allow snapd to read DNS config 141 sysnet_dns_name_resolve(snappy_t) 142 143 # When managed by NetworkManager, DNS config is in its rundata 144 gen_require(` 145 type NetworkManager_var_run_t; 146 ') 147 allow snappy_t NetworkManager_var_run_t:dir search; 148 149 # Allow snapd to read sysctl files 150 kernel_read_net_sysctls(snappy_t) 151 kernel_search_network_sysctl(snappy_t) 152 153 # Allow snapd to query SELinux status 154 selinux_get_enforce_mode(snappy_t) 155 156 # Allow snapd to manage D-Bus config files for snaps 157 optional_policy(` 158 dbus_read_config(snappy_t) 159 allow snappy_t dbusd_etc_t:file { write create rename unlink }; 160 allow snappy_t dbusd_etc_t:lnk_file { read }; 161 ') 162 163 # Allow snapd to manage udev rules for snaps and trigger events 164 optional_policy(` 165 udev_manage_rules_files(snappy_t) 166 udev_manage_pid_files(snappy_t) 167 udev_exec(snappy_t) 168 udev_domtrans(snappy_t) 169 udev_create_kobject_uevent_socket(snappy_t) 170 ') 171 allow snappy_t self:netlink_kobject_uevent_socket { create_socket_perms read }; 172 173 # Allow snapd to read/write systemd units and use systemctl for managing snaps 174 systemd_config_all_services(snappy_t) 175 systemd_manage_all_unit_files(snappy_t) 176 systemd_manage_all_unit_lnk_files(snappy_t) 177 systemd_exec_systemctl(snappy_t) 178 systemd_reload_all_services(snappy_t) 179 init_reload_services(snappy_t) 180 init_enable_services(snappy_t) 181 init_disable_services(snappy_t) 182 183 # Allow snapd to execute unsquashfs 184 corecmd_exec_bin(snappy_t) 185 186 # Allow snappy to exec helpers 187 can_exec(snappy_t, snappy_exec_t) 188 can_exec(snappy_t, snappy_mount_exec_t) 189 can_exec(snappy_t, snappy_cli_exec_t) 190 corecmd_search_bin(snappy_t) 191 # allow transition to snap cli domain 192 snappy_cli_domtrans(snappy_t) 193 # allow transition to mount helpers domain 194 snappy_mount_domtrans(snappy_t) 195 # allow transition to snap-confine domain 196 snappy_confine_domtrans(snappy_t) 197 198 # Allow snapd to get FUSE device attributes 199 storage_getattr_fuse_dev(snappy_t) 200 201 # Read l10n files? 202 miscfiles_read_localization(snappy_t) 203 204 # Allow snapd to read its run files, those files are managed elsewhere 205 read_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t) 206 getattr_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t) 207 208 gen_require(` 209 type user_tmp_t; 210 ') 211 allow snappy_t user_tmp_t:dir { read }; 212 213 # Allow snapd to clean up /run/user sockets 214 userdom_manage_tmp_dirs(snappy_t) 215 userdom_manage_tmp_sockets(snappy_t) 216 217 gen_require(` 218 type systemd_unit_file_t; 219 ') 220 allow snappy_t systemd_unit_file_t:dir { rmdir }; 221 222 gen_require(` 223 type home_root_t; 224 ') 225 allow snappy_t home_root_t:dir { read }; 226 227 # Allow snapd to manage its persistent data 228 admin_pattern(snappy_t, snappy_var_cache_t) 229 # for r/w to commands.db 230 mmap_rw_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t) 231 admin_pattern(snappy_t, snappy_var_lib_t) 232 # for r/w to errtracker.db 233 mmap_rw_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t) 234 # snap data files 235 admin_pattern(snappy_t, snappy_var_t) 236 # auto transition /var/snap when created at runtime 237 files_var_filetrans(snappy_t, snappy_var_t, dir, "snap") 238 # some snaps may create character files, eg. lxd creates /dev/full in the 239 # container's rootfs 240 manage_chr_files_pattern(snappy_t, snappy_var_t, snappy_var_t) 241 # And search/read mounted snaps 242 allow snappy_t snappy_snap_t:dir { list_dir_perms }; 243 allow snappy_t snappy_snap_t:file { read_file_perms }; 244 allow snappy_t snappy_snap_t:lnk_file { read_lnk_file_perms }; 245 246 # Grant snapd access to /tmp 247 admin_pattern(snappy_t, snappy_tmp_t) 248 files_tmp_filetrans(snappy_t, snappy_tmp_t, { file dir }) 249 250 # snap command completions, symlinks going back to snap mount directory 251 gen_require(` 252 type usr_t; 253 ') 254 allow snappy_t usr_t:dir { write remove_name add_name }; 255 allow snappy_t usr_t:lnk_file { create unlink }; 256 257 # Allow snapd to use ssh-keygen 258 ssh_exec_keygen(snappy_t) 259 260 # Allow snapd to access passwd file for lookup 261 auth_read_passwd(snappy_t) 262 263 # because /run/snapd/ns/*.mnt gets a label of the process context 264 gen_require(` type unconfined_t; ') 265 allow snappy_t unconfined_t:file getattr; 266 allow snappy_t snappy_confine_t:file getattr; 267 268 logging_send_syslog_msg(snappy_t) 269 270 allow snappy_t self:capability { dac_read_search dac_override fowner }; 271 allow snappy_t self:process { setpgid }; 272 273 # Various socket permissions 274 allow snappy_t self:fifo_file rw_fifo_file_perms; 275 allow snappy_t self:netlink_route_socket create_netlink_socket_perms; 276 allow snappy_t self:unix_stream_socket create_stream_socket_perms; 277 allow snappy_t self:tcp_socket create_stream_socket_perms; 278 allow snappy_t self:udp_socket create_stream_socket_perms; 279 allow snappy_t self:unix_dgram_socket create_socket_perms; 280 allow snappy_t self:capability2 block_suspend; 281 282 # snapd needs to check for ipv6 support 283 gen_require(` 284 type node_t; 285 ') 286 allow snappy_t node_t:tcp_socket node_bind; 287 288 corenet_all_recvfrom_unlabeled(snappy_t) 289 corenet_all_recvfrom_netlabel(snappy_t) 290 corenet_tcp_sendrecv_generic_if(snappy_t) 291 corenet_tcp_sendrecv_generic_node(snappy_t) 292 293 corenet_tcp_sendrecv_http_port(snappy_t) 294 corenet_tcp_connect_http_port(snappy_t) 295 corenet_tcp_sendrecv_http_cache_port(snappy_t) 296 corenet_tcp_connect_http_cache_port(snappy_t) 297 298 # snapd has its own internal DNS resolver 299 corenet_tcp_sendrecv_dns_port(snappy_t) 300 corenet_udp_sendrecv_dns_port(snappy_t) 301 corenet_tcp_connect_dns_port(snappy_t) 302 corenet_sendrecv_dns_client_packets(snappy_t) 303 304 # allow communication with polkit over dbus 305 optional_policy(` 306 policykit_dbus_chat(snappy_t) 307 ') 308 309 # allow communication with system bus 310 optional_policy(` 311 dbus_system_bus_client(snappy_t) 312 ') 313 314 # allow reading sssd files 315 optional_policy(` 316 sssd_read_public_files(snappy_t) 317 sssd_stream_connect(snappy_t) 318 ') 319 320 # for sanity checks 321 optional_policy(` 322 mount_run(snappy_t, snappy_roles) 323 ') 324 325 # snapd runs journalctl to fetch logs 326 optional_policy(` 327 journalctl_run(snappy_t, snappy_roles) 328 # and kills journalctl once the logs have been fetched 329 allow snappy_t journalctl_t:process sigkill; 330 ') 331 332 # only pops up in cloud images where cloud-init.target is incorrectly labeled 333 allow snappy_t init_var_run_t:lnk_file read; 334 335 # snapd may need to run helpers from the snaps, eg. fontconfig helper 336 can_exec(snappy_t, snappy_snap_t) 337 # fontconfig cache setup 338 miscfiles_manage_fonts_cache(snappy_t) 339 files_var_filetrans(snappy_t, fonts_cache_t, dir, "fontconfig") 340 # fontconfig cache is in /usr/lib/fontconfig/cache, but its labeling is 341 # incorrect, see https://bugzilla.redhat.com/show_bug.cgi?id=1659905 342 libs_manage_lib_dirs(snappy_t) 343 libs_manage_lib_files(snappy_t) 344 fs_getattr_xattr_fs(snappy_t) 345 # snapd checks whether <snap>.mnt exists before running the mount namespace 346 # helper tool 347 # fs_getattr_nsfs_files() is not available in selinux devel on CentOS 7.x 348 getattr_files_pattern(snappy_t, nsfs_t, nsfs_t) 349 350 # snapd attempts to read /run/cloud-init/instance-data.json 351 sysnet_read_config(snappy_t) 352 # however older policy may be missing the transition rules, and 353 # /run/cloud-init/instance-data.json ends up as var_run_t 354 files_read_generic_pids(snappy_t) 355 356 # snapd attempts to check /proc/sys/fs/may_detach_mounts during sanity testing 357 kernel_read_fs_sysctls(snappy_t) 358 359 # socket activated services may have their socket files created under 360 # $SNAP_COMMON, but lacking auto transition, they end up labeled as var_t 361 allow snappy_t var_t:sock_file unlink; 362 363 # snapd picks the process start time from /proc/<pid>/stat for polkit 364 allow snappy_t unconfined_t:dir search; 365 allow snappy_t unconfined_t:file { open read }; 366 367 # snapd executes runuser to take snapshots of user's snap data 368 allow snappy_t self:capability { setuid setgid }; 369 allow snappy_t self:process setsched; 370 # runuser uses kernel keyring 371 allow snappy_t self:key { search write }; 372 # runuser logs to audit 373 logging_send_audit_msgs(snappy_t) 374 375 ######################################## 376 # 377 # snap-update-ns, snap-dicsard-ns local policy 378 # 379 permissive snappy_mount_t; 380 381 role system_r types snappy_mount_t; 382 383 admin_pattern(snappy_mount_t, snappy_var_run_t) 384 files_pid_filetrans(snappy_mount_t, snappy_var_run_t, {file dir}) 385 386 # Allow snap-{update,discard}-ns to manage mounts 387 gen_require(` 388 type fs_t; 389 type mount_var_run_t; 390 ') 391 allow snappy_mount_t fs_t:filesystem { mount unmount }; 392 allow snappy_mount_t mount_var_run_t:dir { add_name remove_name write search }; 393 allow snappy_mount_t mount_var_run_t:file { create getattr setattr open read write rename unlink lock }; 394 # for discard-ns, because a preserved mount ns is a bind-mounted /proc/<pid>/ns/mnt 395 gen_require(` 396 type proc_t; 397 ') 398 allow snappy_mount_t proc_t:filesystem { getattr unmount }; 399 400 allow snappy_mount_t self:capability { sys_chroot sys_admin }; 401 402 manage_files_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t) 403 manage_dirs_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t) 404 405 read_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t) 406 getattr_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t) 407 read_lnk_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t) 408 409 fs_getattr_all_fs(snappy_mount_t) 410 fs_getattr_tmpfs(snappy_mount_t) 411 fs_getattr_xattr_fs(snappy_mount_t) 412 # snap-discard-ns pokes, reads and unmounts the mount ns captured at <snap>.mnt 413 fs_read_nsfs_files(snappy_mount_t) 414 fs_unmount_nsfs(snappy_mount_t) 415 416 # freezer 417 fs_manage_cgroup_dirs(snappy_mount_t) 418 fs_manage_cgroup_files(snappy_mount_t) 419 # TODO: further tweaks may be needed for layouts 420 # reading tmpfs symlinks, eg. /etc/os-release 421 fs_read_tmpfs_symlinks(snappy_mount_t) 422 423 # because /run/snapd/ns/*.mnt gets a label of the process context 424 gen_require(` 425 type unconfined_t; 426 ') 427 allow snappy_mount_t unconfined_t:file { open read getattr }; 428 allow snappy_mount_t snappy_confine_t:file { open read getattr }; 429 430 # Go runtime artifacts 431 kernel_read_system_state(snappy_mount_t) 432 kernel_read_net_sysctls(snappy_mount_t) 433 kernel_search_network_sysctl(snappy_mount_t) 434 dev_read_sysfs(snappy_mount_t) 435 436 ######################################## 437 # 438 # snap-confine local policy 439 # 440 permissive snappy_confine_t; 441 442 role system_r types snappy_confine_t; 443 snappy_mount_domtrans(snappy_confine_t) 444 allow snappy_confine_t snappy_mount_t:process2 nosuid_transition; 445 446 admin_pattern(snappy_confine_t, snappy_var_run_t) 447 448 allow snappy_confine_t snappy_var_lib_t:dir { list_dir_perms }; 449 allow snappy_confine_t snappy_var_lib_t:file { read_file_perms }; 450 allow snappy_confine_t snappy_var_lib_t:lnk_file { read_lnk_file_perms }; 451 452 files_pid_filetrans(snappy_confine_t, snappy_var_run_t, {file dir}) 453 454 allow snappy_confine_t snappy_home_t:dir { create_dir_perms list_dir_perms add_entry_dir_perms }; 455 allow snappy_confine_t snappy_home_t:file { read_file_perms }; 456 allow snappy_confine_t snappy_home_t:lnk_file { manage_lnk_file_perms }; 457 userdom_user_home_dir_filetrans(snappy_confine_t, snappy_home_t, dir, "snap") 458 userdom_admin_home_dir_filetrans(snappy_confine_t, snappy_home_t, dir, "snap") 459 460 allow snappy_confine_t snappy_snap_t:process transition; 461 462 allow snappy_confine_t self:process { setexec }; 463 allow snappy_confine_t self:capability { setgid setuid sys_admin sys_chroot dac_read_search dac_override }; 464 465 init_read_state(snappy_confine_t) 466 467 # libudev 468 udev_manage_pid_dirs(snappy_confine_t) 469 470 # basic access to system info in /proc 471 kernel_read_system_state(snappy_confine_t) 472 473 fs_getattr_all_fs(snappy_confine_t) 474 dev_getattr_fs(snappy_confine_t) 475 dev_getattr_sysfs_fs(snappy_confine_t) 476 fs_getattr_cgroup(snappy_confine_t) 477 fs_getattr_hugetlbfs(snappy_confine_t) 478 fs_getattr_tmpfs(snappy_confine_t) 479 fs_getattr_xattr_fs(snappy_confine_t) 480 fs_manage_cgroup_dirs(snappy_confine_t) 481 fs_write_cgroup_files(snappy_confine_t) 482 kernel_getattr_debugfs(snappy_confine_t) 483 kernel_getattr_proc(snappy_confine_t) 484 fs_read_nsfs_files(snappy_confine_t) 485 term_getattr_pty_fs(snappy_confine_t) 486 # term_getattr_generic_ptys() is not supported by core policy in RHEL7 487 allow snappy_confine_t devpts_t:chr_file getattr; 488 term_search_ptys(snappy_confine_t) 489 490 # because /run/snapd/ns/*.mnt gets a label of the process context 491 allow snappy_confine_t unconfined_t:file getattr; 492 493 # mount ns setup 494 gen_require(` 495 type ptmx_t; 496 type modules_object_t; 497 type ifconfig_var_run_t; 498 type var_log_t; 499 type lib_t; 500 ') 501 allow snappy_confine_t admin_home_t:dir mounton; 502 allow snappy_confine_t bin_t:dir mounton; 503 allow snappy_confine_t cert_t:dir { getattr mounton }; 504 allow snappy_confine_t device_t:filesystem unmount; 505 allow snappy_confine_t devpts_t:dir mounton; 506 allow snappy_confine_t etc_t:file mounton; 507 allow snappy_confine_t home_root_t:dir mounton; 508 allow snappy_confine_t ifconfig_var_run_t:dir mounton; 509 allow snappy_confine_t modules_object_t:dir mounton; 510 allow snappy_confine_t lib_t:dir mounton; 511 allow snappy_confine_t ptmx_t:chr_file { getattr mounton }; 512 allow snappy_confine_t snappy_snap_t:dir { mounton read }; 513 allow snappy_confine_t snappy_snap_t:file mounton; 514 allow snappy_confine_t snappy_snap_t:lnk_file read; 515 allow snappy_confine_t snappy_var_lib_t:dir mounton; 516 allow snappy_confine_t snappy_var_run_t:dir mounton; 517 allow snappy_confine_t snappy_var_run_t:file mounton; 518 allow snappy_confine_t snappy_var_t:dir { getattr mounton search }; 519 allow snappy_confine_t tmp_t:dir { add_name create mounton remove_name rmdir setattr write read }; 520 allow snappy_confine_t usr_t:dir mounton; 521 allow snappy_confine_t var_log_t:dir mounton; 522 allow snappy_confine_t var_run_t:dir mounton; 523 dev_mounton(snappy_confine_t) 524 dev_mounton_sysfs(snappy_confine_t) 525 dev_unmount_sysfs_fs(snappy_confine_t) 526 files_mounton_etc(snappy_confine_t) 527 files_mounton_mnt(snappy_confine_t) 528 files_mounton_rootfs(snappy_confine_t) 529 fs_unmount_xattr_fs(snappy_confine_t) 530 kernel_mounton_proc(snappy_confine_t) 531 kernel_unmount_proc(snappy_confine_t) 532 seutil_read_file_contexts(snappy_confine_t) 533 term_mount_pty_fs(snappy_confine_t) 534 535 # device group 536 fs_manage_cgroup_dirs(snappy_confine_t) 537 fs_manage_cgroup_files(snappy_confine_t) 538 # snap-update-ns and snap-confine use tmpfs when setting up the namespace, 539 # things may end up keeping tmpfs_t label 540 fs_read_tmpfs_symlinks(snappy_confine_t) 541 542 # restoring file contexts 543 seutil_read_file_contexts(snappy_confine_t) 544 seutil_read_default_contexts(snappy_confine_t) 545 seutil_read_config(snappy_confine_t) 546 547 can_exec(snappy_confine_t, snappy_snap_t) 548 read_files_pattern(snappy_confine_t, snappy_snap_t, snappy_snap_t) 549 # and allow transition by snap-confine 550 allow snappy_confine_t snappy_unconfined_snap_t:process { noatsecure rlimitinh siginh transition dyntransition }; 551 gen_require(` 552 type unconfined_service_t; 553 ') 554 allow snappy_confine_t unconfined_service_t:process { noatsecure rlimitinh siginh transition dyntransition }; 555 556 # for classic snaps, snap-confine executes snap-exec from the host (labeled as 557 # snappy_exec_t) 558 can_exec(snappy_confine_t, snappy_exec_t) 559 # allow snappy_exec_t to be an entrypoint to unconfined_service_t, only 560 # snap-confine is allowed to transition this way 561 domain_entry_file(unconfined_service_t, snappy_exec_t) 562 563 ######################################## 564 # 565 # snap, snapctl local policy 566 # 567 permissive snappy_cli_t; 568 569 role system_r types snappy_cli_t; 570 snappy_confine_domtrans(snappy_cli_t) 571 # services are started through 'snap run ...' wrapper 572 snappy_cli_domtrans(init_t) 573 574 relabel_dirs_pattern(snappy_cli_t, user_home_t, snappy_home_t) 575 relabel_files_pattern(snappy_cli_t, user_home_t, snappy_home_t) 576 relabel_dirs_pattern(snappy_cli_t, admin_home_t, snappy_home_t) 577 relabel_files_pattern(snappy_cli_t, admin_home_t, snappy_home_t) 578 579 manage_files_pattern(snappy_cli_t, snappy_home_t, snappy_home_t) 580 manage_lnk_files_pattern(snappy_cli_t, snappy_home_t, snappy_home_t) 581 manage_dirs_pattern(snappy_cli_t, snappy_home_t, snappy_home_t) 582 userdom_user_home_dir_filetrans(snappy_cli_t, snappy_home_t, dir, "snap") 583 userdom_admin_home_dir_filetrans(snappy_cli_t, snappy_home_t, dir, "snap") 584 585 allow snappy_cli_t snappy_snap_t:dir {list_dir_perms }; 586 allow snappy_cli_t snappy_snap_t:file { read_file_perms }; 587 allow snappy_cli_t snappy_snap_t:lnk_file { read_lnk_file_perms }; 588 589 allow snappy_cli_t snappy_var_lib_t:dir { list_dir_perms }; 590 allow snappy_cli_t snappy_var_lib_t:file { read_file_perms }; 591 allow snappy_cli_t snappy_var_lib_t:lnk_file { read_lnk_file_perms }; 592 593 # allow reading passwd 594 auth_read_passwd(snappy_cli_t) 595 # allow reading sssd files 596 optional_policy(` 597 sssd_read_public_files(snappy_cli_t) 598 sssd_stream_connect(snappy_cli_t) 599 ') 600 601 # restorecon, matchpathcon 602 seutil_domtrans_setfiles(snappy_cli_t) 603 seutil_read_file_contexts(snappy_cli_t) 604 seutil_read_default_contexts(snappy_cli_t) 605 seutil_read_config(snappy_cli_t) 606 selinux_load_policy(snappy_cli_t) 607 selinux_validate_context(snappy_cli_t) 608 corecmd_exec_bin(snappy_cli_t) 609 610 allow snappy_cli_t proc_t:file { getattr open read }; 611 allow snappy_cli_t snappy_exec_t:file { read_file_perms }; 612 allow snappy_cli_t self:capability { dac_override }; 613 614 # go runtime poking at things 615 init_ioctl_stream_sockets(snappy_cli_t) 616 kernel_read_net_sysctls(snappy_cli_t) 617 kernel_search_network_sysctl(snappy_cli_t) 618 dev_read_sysfs(snappy_cli_t) 619 620 # talk to snapd 621 snappy_stream_connect(snappy_cli_t) 622 623 # check stuff in /run/user 624 userdom_search_user_tmp_dirs(snappy_cli_t) 625 626 # execute snapd internal tools 627 # needed to grab a version information from snap-seccomp 628 can_exec(snappy_cli_t, snappy_exec_t) 629 630 ######################################## 631 # 632 # snappy (unconfined snap) local policy 633 # 634 permissive snappy_unconfined_snap_t; 635 636 # allow unconfined snap service to run as a system service 637 role system_r types snappy_unconfined_snap_t; 638 can_exec(snappy_unconfined_snap_t, snappy_snap_t) 639 domain_entry_file(snappy_unconfined_snap_t, snappy_snap_t) 640 domain_entry_file(unconfined_service_t, snappy_snap_t) 641 642 # for journald 643 gen_require(` 644 type syslogd_t; 645 ') 646 allow syslogd_t snappy_unconfined_snap_t:dir search_dir_perms; 647 648 allow snappy_unconfined_snap_t self:process { fork getsched }; 649 650 # allow snappy_unconfined_snap_t snappy_snap_t:dir { list_dir_perms }; 651 # allow snappy_unconfined_snap_t snappy_snap_t:file { read_file_perms }; 652 # allow snappy_unconfined_snap_t snappy_snap_t:lnk_file { read_lnk_file_perms }; 653 654 # snap can carry services, which are then started by systemd, need to allow 655 # systemd to manage them 656 allow init_t snappy_unconfined_snap_t:dir search_dir_perms; 657 allow init_t snappy_unconfined_snap_t:file { read_file_perms }; 658 allow init_t snappy_unconfined_snap_t:lnk_file { read_lnk_file_perms }; 659 allow init_t snappy_unconfined_snap_t:process { sigkill signull signal }; 660 661 ######################################## 662 # 663 # file/dir transitions for unconfined_t 664 # 665 666 # snap tools can be invoked by the regular user, make sure that things get 667 # proper labels 668 gen_require(` 669 type unconfined_t; 670 ') 671 userdom_user_home_dir_filetrans(unconfined_t, snappy_home_t, dir, "snap") 672 userdom_admin_home_dir_filetrans(unconfined_t, snappy_home_t, dir, "snap") 673 files_pid_filetrans(unconfined_t, snappy_var_run_t, dir, "snapd") 674 675 ######################################## 676 # 677 # extra policy for init_t 678 # 679 680 # support socket activation of snap services, for such snaps the socket file can 681 # only be located under $SNAP_DATA or $SNAP_COMMON, both labeled as snappy_var_t; 682 allow init_t snappy_var_t:dir manage_dir_perms; 683 allow init_t snappy_var_t:sock_file manage_sock_file_perms; 684 # the snap is started via `snap run ..` 685 allow init_t snappy_cli_t:unix_stream_socket create_stream_socket_perms; 686 # init_t will try to remount snap mount directory when starting services that 687 # use Private* directives, while init_t is allowed to remount all fs, we cannot 688 # declare fs_type(snappy_snap_t) outside of core policy, add explicit permission 689 # instead 690 allow init_t snappy_snap_t:filesystem remount; 691 692 ######################################## 693 # 694 # extra policy for mandb_t 695 # 696 gen_require(` 697 type mandb_t; 698 ') 699 # mandb cache update scans whe whole directory tree looking for 'man' 700 allow mandb_t snappy_var_lib_t:dir search_dir_perms;