Snapd updates in Fedora


#1

As there doesn’t appear to be a topic for this now (mainly because I’ve historically co-opted the main release cycle thread), I’ve decided to finally create a topic for snapd updates in Fedora.

To start things off, I’ve just submitted snapd-2.31.1 and snapd-glib-1.38 as updates to Fedora:

These should be pushed out to the mirror network within the next 12-24 hours.

These updates are a bit different than usual, as they will obsolete snapd-login-service if it exists on your system. Also, snapd-glib now conflicts with all known versions of snapd-login-service to prevent it from being installed again.

The primary consumer of snapd-login-service was GNOME Software. So I’d appreciate folks who use GNOME Software on Fedora testing this update, to ensure that the snap plugin doesn’t break with the transition. It shouldn’t, as I’ve been assured by @robert.ancell that it shouldn’t need it anymore.

From now on, if you attempt to install snapd-login-service, you will get snapd instead. This is by design to not break the gnome-software-snap package.

To test this update, do the following:

# Fedora 27
$ sudo dnf --enablerepo=updates-testing --refresh upgrade --advisory=FEDORA-2018-b097392ad2
# Fedora 26
$ sudo dnf --enablerepo=updates-testing --refresh upgrade --advisory=FEDORA-2018-7df5579f77

And of course, if any other issues come up, feel free to mention them here!


#2

It’s that time again! New snapd and snapd-glib updates for Fedora!

This go around, I’ve updated to snapd-2.32.4 and snapd-glib-1.39.

The big change here is that this update should reduce the amount of warnings from SELinux with regards to snapd accessing more parts of the operating system.

Updates have been proposed for Fedora 26, 27, and 28:

These should be pushed out to the mirror network within the next 12-24 hours.


#3

I will try the F27 update in the evening. Thank you for making this, Neal.


#4

The update works very well. I have added one bit of feedback about SELinux that I think is worth including in 2.23.5. Have a look.


#5

snapd and snapd-glib updates for everyone on Fedora!

I’ve bumped it to snapd-2.33.1 and snapd-glib-1.41.

Once again, there’s been some more work on the SELinux policy to reduce the warnings and be a bit more permissive.

Updates have been proposed for Fedora 27 and 28:

These should be pushed out to the mirror network within the next 24 hours.


#6

Another round of snapd and snapd-glib updates for Fedorans is here!

I’ve bumped it to snapd-2.35 and snapd-glib-1.43.

Updates have been proposed for Fedora 27 and 28:

There’s been a bit more work on SELinux policy improvements this round, as well. However, the big thing for this release is that it includes the fixes for supporting a proper Fedora base snap, which @zyga and I are working on.

Note that for the moment, the new snapd is not yet available for Fedora 29 or Fedora Rawhide (F30), due to RH#1622312. This will hopefully be resolved soon.


#7

With the update to golang-1.11 final, I was finally able to build snapd for Fedora 29 and Rawhide.

As we’re past the Bodhi activation point in the development schedule, I’ve submitted an update for Fedora 29: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d6660293c6.


#8

Another round of snapd and snapd-glib updates for Fedorans is here!

I’ve bumped it to snapd-2.36 and snapd-glib-1.44.

Updates have been proposed for Fedora 27, 28, and 29:

The main thing with this update is that the man pages all moved to section 8, which removes some conflicts with other tools. This is also the last snapd and snapd-glib update for Fedora 27, which will EOL in approximately a month.

These should be pushed out to the mirror network within the next 24 hours.


#9

I am getting SELinux error messages on Fedora 28:

SELinux is preventing pmdalinux from search access on the directory /var/lib/snapd.
➜  ~ sealert -l 631aca24-94b1-4614-9829-fa526694f508
SELinux is preventing pmdalinux from search access on the directory /var/lib/snapd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp


Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:snappy_var_lib_t:s0
Target Objects                /var/lib/snapd [ dir ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          blackred
Source RPM Packages           
Target RPM Packages           snapd-2.36.3-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     blackred
Platform                      Linux blackred 4.19.10-300.fc29.x86_64 #1 SMP Mon
                              Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   1571
First Seen                    2018-12-25 18:20:20 +03
Last Seen                     2018-12-25 18:50:12 +03
Local ID                      631aca24-94b1-4614-9829-fa526694f508

Raw Audit Messages
type=AVC msg=audit(1545753012.796:5572): avc:  denied  { search } for  pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0


Hash: pmdalinux,pcp_pmcd_t,snappy_var_lib_t,dir,search

Is there a way to fix it?
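
Added example, not part of the thread or of the snapd packaging: a small Python triage script that parses raw AVC records like the one in the report above, counts repeats by the same tuple shown on sealert's "Hash:" line, and prints the single rule a local module would contain so it can be reviewed before anything is loaded. The second AVC record and the SYSCALL record in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the first record is the raw AVC line from the report above;
# the second AVC record and the SYSCALL record are constructed for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1545753012.796:5572): avc:  denied  { search } for  pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1545753072.801:5601): avc:  denied  { search } for  pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1545753072.801:5601): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"comm", "scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "comm": fields["comm"],
        # A context is user:role:type:level; policy rules are written on the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": m.group("perms").split(),
        # permissive=0 means the access was really blocked, not just logged.
        "enforced": fields.get("permissive") == "0",
    }

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["comm"], rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts

def candidate_rule(key):
    """Render the allow rule that would cover one denial tuple, for review."""
    _, source, target, tclass, perm = key
    return f"allow {source} {target}:{tclass} {perm};"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n:>5}  {','.join(key)}  ->  {candidate_rule(key)}")
```
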