As there doesn’t appear to be a topic for this now (mainly because I’ve historically co-opted the main release cycle thread), I’ve decided to finally create a topic for snapd updates in Fedora.
To start things off, I’ve just submitted snapd-2.31.1 and snapd-glib-1.38 as updates to Fedora:
These should be pushed out to the mirror network within the next 12-24 hours.
These updates are a bit different than usual, as they will obsolete snapd-login-service if it exists on your system. Also, snapd-glib now conflicts with all known versions of snapd-login-service to prevent it from being installed again.
The primary consumer of snapd-login-service was GNOME Software. So I’d appreciate folks who use GNOME Software on Fedora testing this update, to ensure that the snap plugin doesn’t break with the transition. It shouldn’t, as I’ve been assured by @robert.ancell that it shouldn’t need it anymore.
From now on, if you attempt to install snapd-login-service, you will get snapd instead. This is by design to not break the gnome-software-snap package.
To test this update, do the following:
# Fedora 27
$ sudo dnf --enablerepo=updates-testing --refresh upgrade --advisory=FEDORA-2018-b097392ad2
# Fedora 26
$ sudo dnf --enablerepo=updates-testing --refresh upgrade --advisory=FEDORA-2018-7df5579f77
And of course, if any other issues come up, feel free to mention them here!
8 Likes
It’s that time again! New snapd and snapd-glib updates for Fedora!
This go around, I’ve updated to snapd-2.32.4 and snapd-glib-1.39.
The big change here is that this update should reduce the amount of warnings from SELinux with regards to snapd accessing more parts of the operating system.
Updates have been proposed for Fedora 26, 27, and 28:
These should be pushed out to the mirror network within the next 12-24 hours.
4 Likes
I will try the F27 update in the evening. Thank you for making this Neal 
The update works very well. I have added one bit of feedback about SELinux that I think is worth including in 2.23.5. Have a look.
snapd and snapd-glib updates for everyone on Fedora!
I’ve bumped it to snapd-2.33.1 and snapd-glib-1.41.
Once again, there’s been some more work on the SELinux policy to reduce the warnings and be a bit more permissive.
Updates have been proposed for Fedora 27 and 28:
These should be pushed out to the mirror network within the next 24 hours.
4 Likes
Another round of snapd and snapd-glib updates for Fedorans is here!
I’ve bumped it to snapd-2.35 and snapd-glib-1.43.
Updates have been proposed for Fedora 27 and 28:
There’s been a bit more work on SELinux policy improvements this round, as well. However, the big thing for this release is that it includes the fixes for supporting a proper Fedora base snap, which @zyga-snapd and I are working on.
Note that for the moment, the new snapd is not yet available for Fedora 29 or Fedora Rawhide (F30), due to RH#1622312. This will hopefully be resolved soon.
3 Likes
With the update to golang-1.11 final, I was finally able to build snapd for Fedora 29 and Rawhide.
As we’re past the Bodhi activation point in the development schedule, I’ve submitted an update for Fedora 29: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d6660293c6.
2 Likes
Another round of snapd and snapd-glib updates for Fedorans is here!
I’ve bumped it to snapd-2.36 and snapd-glib-1.44.
Updates have been proposed for Fedora 27, 28, and 29:
The main thing with this update is that the man pages all moved to section 8, which removes some conflicts with other tools. This is also the last snapd and snapd-glib update for Fedora 27, which will EOL in approximately a month.
These should be pushed out to the mirror network within the next 24 hours.
6 Likes
I am getting SELinux error messages on Fedora 28:
SELinux is preventing pmdalinux from search access on the directory /var/lib/snapd.
➜ ~ sealert -l 631aca24-94b1-4614-9829-fa526694f508
SELinux is preventing pmdalinux from search access on the directory /var/lib/snapd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmdalinux should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:object_r:snappy_var_lib_t:s0
Target Objects /var/lib/snapd [ dir ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host blackred
Source RPM Packages
Target RPM Packages snapd-2.36.3-1.fc29.x86_64
Policy RPM selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name blackred
Platform Linux blackred 4.19.10-300.fc29.x86_64 #1 SMP Mon
Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count 1571
First Seen 2018-12-25 18:20:20 +03
Last Seen 2018-12-25 18:50:12 +03
Local ID 631aca24-94b1-4614-9829-fa526694f508
Raw Audit Messages
type=AVC msg=audit(1545753012.796:5572): avc: denied { search } for pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
Hash: pmdalinux,pcp_pmcd_t,snappy_var_lib_t,dir,search
Is there a way to fix it?
Another round of snapd and snapd-glib updates for Fedorans is here!
I’ve bumped it to snapd-2.38 and snapd-glib-1.47.
Updates have been proposed for Fedora 28, 29, and 30:
There’s not much change here, so it’s a rather routine update.
1 Like
Freshly baked snapd updates for Fedorans are now available.
snapd-2.39 has been proposed for Fedora 29 and 30
This release is special, as it includes a completely revamped SELinux policy and rudimentary SELinux integration in snap-confine. It doesn’t do too much yet, but it lays the foundations for improvements later.
Due to the large array of changes, I’m not auto-pushing this when it reaches karma limit.
In addition, due to the upcoming EOL of Fedora 28, I have not supplied an update for that. snapd-2.38 was the end of the line for Fedora 28.
2 Likes
Thank you for the update!
Installed some basic snaps and LXD. Things generally work ok, with one particular problem I’ve described below. All tests were done with SELinux in enforcing mode.
There is a systemd bug related to SELinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1699087 TLDR, when a policy for init_t is updated, the changes will not be immediately picked up. One has to either call systemctl daemon-reexec or reboot. This breaks installation of the LXD snap right after having installed snapd. The logs state:
May 13 05:59:39 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed to create listening socket (/var/snap/lxd/common/lxd/unix.socket): Permission denied
May 13 05:59:39 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed to listen on sockets: Permission denied
May 13 05:59:39 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed with result 'resources'.
And there is a relevant entry in the audit log too:
type=AVC msg=audit(05/13/2019 05:55:30.839:197) :
avc: denied { create } for pid=1 comm=systemd
name=unix.socket scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
1 Like
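Added example, not part of any post in this thread: a small parser that reduces the two AVC denials quoted above (pmdalinux on /var/lib/snapd, and systemd creating the LXD unix.socket) to the source type, target type, object class and permission that a policy fix would have to cover. The function names are hypothetical; the sample records are the ones from the posts, with the second re-joined onto one line.

```python
import re
from collections import Counter

# Both AVC records are copied from the posts above; the second one is
# re-joined onto a single line (it is split across four lines on the page).
SAMPLE = [
    'type=AVC msg=audit(1545753012.796:5572): avc: denied { search } for pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(05/13/2019 05:55:30.839:197) : avc: denied { create } for pid=1 comm=systemd name=unix.socket scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may or may not be quoted

def parse_avc(line):
    """Parse one AVC denial in either timestamp form; None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        return {
            'comm': fields['comm'],
            'name': fields.get('name', ''),
            # A context is user:role:type:level; policy rules are written on the type.
            'source_type': fields['scontext'].split(':')[2],
            'target_type': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'perms': m.group('perms').split(),
            'enforced': fields.get('permissive') == '0',
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def denial_key(rec):
    """Same fields, in the same order, as the 'Hash:' line in the sealert output above."""
    return ','.join([rec['comm'], rec['source_type'], rec['target_type'],
                     rec['tclass'], *rec['perms']])

def summarize(lines):
    """Count denials per key so repeated alerts collapse into one row each."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[denial_key(rec)] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

Grouping by this key shows whether a long run of alerts, such as the 1571 reported for pmdalinux, is one missing rule or several distinct ones.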
Due to an unfortunate uncaught bug with the new SELinux integration (RH#1708991), snapd-2.39.1 with a backported fix has been proposed as an update for Fedora 29 and Fedora 30.
Please test!
2 Likes
More SELinux policy fixes coming down the pipeline with this new snapd-2.39.2 update with a backported fix.
Please test!
3 Likes
@Conan_Kudo are there any plans to fix https://bugzilla.redhat.com/show_bug.cgi?id=1648701 for Fedora 30 and perhaps more SELinux problems?
I can extend the policy to allow this. However, I do feel a bit uneasy about the change. The change requires that the policy we ship with snapd affect types that are normally defined in the reference policy.
Will talk to @Conan_kudo to include it in the package.
What is a reference policy and what types are affected?
It’s been a while, but I’m pleased to release snapd updates for Fedorans!
snapd-2.42 has been proposed for Fedora 29, 30, and 31
This is the last release of snapd for Fedora 29, as Fedora 29 will go EOL in a month.
Please test and give karma!
3 Likes
Tested 30 and 31. Both were pushed to stable.
I’m pleased to release snapd updates for Fedorans!
snapd-2.43.3 has been proposed for Fedora 30 and 31
Please test and give karma!