Snapd updates in Fedora


#1

As there doesn’t appear to be a topic for this now (mainly because I’ve historically co-opted the main release cycle thread), I’ve decided to finally create a topic for snapd updates in Fedora.

To start things off, I’ve just submitted snapd-2.31.1 and snapd-glib-1.38 as updates to Fedora:

These should be pushed out to the mirror network within the next 12-24 hours.

These updates are a bit different than usual, as they will obsolete snapd-login-service if it exists on your system. Also, snapd-glib now conflicts with all known versions of snapd-login-service to prevent it from being installed again.

The primary consumer of snapd-login-service was GNOME Software. So I’d appreciate folks who use GNOME Software on Fedora testing this update, to ensure that the snap plugin doesn’t break with the transition. It shouldn’t, as I’ve been assured by @robert.ancell that it shouldn’t need it anymore.

From now on, if you attempt to install snapd-login-service, you will get snapd instead. This is by design to not break the gnome-software-snap package.

To test this update, do the following:

# Fedora 27
$ sudo dnf --enablerepo=updates-testing --refresh upgrade --advisory=FEDORA-2018-b097392ad2
# Fedora 26
$ sudo dnf --enablerepo=updates-testing --refresh upgrade --advisory=FEDORA-2018-7df5579f77

And of course, if any other issues come up, feel free to mention them here!


#2

It’s that time again! New snapd and snapd-glib updates for Fedora!

This go around, I’ve updated to snapd-2.32.4 and snapd-glib-1.39.

The big change here is that this update should reduce the amount of warnings from SELinux with regards to snapd accessing more parts of the operating system.

Updates have been proposed for Fedora 26, 27, and 28:

These should be pushed out to the mirror network within the next 12-24 hours.


#3

I will try the F27 update in the evening. Thank you for making this Neal :slight_smile:


#4

The update works very well. I have added one bit of feedback about SELinux that I think is worth including in 2.23.5. Have a look.


#5

snapd and snapd-glib updates for everyone on Fedora!

I’ve bumped it to snapd-2.33.1 and snapd-glib-1.41.

Once again, there’s been some more work on the SELinux policy to reduce the warnings and be a bit more permissive.

Updates have been proposed for Fedora 27 and 28:

These should be pushed out to the mirror network within the next 24 hours.


#6

Another round of snapd and snapd-glib updates for Fedorans is here!

I’ve bumped it to snapd-2.35 and snapd-glib-1.43.

Updates have been proposed for Fedora 27 and 28:

There’s been a bit more work on SELinux policy improvements this round, as well. However, the big thing for this release is that it includes the fixes for supporting a proper Fedora base snap, which @zyga and I are working on.

Note that for the moment, the new snapd is not yet available for Fedora 29 or Fedora Rawhide (F30), due to RH#1622312. This will hopefully be resolved soon.


#7

With the update to golang-1.11 final, I was finally able to build snapd for Fedora 29 and Rawhide.

As we’re past the Bodhi activation point in the development schedule, I’ve submitted an update for Fedora 29: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d6660293c6.


#8

Another round of snapd and snapd-glib updates for Fedorans is here!

I’ve bumped it to snapd-2.36 and snapd-glib-1.44.

Updates have been proposed for Fedora 27, 28, and 29:

The main thing with this update is that the man pages all moved to section 8, which removes some conflicts with other tools. This is also the last snapd and snapd-glib update for Fedora 27, which will EOL in approximately a month.

These should be pushed out to the mirror network within the next 24 hours.


#9

I am getting SELinux error messages on Fedora 28:

SELinux is preventing pmdalinux from search access on the directory /var/lib/snapd.
➜  ~ sealert -l 631aca24-94b1-4614-9829-fa526694f508
SELinux is preventing pmdalinux from search access on the directory /var/lib/snapd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp


Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:snappy_var_lib_t:s0
Target Objects                /var/lib/snapd [ dir ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          blackred
Source RPM Packages           
Target RPM Packages           snapd-2.36.3-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     blackred
Platform                      Linux blackred 4.19.10-300.fc29.x86_64 #1 SMP Mon
                              Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   1571
First Seen                    2018-12-25 18:20:20 +03
Last Seen                     2018-12-25 18:50:12 +03
Local ID                      631aca24-94b1-4614-9829-fa526694f508

Raw Audit Messages
type=AVC msg=audit(1545753012.796:5572): avc:  denied  { search } for  pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0


Hash: pmdalinux,pcp_pmcd_t,snappy_var_lib_t,dir,search

Is there a way to fix it?


#10

Another round of snapd and snapd-glib updates for Fedorans is here!

I’ve bumped it to snapd-2.38 and snapd-glib-1.47.

Updates have been proposed for Fedora 28, 29, and 30:

There’s not much change here, so it’s a rather routine update.


#11

Freshly baked snapd updates for Fedorans are now available.

snapd-2.39 has been proposed for Fedora 29 and 30

This release is special, as it includes a completely revamped SELinux policy and rudimentary SELinux integration in snap-confine. It doesn’t do too much yet, but it lays the foundations for improvements later.

Due to the large array of changes, I’m not auto-pushing this when it reaches karma limit.

In addition, due to the upcoming EOL of Fedora 28, I have not supplied an update for that. snapd-2.38 was the end of the line for Fedora 28.


#12

Thank you for the update!

Installed some basic snaps and LXD. Things generally work ok, with one particular problem I’ve described below. All tests were done with SELinux in enforcing mode.

There is a systemd bug related to SELinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1699087 TLDR, when a policy for init_t is updated, the changes will not be immediately picked up. One has to either call systemctl daemon-reexec or reboot. This breaks installation of the LXD snap right after having installed snapd. The logs state:

May 13 05:59:39 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed to create listening socket (/var/snap/lxd/common/lxd/unix.socket): Permission denied                
May 13 05:59:39 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed to listen on sockets: Permission denied                                                             
May 13 05:59:39 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed with result 'resources'.                

And there is a relevant entry in the audit log too:

type=AVC msg=audit(05/13/2019 05:55:30.839:197) : 
   avc:  denied  { create } for  pid=1 comm=systemd
   name=unix.socket scontext=system_u:system_r:init_t:s0
   tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0  
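
A triage helper for the two AVC denials posted in this thread (posts #9 and #12), added here as an example; it is not code from any poster or from snapd. The function names and hint strings are made up for illustration, and the `init_t` hint follows the systemd behaviour described in post #12.

```python
import re
from collections import Counter

# AVC records as posted in this thread: raw format, then wrapped `ausearch -i` style.
SAMPLE = '''\
type=AVC msg=audit(1545753012.796:5572): avc:  denied  { search } for  pid=1840 comm="pmdalinux" name="snapd" dev="sdb3" ino=657548 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(05/13/2019 05:55:30.839:197) :
   avc:  denied  { create } for  pid=1 comm=systemd
   name=unix.socket scontext=system_u:system_r:init_t:s0
   tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
'''

DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # handles comm="x" and comm=x

def records(text):  # one joined string per record; a record starts at 'type='
    buf = []
    for line in text.splitlines():
        if line.startswith('type=') and buf:
            yield ' '.join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield ' '.join(buf)

def parse_avc(record):  # fields needed for triage, or None
    m = DENIED.search(record)
    f = {k: v.strip('"') for k, v in FIELD.findall(record)}
    if not m or not {'scontext', 'tcontext', 'tclass'} <= f.keys():
        return None  # not a denial, or truncated: skip rather than guess
    return {
        'comm': f.get('comm', '?'),
        'source': f['scontext'].split(':')[2],  # user:role:type:level -> type
        'target': f['tcontext'].split(':')[2],
        'tclass': f['tclass'],
        'perms': ' '.join(sorted(m.group(1).split())),
    }

def triage(text):
    """Count distinct denials; init_t sources get the workaround from post #12."""
    counts = Counter()
    for d in filter(None, map(parse_avc, records(text))):
        rule = '{source} -> {target}:{tclass} {{ {perms} }}'.format(**d)
        hint = 'systemctl daemon-reexec, retest' if d['source'] == 'init_t' else 'report as bug'
        counts[(rule, d['comm'], hint)] += 1
    return counts

if __name__ == '__main__':
    print(*triage(SAMPLE).items(), sep='\n')
```

Grouping by source type, target type, class and permission collapses repeated alerts (post #9 shows an alert count of 1571 for a single rule) into one line each, which makes it easier to see what a local policy module would actually allow before generating one.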

#13

Due to an unfortunate uncaught bug with the new SELinux integration (RH#1708991), snapd-2.39.1 with a backported fix has been proposed as an update for Fedora 29 and Fedora 30.

Please test!


#14

More SELinux policy fixes coming down the pipeline with this new snapd-2.39.2 update with a backported fix.

Please test!