~mvo/snapd/+git/snapd-mvo:release-2.39

Last commit made on 2019-05-04
Get this branch:
git clone -b release-2.39 https://git.launchpad.net/~mvo/snapd/+git/snapd-mvo

Branch information

Name:
release-2.39
Repository:
lp:~mvo/snapd/+git/snapd-mvo

Recent commits

dea93a5... by Michael Vogt

Merge remote-tracking branch 'upstream/master' into release-2.39

7e37021... by Samuele Pedroni

packaging: fix changelog typo

5a0a871... by Sergio Cazzolato

Fix "Placeholer" is a misspelling of "Placeholder" issue

This is failing on master.

a799cf3... by Michael Vogt

Merge remote-tracking branch 'upstream/master' into HEAD

d1e5a8d... by Michael Vogt

debian: add placeholder 2.39 changelog

5a9245d... by Michael Vogt

releasing package snapd version 2.39

e82b051... by Maciej Borzecki

spread, tests: make ausearch interpret audit entries for easier debugging

This should have been enabled from the start. Makes audit entries like this:

time->Thu Apr 18 07:25:33 2019
type=PROCTITLE msg=audit(1555572333.539:193):
proctitle=2F7573722F7362696E2F72756E75736572002D75006775657374002D2D00746172002D2D637265617465002D2D737061727365002D2D677A6970002D2D6469726563746F7279002F686F6D652F67756573742F736E61702F746573742D736E6170642D746F6F6C732F003600636F6D6D6F6E

type=SYSCALL msg=audit(1555572333.539:193): arch=c000003e syscall=250
success=yes exit=0 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0 ppid=22643
pid=23027 auid=4294967295 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="runuser" exe="/usr/sbin/runuser"
subj=system_u:system_r:snappy_t:s0 key=(null)

type=AVC msg=audit(1555572333.539:193): avc: denied { write } for pid=23027
comm="runuser" scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1

be printed like so:

type=PROCTITLE msg=audit(04/18/2019 07:25:33.539:193) :
proctitle=/usr/sbin/runuser -u guest -- tar --create --sparse --gzip --directory /home/guest/snap/test-snapd-tools/ 6 common

type=SYSCALL msg=audit(04/18/2019 07:25:33.539:193) : arch=x86_64 syscall=keyctl
success=yes exit=0 a0=0x8 a1=0xfffffffc a2=0xfffffffd a3=0x0 items=0 ppid=22643
pid=23027 auid=unset uid=guest gid=guest euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=runuser
exe=/usr/sbin/runuser subj=system_u:system_r:snappy_t:s0 key=(null)

type=AVC msg=audit(04/18/2019 07:25:33.539:193) : avc: denied { write } for
pid=23027 comm=runuser scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1

Signed-off-by: Maciej Borzecki <email address hidden>
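
An added example (not from the snapd tree and not ausearch's own code) of the translation shown in the commit message above: it decodes the hex-encoded `proctitle`, renders the event timestamp, and maps the all-ones `auid`/`ses` value to `unset`. Function names are hypothetical, timestamps are rendered in UTC (which matches the sample), and uid/gid name lookups and syscall-number mapping are left out.

```python
import re
from datetime import datetime, timezone

UNSET_ID = 0xFFFFFFFF  # (uid_t)-1: no login uid / no session recorded

# Raw records copied from the commit message above, joined onto one line each.
RAW_PROCTITLE = ("type=PROCTITLE msg=audit(1555572333.539:193): proctitle="
    "2F7573722F7362696E2F72756E75736572002D75006775657374002D2D00746172002D2D637265617465002D2D737061727365002D2D677A6970002D2D6469726563746F7279002F686F6D652F67756573742F736E61702F746573742D736E6170642D746F6F6C732F003600636F6D6D6F6E")
RAW_SYSCALL = ('type=SYSCALL msg=audit(1555572333.539:193): arch=c000003e syscall=250 '
    'success=yes exit=0 ppid=22643 pid=23027 auid=4294967295 uid=1000 euid=0 '
    'tty=(none) ses=4294967295 comm="runuser" exe="/usr/sbin/runuser" key=(null)')

def decode_proctitle(value):
    """Hex-encoded, NUL-separated argv -> space-joined command line."""
    if value.startswith('"'):  # printable values are logged quoted, not hex-encoded
        return value.strip('"')
    args = bytes.fromhex(value).rstrip(b"\0").split(b"\0")
    return " ".join(a.decode("utf-8", "replace") for a in args)

def interpret_stamp(stamp):
    """'1555572333.539:193' -> '04/18/2019 07:25:33.539:193' (UTC assumed)."""
    secs, rest = stamp.split(".", 1)
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return when.strftime("%m/%d/%Y %H:%M:%S") + "." + rest

def interpret_record(line):
    """Return (record type, readable timestamp, interpreted fields)."""
    m = re.match(r"type=(\S+) msg=audit\(([\d.:]+)\):\s*(.*)", line, re.S)
    if m is None:
        raise ValueError("not an audit record: %r" % line[:40])
    rtype, stamp, body = m.groups()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
    for key in ("auid", "ses"):
        if fields.get(key, "").isdigit() and int(fields[key]) == UNSET_ID:
            fields[key] = "unset"
    if "proctitle" in fields:
        fields["proctitle"] = decode_proctitle(fields["proctitle"])
    return rtype, interpret_stamp(stamp), fields

if __name__ == "__main__":
    for raw in (RAW_PROCTITLE, RAW_SYSCALL):
        rtype, stamp, fields = interpret_record(raw)
        print(rtype, stamp, fields)
```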

3e946a7... by Maciej Borzecki

data/selinux: allow runuser keyring access, allow searching devpts

Allow runuser to use the kernel keyring; similar adjustments are already present
in the core policy for logrotate: https://access.redhat.com/solutions/1240253

Allow snap-confine to search devpts.

Relevant denials:

type=AVC msg=audit(1555529616.501:2750): avc: denied { search } for pid=2441
comm="snap-confine" name="/" dev="devpts" ino=1
scontext=system_u:system_r:snappy_confine_t:s0
tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1555529614.909:2741): avc: denied { write } for pid=2228
comm="runuser" scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1

Signed-off-by: Maciej Borzecki <email address hidden>

647fa6f... by Michael Vogt

release 2.39~rc1

60d3e22... by Michael Vogt

tests: set selinux-clean test to manual for now

The selinux-clean test breaks in master and in the pending PRs
depending on the test order. To ensure other PRs can land, this PR
disables it for now, and when it's debugged we can re-enable.