dea93a5...
by
Michael Vogt
on 2019-05-04
Merge remote-tracking branch 'upstream/master' into release-2.39
7e37021...
by
Samuele Pedroni
on 2019-05-04
packaging: fix changelog typo
5a0a871...
by
Sergio Cazzolato
on 2019-05-03
Fix "Placeholer" is a misspelling of "Placeholder" issue
This is failing on master.
a799cf3...
by
Michael Vogt
on 2019-05-03
Merge remote-tracking branch 'upstream/master' into HEAD
d1e5a8d...
by
Michael Vogt
on 2019-05-03
debian: add placeholder 2.39 changelog
5a9245d...
by
Michael Vogt
on 2019-05-03
releasing package snapd version 2.39
e82b051...
by
Maciej Borzecki
on 2019-04-18
spread, tests: make ausearch interpret audit entries for easier debugging
This should have been enabled from the start. Makes audit entries like this:
time->Thu Apr 18 07:25:33 2019
type=PROCTITLE msg=audit(1555572333.539:193):
proctitle=2F7573722F7362696E2F72756E75736572002D75006775657374002D2D00746172002D2D637265617465002D2D737061727365002D2D677A6970002D2D6469726563746F7279002F686F6D652F67756573742F736E61702F746573742D736E6170642D746F6F6C732F003600636F6D6D6F6E
type=SYSCALL msg=audit(1555572333.539:193): arch=c000003e syscall=250
success=yes exit=0 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0 ppid=22643
pid=23027 auid=4294967295 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="runuser" exe="/usr/sbin/runuser"
subj=system_u:system_r:snappy_t:s0 key=(null)
type=AVC msg=audit(1555572333.539:193): avc: denied { write } for pid=23027
comm="runuser" scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1
be printed like so:
type=PROCTITLE msg=audit(04/18/2019 07:25:33.539:193) :
proctitle=/usr/sbin/runuser -u guest -- tar --create --sparse --gzip --directory /home/guest/snap/test-snapd-tools/ 6 common
type=SYSCALL msg=audit(04/18/2019 07:25:33.539:193) : arch=x86_64 syscall=keyctl
success=yes exit=0 a0=0x8 a1=0xfffffffc a2=0xfffffffd a3=0x0 items=0 ppid=22643
pid=23027 auid=unset uid=guest gid=guest euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=runuser
exe=/usr/sbin/runuser subj=system_u:system_r:snappy_t:s0 key=(null)
type=AVC msg=audit(04/18/2019 07:25:33.539:193) : avc: denied { write } for
pid=23027 comm=runuser scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1
Signed-off-by: Maciej Borzecki <email address hidden>
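The interpretation step this commit message describes (hex proctitle decoded, epoch timestamp rendered, AVC verdict pulled out), sketched in Python as an added example; it is not part of the snapd commit or of ausearch. RAW_RECORDS is constructed from two of the records quoted above, interpret() is a hypothetical helper, and UTC is assumed where ausearch would use local time.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the raw PROCTITLE and AVC records quoted in the commit message.
RAW_RECORDS = [
    "type=PROCTITLE msg=audit(1555572333.539:193): proctitle="
    "2F7573722F7362696E2F72756E75736572002D75006775657374002D2D00746172002D2D"
    "637265617465002D2D737061727365002D2D677A6970002D2D6469726563746F727900"
    "2F686F6D652F67756573742F736E61702F746573742D736E6170642D746F6F6C732F"
    "003600636F6D6D6F6E",
    'type=AVC msg=audit(1555572333.539:193): avc: denied { write } for pid=23027 '
    'comm="runuser" scontext=system_u:system_r:snappy_t:s0 '
    'tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1',
]

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\)\s*:")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def interpret(line):
    """Return the record type, a readable event id and the decoded fields."""
    head = HEADER.match(line)
    if head is None:
        raise ValueError("not an audit record: %r" % line[:40])
    rtype, secs, millis, serial = head.groups()
    # Assumption: UTC, so the result does not depend on the local timezone.
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    rec = {"type": rtype,
           "event": "%s.%s:%s" % (when.strftime("%m/%d/%Y %H:%M:%S"), millis, serial)}
    for key, value in FIELD.findall(line[head.end():]):
        rec[key] = value.strip('"')
    title = rec.get("proctitle", "")
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", title):
        # argv is hex-encoded because its elements are separated by NUL bytes.
        argv = bytes.fromhex(title).split(b"\x00")
        rec["proctitle"] = " ".join(a.decode("utf-8", "replace") for a in argv)
    verdict = PERMS.search(line)
    if verdict:
        rec["result"] = verdict.group(1)
        rec["perms"] = verdict.group(2).split()
    return rec

if __name__ == "__main__":
    for raw in RAW_RECORDS:
        print(interpret(raw))
```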
3e946a7...
by
Maciej Borzecki
on 2019-04-18
data/selinux: allow runuser keyring access, allow searching devpts
Allow runuser to use the kernel keyring, similar adjustments are already present
in the core policy for logrotate: https://access.redhat.com/solutions/1240253
Allow snap-confine to search devpts.
Relevant denials:
type=AVC msg=audit(1555529616.501:2750): avc: denied { search } for pid=2441
comm="snap-confine" name="/" dev="devpts" ino=1
scontext=system_u:system_r:snappy_confine_t:s0
tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1555529614.909:2741): avc: denied { write } for pid=2228
comm="runuser" scontext=system_u:system_r:snappy_t:s0
tcontext=system_u:system_r:snappy_t:s0 tclass=key permissive=1
Signed-off-by: Maciej Borzecki <email address hidden>
647fa6f...
by
Michael Vogt
on 2019-05-03
release 2.39~rc1
60d3e22...
by
Michael Vogt
on 2019-04-16
tests: set selinux-clean test to manual for now
The selinux-clean test breaks in master and in the pending PRs
depending on the test order. To ensure other PRs can land, this PR
disables it for now and when it's debugged we can re-enable.