snapd:release/2.40

Last commit made on 2019-08-20
Get this branch:
git clone -b release/2.40 https://git.launchpad.net/snapd

Branch information

Name:
release/2.40
Repository:
lp:snapd

Recent commits

c390a8f... by Maciej Borzecki on 2019-08-20

Merge pull request #7264 from bboozzoo/bboozzoo/build-on-rhel-2.40

packaging/fedora: build on RHEL8 (2.40)

d5eec0d... by Sergio Cazzolato on 2019-07-19

Removing support for ubuntu cosmic on test suite

6531bc0... by Maciej Borzecki on 2019-08-19

Merge remote-tracking branch 'upstream/release/2.40' into bboozzoo/build-on-rhel-2.40

df3a671... by Maciej Borzecki on 2019-08-05

packaging/debian-sid: set GOCACHE to a known writable location

Go attempts to automatically cache build artifacts under $GOCACHE. This normally
defaults to $HOME/.cache/go-build. When building snapd under sbuild, $HOME is
set to a location that does not exist. The tests/main/sbuild spread job fails
with the log:

  + echo 'And build it normally'
  And build it normally
  + su -c 'sbuild -d sid --run-autopkgtest /home/gopath/src/github.com/snapcore/snapd/../*.dsc' test
  E: Build failure (dpkg-buildpackage died)

Inspecting build log manually, the following can be found:

  (cd _build/bin && GOPATH=$(pwd)/.. CGO_ENABLED=0 go build github.com/snapcore/snapd/cmd/snap-exec)
  failed to initialize build cache at /sbuild-nonexistent/.cache/go-build: mkdir /sbuild-nonexistent: permission denied
  make[1]: *** [debian/rules:147: override_dh_auto_build] Error 1
  make[1]: Leaving directory '/<<PKGBUILDDIR>>'
  make: *** [debian/rules:102: build] Error 2
  dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2

Signed-off-by: Maciej Borzecki <email address hidden>

d8dedaf... by Maciej Borzecki on 2019-08-14

packaging/fedora: make sure RHEL8 static Go binaries are built as PIE

Signed-off-by: Maciej Borzecki <email address hidden>

832f9f4... by Maciej Borzecki on 2019-08-14

packaging/fedora: define gobuild_static for RHEL8

The gobuild_static macro is not defined in the go-toolset module packaging. For
now, make sure that we define it for all RHEL versions above 7.

Signed-off-by: Maciej Borzecki <email address hidden>

27075ca... by Maciej Borzecki on 2019-08-14

packaging/fedora: drop indent from build requires

Indent has been dropped in RHEL8[1]. We do not really need it for building
snapd, and it is not listed in Arch's PKGBUILD either. Might just as well drop
it from spec too.

[1]. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#removed-packages_changes-to-packages

Signed-off-by: Maciej Borzecki <email address hidden>

47c7cbe... by Maciej Borzecki on 2019-07-29

data/selinux: allow read on sysfs

Go 1.13 runtime pokes /sys/kernel/mm/transparent_hugepage/hpage_pmd_size during
setup, thus triggering the following denial:

----
time->Mon Jul 29 13:14:03 2019
type=AVC msg=audit(1564406043.239:221): avc: denied { read } for pid=23708 comm="6" name="hpage_pmd_size" dev="sysfs" ino=2621 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 13:14:03 2019
type=AVC msg=audit(1564406043.239:222): avc: denied { open } for pid=23708 comm="6" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=2621 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 13:15:15 2019
type=AVC msg=audit(1564406115.994:251): avc: denied { read } for pid=24049 comm="snap" name="hpage_pmd_size" dev="sysfs" ino=2621 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 13:15:15 2019
type=AVC msg=audit(1564406115.994:252): avc: denied { open } for pid=24049 comm="snap" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=2621 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Signed-off-by: Maciej Borzecki <email address hidden>

ddc53df... by Maciej Borzecki on 2019-08-13

data/selinux: tweak formatting of gen_require() blocks

Tweak the formatting of gen_require() blocks to be in line with refpolicy.

Signed-off-by: Maciej Borzecki <email address hidden>

8c379c1... by Maciej Borzecki on 2019-08-13

data/selinux: allow mandb_t to search /var/lib/snapd

Mandb tends to look everywhere in the filesystem in search for directories
containing manpages. Since cache update is executed under a targeted policy,
with mandb_t type, attempts to poke under /var/lib/snapd (snappy_var_lib_t)
raise SELinux denials like this:

time->Tue Aug 13 11:44:03 2019
type=AVC msg=audit(1565696643.557:298): avc: denied { search } for pid=22851
         comm="mandb" name="snapd" dev="vda1" ino=524751
         scontext=system_u:system_r:mandb_t:s0
         tcontext=system_u:object_r:snappy_var_lib_t:s0
         tclass=dir permissive=0

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1648701

Signed-off-by: Maciej Borzecki <email address hidden>
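
The two data/selinux commits above (sysfs read, mandb_t search) quote raw AVC denials. As an added example, not snapd's code and not the policy change those commits made, this Python script rejoins hard-wrapped audit records and merges them into candidate allow rules, in the manner of audit2allow. SAMPLE is constructed from the quoted denials and re-wrapped as a terminal paste would leave it; `unwrap` and `allow_rules` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: three denials from the commit messages, hard-wrapped
# as a terminal paste leaves them (one break falls inside "scontext=").
SAMPLE = """\
----
time->Mon Jul 29 13:14:03 2019
type=AVC msg=audit(1564406043.239:221): avc: denied { read } for pid=23708 comm="6" name="hpage_pmd_size" dev="sysfs" ino=2621 scontext=system_u:system_r:snappy_mount_t:s0
 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 13:14:03 2019
type=AVC msg=audit(1564406043.239:222): avc: denied { open } for pid=23708 comm="6" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=2621 scontext
=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
time->Tue Aug 13 11:44:03 2019
type=AVC msg=audit(1565696643.557:298): avc: denied { search } for pid=22851
         comm="mandb" name="snapd" dev="vda1" ino=524751
         scontext=system_u:system_r:mandb_t:s0
         tcontext=system_u:object_r:snappy_var_lib_t:s0
         tclass=dir permissive=0
"""
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=[^:]+:[^:]+:([^:\s]+)"
                 r".*?tcontext=[^:]+:[^:]+:([^:\s]+).*?tclass=(\w+)")

def unwrap(text):
    """Rejoin hard-wrapped ausearch output into one string per AVC record."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line)
        elif records and line.strip() and not line.startswith(("----", "time->")):
            # Indented continuation: the wrap fell on a space; else mid-token.
            records[-1] += (" " if line[0].isspace() else "") + line.strip()
    return records

def allow_rules(text):
    """Merge denials per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for rec in unwrap(text):
        m = AVC.search(rec)
        if m:
            perms[m.group(2), m.group(3), m.group(4)].update(m.group(1).split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        body = " ".join(sorted(p))
        rules.append(f"allow {src} {tgt}:{cls} {{ {body} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

The output is a list of candidate rules to review against the policy's intent; a denial logged with permissive=1 was recorded but not enforced, so the triggering access still succeeded.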