cmd/snap: use distro snap-exec when running under classic confinement

We have used a hardcoded path to snap-exec pointing to 'core'
libexec (/usr/lib/snapd) directory. Subsequently we tried to run snap-exec from
that location through snap-confine. When classic confinement is in effect,
snap-confine does not set up a mount namespace where the 'core' snap is a
rootfs, thus we are running off the distro's root filesystem. In such case, the
path to snap-exec may or may not be valid, depending on whether the distro's
libexec directory coincides with the path from 'core'. The assumption would be
invalid on distributions where libexec is under a different path, e.g. Fedora
where snapd's libexecdir is /usr/libexec/snapd.

Fix the issue by using snap-exec from distro specific libexec directory when
running under classic confinement. Should 'snap' be reexeced from the 'core'
snap, use the 'core' snap version of snap-exec too.

dirs: check if distro 'is like' fedora when picking path to libexecdir

The original bug report [1] comes from Korora, a Fedora derivative. Address it
by checking if distro 'is like' fedora rather than using a hardcoded list of
options. Both RHEL and CentOS list ID_LIKE="..fedora.." in their /etc/os-release
files. Korora, being a derivative also has ID_LIKE="fedora".
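
The 'is like' check described in the dirs commit above, as an added Go example that is not snapd's own code: it parses os-release content and matches "fedora" against ID and each whole entry of ID_LIKE. The function names are hypothetical, the sample content is constructed, and using /usr/lib/snapd for every distro that is not like Fedora is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// parseOSRelease extracts ID and the space-separated ID_LIKE entries.
func parseOSRelease(content string) (id string, idLike []string) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		key, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		if !ok {
			continue // blank line or other non-assignment
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		switch key { // a "#" comment never yields exactly ID or ID_LIKE
		case "ID":
			id = val
		case "ID_LIKE":
			idLike = strings.Fields(val)
		}
	}
	return id, idLike
}

// isLike matches whole IDs only, so "fedoraish" does not count as "fedora".
func isLike(content, want string) bool {
	id, like := parseOSRelease(content)
	for _, candidate := range append([]string{id}, like...) {
		if candidate == want {
			return true
		}
	}
	return false
}

// libexecDir returns the distro libexec path used under classic confinement.
func libexecDir(content string) string {
	if isLike(content, "fedora") {
		return "/usr/libexec/snapd"
	}
	return "/usr/lib/snapd" // assumed default for every other distro
}

func main() {
	fmt.Println(libexecDir("ID=korora\nID_LIKE=\"fedora\"\n")) // constructed sample
}
```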

snapd talks to polkitd over DBus and calls
org.freedesktop.PolicyKit1.Authority.CheckAuthorization() method. The default
SELinux policy prevents polkitd from sending a reply back to snapd.
> First, any time a message is routed from one connection to another connection,
> the bus daemon will check permissions with the security context of the first
> connection as source, security context of the second connection as target,
> object class "dbus" and requested permission "send_msg".
The change adjusts the policy to allow DBus messages (dbus send_msg) to be
sent from processes with type polkit_t (polkitd) to processes with type
snappy_t (snapd).
Signed-off-by: Maciej Borzecki <email address hidden>

tests/main/searching: handle changes in featured snaps list

When doing `snap find --section=..` do not make any assumptions about the list
of returned snaps. Use specific snap when checking if section list uses host's
architecture.
Signed-off-by: Maciej Borzecki <email address hidden>