| field | value | date |
|---|---|---|
| author | Maciej Borzecki <maciej.zenon.borzecki@canonical.com> | 2019-06-25 15:17:12 +0200 |
| committer | Maciej Borzecki <maciej.zenon.borzecki@canonical.com> | 2019-06-25 15:49:48 +0200 |
| commit | 44e0899bb774f92a1731090b46b0b28ec0bf7508 | |
| tree | 3342975c51a29ba5aeec8164768ba631a094e214 | |
| parent | c70aded90dfc1a7ac97d01d58ec08239d8ae1688 | |
data/selinux: allow snap-confine to read symlinks on tmpfs_t
snap-confine and snap-update-ns use tmpfs when setting up the mount namespace. When setting up the mount ns of a snap, some entries may end up with tmpfs_t labels. We should fix it in the long run, but for now allow s-c to read tmpfs_t (s-u-n already has the relevant permissions).

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
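The commit message describes the symptom (snap-confine denied on tmpfs_t-labelled entries) and the chosen fix (a refpolicy interface granting symlink reads). The shell helper below is an added example, not snapd's or refpolicy's code: it turns raw AVC denial lines into the `allow` rule each one implies and checks whether that rule is covered by the set of rules `fs_read_tmpfs_symlinks(snappy_confine_t)` is assumed to expand to. The AVC lines (including the names `current` and `mount-profile`), the audit timestamps and the interface expansion in `INTERFACE_RULES` are constructed or assumed for illustration; the authoritative expansion is in the refpolicy sources.

```shell
#!/bin/sh
# Added example, not snapd's own code. Map AVC denials to the allow rule they
# imply and check that rule against the (assumed) expansion of the interface
# the patch adds, so a reviewer can see which denials it does and does not cover.

# Constructed denials. The first is the case the patch addresses (a symlink
# read on a tmpfs_t-labelled entry); the second is a hypothetical plain-file
# read on tmpfs_t that a symlink-only interface would NOT cover.
SAMPLE_AVC_LNK='type=AVC msg=audit(1561468632.123:456): avc:  denied  { read } for  pid=1234 comm="snap-confine" name="current" dev="tmpfs" ino=5678 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0'
SAMPLE_AVC_FILE='type=AVC msg=audit(1561468632.124:457): avc:  denied  { read open } for  pid=1234 comm="snap-confine" name="mount-profile" dev="tmpfs" ino=5679 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0'

# ASSUMED expansion of fs_read_tmpfs_symlinks(snappy_confine_t): directory
# listing plus symlink read on tmpfs_t, one rule per line. Verify against
# refpolicy before relying on it.
INTERFACE_RULES='allow snappy_confine_t tmpfs_t:dir { getattr ioctl lock open read search };
allow snappy_confine_t tmpfs_t:lnk_file { getattr read };'

# avc_to_allow: AVC lines on stdin -> "allow <src> <tgt>:<class> { <perms> };"
# Source/target types are the third field of scontext/tcontext (user:role:type:level).
avc_to_allow() {
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1 };/p'
}

# covered_by_interface RULE: return 0 if every permission in RULE is granted by
# INTERFACE_RULES for the same source, target and class, 1 otherwise.
covered_by_interface() {
    rule=$1
    # "allow S T:C { p1 p2 };" -> key "S T:C" and the permission list "p1 p2"
    key=$(printf '%s\n' "$rule" | sed 's/^allow \([^ ]* [^ ]*:[^ ]*\) .*/\1/')
    perms=$(printf '%s\n' "$rule" | sed 's/.*{ *\([^}]*[^ }]\) *}.*/\1/')
    granted=$(printf '%s\n' "$INTERFACE_RULES" | grep "^allow $key " | sed 's/.*{ *\([^}]*[^ }]\) *}.*/\1/')
    [ -n "$granted" ] || return 1
    for p in $perms; do
        case " $granted " in
            *" $p "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_denial AVC_LINE: print the implied rule and the verdict; 0 if covered.
check_denial() {
    rule=$(printf '%s\n' "$1" | avc_to_allow)
    if covered_by_interface "$rule"; then
        printf 'covered by fs_read_tmpfs_symlinks: %s\n' "$rule"
        return 0
    fi
    printf 'NOT covered, needs a different rule/interface: %s\n' "$rule"
    return 1
}

for avc in "$SAMPLE_AVC_LNK" "$SAMPLE_AVC_FILE"; do
    check_denial "$avc" || :   # keep going; an uncovered denial is the interesting output
done
```

Feed real denials in with `ausearch -m avc -c snap-confine | avc_to_allow`; the point of the coverage check is that a symlink-read interface is the minimal grant for the symptom in the commit message, and any further tmpfs_t denials (for example on regular files) should surface as a new decision rather than be folded into the same comment.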
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | data/selinux/snappy.te | 3 |

1 file changed, 3 insertions, 0 deletions
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te index 8b7834e048..0d1491b608 100644 --- a/data/selinux/snappy.te +++ b/data/selinux/snappy.te @@ -491,6 +491,9 @@ term_mount_pty_fs(snappy_confine_t) # device group fs_manage_cgroup_dirs(snappy_confine_t) fs_manage_cgroup_files(snappy_confine_t) +# snap-update-ns and snap-confine use tmpfs when setting up the namespace, +# things may end up keeping tmpfs_t label +fs_read_tmpfs_symlinks(snappy_confine_t) # restoring file contexts seutil_read_file_contexts(snappy_confine_t) |
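Review bot: the comment added above fs_read_tmpfs_symlinks(snappy_confine_t) records the symptom ("things may end up keeping tmpfs_t label") but not that the grant is a stop-gap, even though the commit message says the labelling "should be fixed in the long run". Suggest saying so in the policy itself, e.g. `# TODO: drop once namespace setup no longer leaves tmpfs_t-labelled entries`, and naming the entry or quoting the AVC denial that was observed, so a later reader can verify the permission is still needed and remove it; a blanket read on every tmpfs_t symlink otherwise tends to become permanent. It would also help to state that a symlink read was the only denial seen, since the interface name suggests it grants nothing for regular tmpfs_t files and any further denials would need a separate decision.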
