authorMaciej Borzecki <maciej.zenon.borzecki@canonical.com>2019-07-29 12:54:28 +0200
committerMaciej Borzecki <maciej.zenon.borzecki@canonical.com>2019-07-29 13:53:08 +0200
commit6ef0e9b708075b6a4e8b96231b8d9ed45260ece6 (patch)
treea690010a7d50584aa5647b099f0c96af266073ae /data/selinux
parentf02b4b79eca5e0fca80ef7de0be47bd32ef0a97e (diff)
data/selinux: allow snap-confine to read entries on nsfs
Allow snap-confine to read entries on nsfs, e.g. files under /proc/<pid>/ns/. Specifically, this comes up when the mount namespace is captured and bind mounted over at /run/snapd/ns/*.mnt. Fixes SELinux denials:

----
time->Mon Jul 29 10:07:52 2019
type=AVC msg=audit(1564394872.547:228): avc: denied { read } for pid=24014 comm="snap-confine" dev="nsfs" ino=4026532209 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 10:07:52 2019
type=AVC msg=audit(1564394872.547:229): avc: denied { open } for pid=24014 comm="snap-confine" path="/run/snapd/ns/lxd.mnt" dev="nsfs" ino=4026532209 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 10:07:52 2019
type=AVC msg=audit(1564394872.547:230): avc: denied { getattr } for pid=24014 comm="snap-confine" path="/run/snapd/ns/lxd.mnt" dev="nsfs" ino=4026532209 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Diffstat (limited to 'data/selinux')
-rw-r--r--data/selinux/snappy.te1
1 files changed, 1 insertions, 0 deletions
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index 391a83c50c..c153de0ff5 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -444,6 +444,7 @@ fs_manage_cgroup_dirs(snappy_confine_t)
fs_write_cgroup_files(snappy_confine_t)
kernel_getattr_debugfs(snappy_confine_t)
kernel_getattr_proc(snappy_confine_t)
+fs_read_nsfs_files(snappy_confine_t)
term_getattr_pty_fs(snappy_confine_t)
# term_getattr_generic_ptys() is not supported by core policy in RHEL7
allow snappy_confine_t devpts_t:chr_file getattr;
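Review bot: The new `fs_read_nsfs_files(snappy_confine_t)` line carries no explanation in the policy file of why snap-confine needs read access to every nsfs_t file; the reasoning (joining the mount namespace preserved at /run/snapd/ns/*.mnt) lives only in the commit message. A one-line comment above it, `# read the preserved mount namespaces bind-mounted at /run/snapd/ns/*.mnt (nsfs)`, would keep that context next to the rule, matching the style of the existing comment on term_getattr_generic_ptys() below it. Since this file already notes that an interface is missing from the RHEL7 core policy, it is also worth confirming that fs_read_nsfs_files() is defined in every base policy this module is built against, and that the permission set it grants is what the three denials (read, open, getattr) actually require and no more. Placing the line next to fs_write_cgroup_files() would additionally keep the fs_* interface calls grouped rather than interleaved with the kernel_getattr_* ones.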