| author | Maciej Borzecki <maciej.zenon.borzecki@canonical.com> | 2018-11-23 15:53:29 +0100 |
|---|---|---|
| committer | Maciej Borzecki <maciej.zenon.borzecki@canonical.com> | 2018-12-06 13:43:44 +0100 |
| commit | 83732481fa7b3011838cbf29556c3cb788d00ff5 (patch) | |
| tree | 94d1f7906811187c0cb9c3a5e7d6d64e459c309f /data/selinux | |
| parent | c5edd3fef39c52482d645c3bcf833d04050114fb (diff) | |
data/selinux: overhaul SELinux targeted policy
Refactor SELinux policy for snapd and helpers. To make it more manageable, split snapd and the helpers into separate domains: snappy_t (snapd), snappy_mount_t (snap-{update,discard}-ns), and snappy_cli_t (snap{,ctl}). Add separate local policy for each helper, trying to keep it minimal where possible. Also update file contexts so that they can be properly relabeled. Introuduce a separate file type for snap data, snappy_snap_t which is aimed to be used a mount context for snap images. This ensures that the snaps will be properly labeled and we can write policy that uses this type. Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Diffstat (limited to 'data/selinux')
| -rw-r--r-- | data/selinux/snappy.fc | 18 | ||||
| -rw-r--r-- | data/selinux/snappy.if | 95 | ||||
| -rw-r--r-- | data/selinux/snappy.te | 434 |
3 files changed, 395 insertions, 152 deletions
diff --git a/data/selinux/snappy.fc b/data/selinux/snappy.fc
index 85148ddd81..e41685dbaf 100644
--- a/data/selinux/snappy.fc
+++ b/data/selinux/snappy.fc
@@ -18,30 +18,38 @@ HOME_DIR/snap(/.*)? gen_context(system_u:object_r:snappy_home_t,s0) +/root/snap(/.*)? gen_context(system_u:object_r:snappy_home_t,s0) - -/usr/bin/snap -- gen_context(system_u:object_r:snappy_exec_t,s0) -/usr/bin/snapctl -- gen_context(system_u:object_r:snappy_exec_t,s0) +/usr/bin/snap -- gen_context(system_u:object_r:snappy_cli_exec_t,s0) +/usr/bin/snapctl -- gen_context(system_u:object_r:snappy_cli_exec_t,s0) ifdef(`distro_redhat',` +/usr/libexec/snapd/snapctl -- gen_context(system_u:object_r:snappy_cli_exec_t,s0) +/usr/libexec/snapd/snap-confine -- gen_context(system_u:object_r:snappy_confine_exec_t,s0) +/usr/libexec/snapd/snap-update-ns -- gen_context(system_u:object_r:snappy_mount_exec_t,s0) +/usr/libexec/snapd/snap-discard-ns -- gen_context(system_u:object_r:snappy_mount_exec_t,s0) /usr/libexec/snapd/.* -- gen_context(system_u:object_r:snappy_exec_t,s0) /etc/sysconfig/snapd -- gen_context(system_u:object_r:snappy_config_t,s0) /usr/lib/systemd/system/snapd.* -- gen_context(system_u:object_r:snappy_unit_file_t,s0) ') ifdef(`distro_debian',` +/usr/lib/snapd/snapctl -- gen_context(system_u:object_r:snappy_cli_exec_t,s0) +/usr/lib/snapd/snap-confine -- gen_context(system_u:object_r:snappy_confine_exec_t,s0) +/usr/lib/snapd/snap-update-ns -- gen_context(system_u:object_r:snappy_mount_exec_t,s0) +/usr/lib/snapd/snap-discard-ns -- gen_context(system_u:object_r:snappy_mount_exec_t,s0) /usr/lib/snapd/.* -- gen_context(system_u:object_r:snappy_exec_t,s0) /etc/default/snapd -- gen_context(system_u:object_r:snappy_config_t,s0) /lib/systemd/system/snapd.* -- gen_context(system_u:object_r:snappy_unit_file_t,s0) ') -/var/run/snapd(/.*)? -- gen_context(system_u:object_r:snappy_var_run_t,s0) +/var/run/snapd(/.*)? gen_context(system_u:object_r:snappy_var_run_t,s0) /var/run/snapd\.socket -s gen_context(system_u:object_r:snappy_var_run_t,s0) /var/run/snapd-snap\.socket -s gen_context(system_u:object_r:snappy_var_run_t,s0) /var/lib/snapd(/.*)? 
gen_context(system_u:object_r:snappy_var_lib_t,s0) /var/cache/snapd(/.*)? gen_context(system_u:object_r:snappy_var_cache_t,s0) /var/snap(/.*)? gen_context(system_u:object_r:snappy_var_t,s0) -/run/snapd(/.*)? -- gen_context(system_u:object_r:snappy_var_run_t,s0) +/run/snapd(/.*)? gen_context(system_u:object_r:snappy_var_run_t,s0) /run/snapd\.socket -s gen_context(system_u:object_r:snappy_var_run_t,s0) /run/snapd-snap\.socket -s gen_context(system_u:object_r:snappy_var_run_t,s0) diff --git a/data/selinux/snappy.if b/data/selinux/snappy.if index d47015e945..ad1cc55a19 100644 --- a/data/selinux/snappy.if +++ b/data/selinux/snappy.if @@ -184,43 +184,6 @@ interface(`snappy_dontaudit_manage_user_home_files',` ######################################## ## <summary> -## Execute snappy home directory content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snappy_exec_user_home_files',` - gen_require(` - type snappy_home_t; - ') - - can_exec($1, snappy_home_t) -') - -######################################## -## <summary> -## Execmod snappy home directory content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snappy_execmod_user_home_files',` - gen_require(` - type snappy_home_t; - ') - - allow $1 snappy_home_t:file execmod; -') - - -######################################## -## <summary> ## Connect to snapd over a unix stream socket. ## </summary> ## <param name="domain"> @@ -255,7 +218,6 @@ interface(`snappy_stream_connect',` ## </param> ## <rolecap/> # - interface(`snappy_admin', gen_require(` type snappy_t, snappy_config_t; 
@@ -271,3 +233,60 @@ interface(`snappy_admin', files_list_pids($1, snappy_var_run_t); admin_pattern($1, snappy_var_run_t); ') + +######################################## +## <summary> +## Execute snappy CLI in the snappy_cli_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`snappy_cli_domtrans',` + gen_require(` + type snappy_cli_t, snappy_cli_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, snappy_cli_exec_t, snappy_cli_t) +') + +######################################## +## <summary> +## Execute snap-confine in the snappy_confine_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`snappy_confine_domtrans',` + gen_require(` + type snappy_confine_t, snappy_confine_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, snappy_confine_exec_t, snappy_confine_t) +') + +######################################## +## <summary> +## Execute snap-update-ns, snap-discard-ns in the snappy_mount_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`snappy_mount_domtrans',` + gen_require(` + type snappy_mount_t, snappy_mount_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, snappy_mount_exec_t, snappy_mount_t) +') diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te index a388e90672..65dbe8f00d 100644 --- a/data/selinux/snappy.te +++ b/data/selinux/snappy.te @@ -24,9 +24,13 @@ policy_module(snappy,0.0.14) # Declarations # +attribute_role snappy_roles; + +# snapd type snappy_t; type snappy_exec_t; init_daemon_domain(snappy_t, snappy_exec_t) +role snappy_roles types snappy_t; type snappy_config_t; files_config_file(snappy_config_t) 
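Review bot: The three new `*_domtrans` interfaces carry no role handling, so a confined user whose role is not system_r cannot actually reach snappy_cli_t: the .te only has `role system_r types snappy_cli_t;`, and the `snappy_roles` attribute declared at the top of snappy.te is never given any role and never covers snappy_cli_t. A caller that runs `snap` from a user domain needs the usual `_run_` pairing, otherwise the exec fails on the role transition check even though the type transition is allowed. Add a `snappy_run_cli` interface that takes the role as a second parameter (sketched below) and, in snappy.te, `role snappy_roles types snappy_cli_t;` next to the existing `role snappy_roles types snappy_t;`. If only system_r callers (init, snapd) are intended for now, a comment on `snappy_cli_domtrans` saying so would stop the next reader from wiring a user role through it.

```selinux
########################################
## <summary>
##	Execute snappy CLI in the snappy_cli_t domain and allow the
##	specified role the snappy_cli_t domain.
## </summary>
## <param name="domain"> ... </param>
## <param name="role"> ... </param>
## <rolecap/>
#
interface(`snappy_run_cli',`
	gen_require(`
		attribute_role snappy_roles;
	')

	snappy_cli_domtrans($1)
	roleattribute $2 snappy_roles;
')
```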
@@ -51,96 +55,99 @@ files_pid_file(snappy_var_run_t) type snappy_unit_file_t; systemd_unit_file(snappy_unit_file_t) +type snappy_tmp_t; +files_tmp_file(snappy_tmp_t) + +# actual snap +type snappy_snap_t; +files_type(snappy_snap_t) + +# CLI tools: snap, snapctl +type snappy_cli_t; +type snappy_cli_exec_t; +domain_type(snappy_cli_t) +domain_entry_file(snappy_cli_t, snappy_cli_exec_t) + +# helper tools: snap-{update,discard}-ns +type snappy_mount_t; +type snappy_mount_exec_t; +domain_type(snappy_mount_t) +domain_entry_file(snappy_mount_t, snappy_mount_exec_t) + +# helper tool: snap-confine +type snappy_confine_t; +type snappy_confine_exec_t; +domain_type(snappy_confine_t) +domain_entry_file(snappy_confine_t, snappy_confine_exec_t) + +type snappy_unconfined_snap_t; +unconfined_domain(snappy_unconfined_snap_t) + ######################################## # -# snappy local policy +# snappy snapd local policy # # For development purposes, snappy_t domain is to be marked permissive permissive snappy_t; # Allow transitions from init_t to snappy for sockets -gen_require(` type init_t; type var_run_t; ') -filetrans_pattern(init_t, var_run_t, snappy_var_run_t, sock_file, "snapd.socket") -filetrans_pattern(init_t, var_run_t, snappy_var_run_t, sock_file, "snapd-snap.socket") +init_named_socket_activation(snappy_t, snappy_var_run_t, "snapd.socket") +init_named_socket_activation(snappy_t, snappy_var_run_t, "snapd-snap.socket") # Allow init_t to read snappy data allow init_t snappy_var_lib_t:dir read; -# Allow snapd to read init socket -gen_require(` type init_t; ') -allow snappy_t init_t:file { getattr open read }; -allow snappy_t init_t:lnk_file read; -allow snappy_t init_t:unix_stream_socket connectto; - -# Allow snapd to read file contexts -gen_require(` type file_context_t; ') -allow snappy_t file_context_t:dir search; -allow snappy_t file_context_t:file { map getattr open read }; - # Allow snapd to read procfs gen_require(` type proc_t; ') allow snappy_t proc_t:file { getattr 
open read }; # Allow snapd to read sysfs -gen_require(` type sysfs_t; ') -allow snappy_t sysfs_t:dir read; -allow snappy_t sysfs_t:file { getattr setattr open read write }; -allow snappy_t sysfs_t:lnk_file { getattr read }; - +dev_read_sysfs(snappy_t) +dev_search_sysfs(snappy_t) # This silences a read AVC denial event on the lost+found directory. gen_require(` type lost_found_t; ') dontaudit snappy_t lost_found_t:dir read; # Allow snapd to read SSL cert store -gen_require(` type cert_t; ') -allow snappy_t cert_t:dir { search open read }; -allow snappy_t cert_t:file { getattr open read }; -allow snappy_t cert_t:lnk_file { getattr open read }; +miscfiles_read_all_certs(snappy_t) # Allow snapd to read config files read_files_pattern(snappy_t, snappy_config_t, snappy_config_t) # Allow snapd to manage snaps' homedir data -manage_dirs_pattern(snappy_t, snappy_home_t, snappy_home_t) -manage_files_pattern(snappy_t, snappy_home_t, snappy_home_t) -manage_lnk_files_pattern(snappy_t, snappy_home_t, snappy_home_t) +admin_pattern(snappy_t, snappy_home_t) userdom_search_user_home_dirs(snappy_t) -userdom_user_home_dir_filetrans(snappy_t, snappy_home_t, dir, "snap") +userdom_list_user_home_dirs(snappy_t) # Allow snapd to read DNS config -gen_require(` type net_conf_t; ') -allow snappy_t net_conf_t:file { getattr open read }; -allow snappy_t net_conf_t:lnk_file { read }; +sysnet_dns_name_resolve(snappy_t) # When managed by NetworkManager, DNS config is in its rundata gen_require(` type NetworkManager_var_run_t; ') allow snappy_t NetworkManager_var_run_t:dir search; # Allow snapd to read sysctl files -gen_require(` type sysctl_net_t; ') -allow snappy_t sysctl_net_t:dir search; -allow snappy_t sysctl_net_t:file { open read }; +kernel_read_net_sysctls(snappy_t) +kernel_search_network_sysctl(snappy_t) # Allow snapd to manage D-Bus config files for snaps -gen_require(` type dbusd_etc_t; ') -allow snappy_t dbusd_etc_t:dir { getattr open read search }; -allow snappy_t dbusd_etc_t:file { 
getattr open read write create rename unlink }; -allow snappy_t dbusd_etc_t:lnk_file { read }; - -# Allow snapd to manage udev rules for snaps -gen_require(` type udev_rules_t; type udev_exec_t; ') -allow snappy_t udev_rules_t:dir { getattr open read write search add_name remove_name }; -allow snappy_t udev_rules_t:file { getattr open read write create rename unlink }; -allow snappy_t udev_exec_t:file { execute execute_no_trans getattr open read map }; - -# Allow snapd to manipulate udev -gen_require(` type udev_t; type udev_var_run_t; ') -allow snappy_t udev_t:unix_stream_socket connectto; -allow snappy_t udev_var_run_t:file { getattr open read }; -allow snappy_t udev_var_run_t:dir { read }; -allow snappy_t udev_var_run_t:sock_file { getattr open read write }; +optional_policy(` + dbus_read_config(snappy_t) + allow snappy_t dbusd_etc_t:file { write create rename unlink }; + allow snappy_t dbusd_etc_t:lnk_file { read }; +') + +# Allow snapd to manage udev rules for snaps and trigger events +optional_policy(` + udev_manage_rules_files(snappy_t) + udev_manage_pid_files(snappy_t) + udev_exec(snappy_t) + udev_domtrans(snappy_t) + udev_create_kobject_uevent_socket(snappy_t) +') +allow snappy_t self:netlink_kobject_uevent_socket { create_socket_perms read }; # Allow snapd to read/write systemd units and use systemctl for managing snaps systemd_config_all_services(snappy_t) 
@@ -148,32 +155,30 @@ systemd_manage_all_unit_files(snappy_t) systemd_manage_all_unit_lnk_files(snappy_t) systemd_exec_systemctl(snappy_t) -# Allow snapd to mount snaps -gen_require(` type mount_exec_t; ') -allow snappy_t mount_exec_t:file { map execute execute_no_trans getattr open read }; - # Allow snapd to execute unsquashfs -gen_require(` type bin_t; ') -allow snappy_t bin_t:file { map execute execute_no_trans }; - -# Allow snappy to exec snap-seccomp -allow snappy_t snappy_exec_t:file { execute_no_trans }; +corecmd_exec_bin(snappy_t) + +# Allow snappy to exec helpers +can_exec(snappy_t, snappy_exec_t) +can_exec(snappy_t, snappy_mount_exec_t) +can_exec(snappy_t, snappy_cli_exec_t) +corecmd_search_bin(snappy_t) +# allow transition to snap cli domain +snappy_cli_domtrans(snappy_t) +# allow transition to mount helpers domain +snappy_mount_domtrans(snappy_t) +# allow transition to snap-confine domain +snappy_confine_domtrans(snappy_t) # Allow snapd to get FUSE device attributes -gen_require(` type fuse_device_t; ') -allow snappy_t fuse_device_t:chr_file getattr; +storage_getattr_fuse_dev(snappy_t) # Read l10n files? miscfiles_read_localization(snappy_t) -# Allow snapd to manage its socket files -manage_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t) - -# Allow snapd to manage mounts -gen_require(` type fs_t; type mount_var_run_t; ') -allow snappy_t fs_t:filesystem { mount unmount }; -allow snappy_t mount_var_run_t:dir { add_name remove_name write search }; -allow snappy_t mount_var_run_t:file { create getattr setattr open read write rename unlink lock }; +# Allow snapd to read its run files, those files are managed elsewhere +read_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t) +getattr_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t) gen_require(` type user_tmp_t; ') allow snappy_t user_tmp_t:dir { read }; 
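Review bot: `can_exec(snappy_t, snappy_mount_exec_t)` and `can_exec(snappy_t, snappy_cli_exec_t)` add execute_no_trans on the helper entrypoints, while `snappy_mount_domtrans(snappy_t)` and `snappy_cli_domtrans(snappy_t)` a few lines below already grant the execute permission the type_transition needs. The extra execute_no_trans is only reachable if snapd deliberately pins its exec context, but it does let snap-update-ns run inside snappy_t, the very domain this hunk strips of `fs_t:filesystem { mount unmount }`, which undercuts the split the commit is making. Drop those two `can_exec` lines and keep only `can_exec(snappy_t, snappy_exec_t)`, which is still needed because other helpers share snapd's own exec type; if one of them is genuinely required, a comment naming the caller would justify it.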
@@ -181,62 +186,45 @@ allow snappy_t user_tmp_t:dir { read }; gen_require(` type systemd_unit_file_t; ') allow snappy_t systemd_unit_file_t:dir { rmdir }; -gen_require(` type fixed_disk_device_t; ') -allow snappy_t fixed_disk_device_t:blk_file { getattr }; - -gen_require(` type loop_control_device_t; ') -allow snappy_t loop_control_device_t:chr_file { getattr }; - -gen_require(` type usr_t; ') -allow snappy_t usr_t:dir { write }; - gen_require(` type home_root_t; ') allow snappy_t home_root_t:dir { read }; # Allow snapd to manage its persistent data -manage_dirs_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t) -manage_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t) -manage_lnk_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t) -manage_dirs_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t) -manage_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t) -manage_lnk_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t) -manage_dirs_pattern(snappy_t, snappy_var_t, snappy_var_t) -manage_files_pattern(snappy_t, snappy_var_t, snappy_var_t) -manage_lnk_files_pattern(snappy_t, snappy_var_t, snappy_var_t) +admin_pattern(snappy_t, snappy_var_cache_t) +# for r/w to commands.db +mmap_rw_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t) +admin_pattern(snappy_t, snappy_var_lib_t) +# for r/w to errtracker.db +mmap_rw_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t) +admin_pattern(snappy_t, snappy_var_t) +# And search/read mounted snaps +allow snappy_t snappy_snap_t:dir { list_dir_perms }; +allow snappy_t snappy_snap_t:file { read_file_perms }; +allow snappy_t snappy_snap_t:lnk_file { read_lnk_file_perms }; # Grant snapd access to /tmp -gen_require(` type tmp_t; ') -allow snappy_t tmp_t:dir { getattr setattr add_name create read remove_name rmdir write }; -allow snappy_t tmp_t:file { getattr setattr create open unlink write }; +admin_pattern(snappy_t, snappy_tmp_t) +files_tmp_filetrans(snappy_t, 
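Review bot: `allow snappy_t self:capability { dac_read_search dac_override };` removes sys_admin, sys_chroot, chown, kill, fowner, fsetid, mknod, net_admin, net_bind_service, net_raw and setfcap from snapd, and `setfscreate` goes with it, yet only sys_chroot, setuid and setgid reappear in the new helper domains elsewhere in this patch; chown/fowner/fsetid/mknod are granted to nothing. Because `permissive snappy_t` is kept, anything snapd still does with those capabilities (ownership changes on snap data directories, for instance) will show up only as AVC messages rather than failures, so this hunk cannot have been validated by an enforcing run on its own. Either state in the commit message that the reduced set was checked against audit logs, or leave a marker above the rule: `# TODO: capability set reduced from the pre-split policy; re-check AVCs before dropping 'permissive snappy_t'`.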
snappy_tmp_t, { file dir }) -# Allow snappy to mmap files in /var/cache -allow snappy_t snappy_var_cache_t:file { map }; +# snap command completions +gen_require(` type usr_t; ') +allow snappy_t usr_t:dir { write }; # Allow snapd to use ssh-keygen -gen_require(` type ssh_keygen_exec_t; ') -allow snappy_t ssh_keygen_exec_t:file { execute execute_no_trans getattr open read map }; +ssh_exec_keygen(snappy_t) # Allow snapd to access passwd file for lookup auth_read_passwd(snappy_t); -# Until we can figure out how to apply the label to mounted snaps, -# we need to grant snapd access to "unlabeled files" -gen_require(` type unlabeled_t; ') -allow snappy_t unlabeled_t:dir { getattr search open read }; -allow snappy_t unlabeled_t:lnk_file { getattr read }; -allow snappy_t unlabeled_t:file { getattr open read }; - -# Until we can figure out why some things are randomly getting unconfined_t, -# we need to grant access to "unconfined" files +# because /run/snapd/ns/*.mnt gets a label of the process context gen_require(` type unconfined_t; ') -allow snappy_t unconfined_t:dir { getattr search open read }; -allow snappy_t unconfined_t:file { getattr open read }; +allow snappy_t unconfined_t:file getattr; +allow snappy_t snappy_confine_t:file getattr; logging_send_syslog_msg(snappy_t); -allow snappy_t self:capability { sys_admin sys_chroot dac_override dac_read_search chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap }; -allow snappy_t self:tun_socket relabelto; -allow snappy_t self:process { getcap signal_perms setrlimit setfscreate }; +allow snappy_t self:capability { dac_read_search dac_override }; +allow snappy_t self:process { setpgid }; # Various socket permissions allow snappy_t self:fifo_file rw_fifo_file_perms; 
@@ -282,3 +270,231 @@ optional_policy(` sssd_read_public_files(snappy_t) sssd_stream_connect(snappy_t) ') + +# for sanity checks +optional_policy(` + mount_run(snappy_t, snappy_roles) +') + +# only pops up in cloud images where cloud-init.target is incorrectly labeled +allow snappy_t init_var_run_t:lnk_file read; + +######################################## +# +# snap-update-ns, snap-dicsard-ns local policy +# +permissive snappy_mount_t; + +role system_r types snappy_mount_t; + +admin_pattern(snappy_mount_t, snappy_var_run_t) +files_pid_filetrans(snappy_mount_t, snappy_var_run_t, {file dir}) + +# Allow snap-{update,discard}-ns to manage mounts +gen_require(` type fs_t; type mount_var_run_t; ') +allow snappy_mount_t fs_t:filesystem { mount unmount }; +allow snappy_mount_t mount_var_run_t:dir { add_name remove_name write search }; +allow snappy_mount_t mount_var_run_t:file { create getattr setattr open read write rename unlink lock }; + +allow snappy_mount_t self:capability { sys_chroot }; + +manage_files_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t) +manage_dirs_pattern(snappy_mount_t, snappy_snap_t, snappy_snap_t) + +read_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t) +getattr_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t) +read_lnk_files_pattern(snappy_mount_t, snappy_var_lib_t, snappy_var_lib_t) + +fs_manage_cgroup_dirs(snappy_mount_t) +fs_manage_cgroup_files(snappy_mount_t) + +# because /run/snapd/ns/*.mnt gets a label of the process context +gen_require(` type unconfined_t; ') +allow snappy_mount_t unconfined_t:file { open read getattr }; +allow snappy_mount_t snappy_confine_t:file { open read getattr }; + +######################################## +# +# snap-confine local policy +# +permissive snappy_confine_t; + +role system_r types snappy_confine_t; +snappy_mount_domtrans(snappy_confine_t) +allow snappy_confine_t snappy_mount_t:process2 nosuid_transition; + +admin_pattern(snappy_confine_t, snappy_var_run_t) + 
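Review bot: `unconfined_domain(snappy_unconfined_snap_t)` is introduced with no comment, and it is the domain snap-confine transitions snap payloads into (see the `snappy_confine_t ... snappy_unconfined_snap_t:process { ... transition ... }` rule later in this file), so it deserves an explicit statement that snaps receive no SELinux confinement from this module. A one-line note keeps that from being mistaken for a temporary shortcut: `# Snap applications and services run fully unconfined by SELinux (equivalent to unconfined_t); any isolation comes from the sandbox snap-confine sets up, not from this policy.` It would also help to say whether a confined snap domain is planned, since the name suggests one.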
+allow snappy_confine_t snappy_var_lib_t:dir { list_dir_perms }; +allow snappy_confine_t snappy_var_lib_t:file { read_file_perms }; +allow snappy_confine_t snappy_var_lib_t:lnk_file { read_lnk_file_perms }; + +files_pid_filetrans(snappy_confine_t, snappy_var_run_t, {file dir}) + +allow snappy_confine_t snappy_home_t:dir { create_dir_perms list_dir_perms }; +allow snappy_confine_t snappy_home_t:file { read_file_perms }; +allow snappy_confine_t snappy_home_t:lnk_file { manage_lnk_file_perms }; +userdom_user_home_dir_filetrans(snappy_confine_t, snappy_home_t, dir, "snap") +userdom_admin_home_dir_filetrans(snappy_confine_t, snappy_home_t, dir, "snap") + +allow snappy_confine_t snappy_snap_t:process transition; + +allow snappy_confine_t self:process { setexec }; +allow snappy_confine_t self:capability { setgid setuid sys_chroot }; + +init_read_state(snappy_confine_t) + +# libudev +udev_manage_pid_dirs(snappy_confine_t) + +dev_getattr_fs(snappy_confine_t) +dev_getattr_sysfs_fs(snappy_confine_t) +fs_getattr_cgroup(snappy_confine_t) +fs_getattr_hugetlbfs(snappy_confine_t) +fs_getattr_tmpfs(snappy_confine_t) +fs_getattr_xattr_fs(snappy_confine_t) +fs_manage_cgroup_dirs(snappy_confine_t) +fs_write_cgroup_files(snappy_confine_t) +kernel_getattr_debugfs(snappy_confine_t) +term_getattr_pty_fs(snappy_confine_t) +term_getattr_generic_ptys(snappy_confine_t) + +# because /run/snapd/ns/*.mnt gets a label of the process context +allow snappy_confine_t unconfined_t:file getattr; + +# mount ns setup +gen_require(` + type ptmx_t; + type modules_object_t; + type ifconfig_var_run_t; + type var_log_t; +') +allow snappy_confine_t admin_home_t:dir mounton; +allow snappy_confine_t cert_t:dir { getattr mounton }; +allow snappy_confine_t device_t:filesystem unmount; +allow snappy_confine_t devpts_t:dir mounton; +allow snappy_confine_t etc_t:file mounton; +allow snappy_confine_t home_root_t:dir mounton; +allow snappy_confine_t ifconfig_var_run_t:dir mounton; +allow snappy_confine_t 
modules_object_t:dir mounton; +allow snappy_confine_t ptmx_t:chr_file { getattr mounton }; +allow snappy_confine_t snappy_snap_t:dir { mounton read }; +allow snappy_confine_t snappy_snap_t:file mounton; +allow snappy_confine_t snappy_snap_t:lnk_file read; +allow snappy_confine_t snappy_var_lib_t:dir mounton; +allow snappy_confine_t snappy_var_run_t:file mounton; +allow snappy_confine_t snappy_var_t:dir mounton; +allow snappy_confine_t tmp_t:dir { add_name create mounton remove_name rmdir setattr write }; +allow snappy_confine_t usr_t:dir mounton; +allow snappy_confine_t var_log_t:dir mounton; +allow snappy_confine_t var_run_t:dir mounton; +dev_mounton(snappy_confine_t) +dev_mounton_sysfs(snappy_confine_t) +dev_unmount_sysfs_fs(snappy_confine_t) +files_mounton_etc(snappy_confine_t) +files_mounton_mnt(snappy_confine_t) +files_mounton_rootfs(snappy_confine_t) +fs_unmount_xattr_fs(snappy_confine_t) +kernel_mounton_proc(snappy_confine_t) +kernel_unmount_proc(snappy_confine_t) +seutil_read_file_contexts(snappy_confine_t) +term_mount_pty_fs(snappy_confine_t) + +# device group +fs_manage_cgroup_dirs(snappy_confine_t) +fs_manage_cgroup_files(snappy_confine_t) + +# restoring file contexts +seutil_read_file_contexts(snappy_confine_t) +seutil_read_default_contexts(snappy_confine_t) +seutil_read_config(snappy_confine_t) + +can_exec(snappy_confine_t, snappy_snap_t) +read_files_pattern(snappy_confine_t, snappy_snap_t, snappy_snap_t) +# and allow transition by snap-confine +allow snappy_confine_t snappy_unconfined_snap_t:process { noatsecure rlimitinh siginh transition dyntransition }; +gen_require(` type unconfined_service_t; ') +allow snappy_confine_t unconfined_service_t:process { noatsecure rlimitinh siginh transition dyntransition }; + +######################################## +# +# snap, snapctl local policy +# +permissive snappy_cli_t; + +role system_r types snappy_cli_t; +snappy_confine_domtrans(snappy_cli_t) +# services are started through 'snap run ...' 
wrapper +snappy_cli_domtrans(init_t) + +relabel_dirs_pattern(snappy_cli_t, user_home_t, snappy_home_t) +relabel_files_pattern(snappy_cli_t, user_home_t, snappy_home_t) +relabel_dirs_pattern(snappy_cli_t, admin_home_t, snappy_home_t) +relabel_files_pattern(snappy_cli_t, admin_home_t, snappy_home_t) + +allow snappy_cli_t snappy_home_t:dir { create_dir_perms add_entry_dir_perms list_dir_perms }; +allow snappy_cli_t snappy_home_t:file { read_file_perms }; +allow snappy_cli_t snappy_home_t:lnk_file { manage_lnk_file_perms }; +userdom_user_home_dir_filetrans(snappy_cli_t, snappy_home_t, dir, "snap") +userdom_admin_home_dir_filetrans(snappy_cli_t, snappy_home_t, dir, "snap") + +allow snappy_cli_t snappy_snap_t:dir {list_dir_perms }; +allow snappy_cli_t snappy_snap_t:file { read_file_perms }; +allow snappy_cli_t snappy_snap_t:lnk_file { read_lnk_file_perms }; + +allow snappy_cli_t snappy_var_lib_t:dir { list_dir_perms }; +allow snappy_cli_t snappy_var_lib_t:file { read_file_perms }; +allow snappy_cli_t snappy_var_lib_t:lnk_file { read_lnk_file_perms }; + +# allow reading passwd +auth_read_passwd(snappy_cli_t); +# allow reading sssd files +optional_policy(` + sssd_read_public_files(snappy_cli_t) + sssd_stream_connect(snappy_cli_t) +') + +# restorecon +seutil_domtrans_setfiles(snappy_cli_t) +seutil_read_file_contexts(snappy_cli_t) +seutil_read_default_contexts(snappy_cli_t) + +allow snappy_cli_t proc_t:file { getattr open read }; +allow snappy_cli_t snappy_exec_t:file { read_file_perms }; + +# go runtime poking at things +init_ioctl_stream_sockets(snappy_cli_t) +kernel_read_net_sysctls(snappy_cli_t) +kernel_search_network_sysctl(snappy_cli_t) + +# talk to snapd +snappy_stream_connect(snappy_cli_t) + +######################################## +# +# snappy (unconfined snap) local policy +# +permissive snappy_unconfined_snap_t; + +# allow unconfined snap service to run as a system service +role system_r types snappy_unconfined_snap_t; +can_exec(snappy_unconfined_snap_t, 
snappy_snap_t) +domain_entry_file(snappy_unconfined_snap_t, snappy_snap_t) +domain_entry_file(unconfined_service_t, snappy_snap_t) + +# for journald +gen_require(` type syslogd_t; ') +allow syslogd_t snappy_unconfined_snap_t:dir search_dir_perms; + +allow snappy_unconfined_snap_t self:process { fork getsched }; + +# allow snappy_unconfined_snap_t snappy_snap_t:dir { list_dir_perms }; +# allow snappy_unconfined_snap_t snappy_snap_t:file { read_file_perms }; +# allow snappy_unconfined_snap_t snappy_snap_t:lnk_file { read_lnk_file_perms }; + +# snap can carry services, which are then started by systemd, need to allow +# systemd to manage them +allow init_t snappy_unconfined_snap_t:dir search_dir_perms; +allow init_t snappy_unconfined_snap_t:file { read_file_perms }; +allow init_t snappy_unconfined_snap_t:lnk_file { read_lnk_file_perms }; +allow init_t snappy_unconfined_snap_t:process { sigkill signull signal }; |
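Review bot: Neither snappy_mount_t nor snappy_confine_t is granted `self:capability sys_admin`, yet snappy_mount_t gets `fs_t:filesystem { mount unmount }` and snappy_confine_t gets the long list of `mounton`/`unmount` rules; mount(2) and mount-namespace setup are gated on CAP_SYS_ADMIN, which is the `capability sys_admin` check that the removed snappy_t rule used to carry, so in enforcing mode both helpers would be denied before any mounton rule is consulted and the `permissive snappy_mount_t` / `permissive snappy_confine_t` lines are what hide it. Verify against an enforcing run rather than adding blindly, but the expected fix is `allow snappy_mount_t self:capability { sys_admin sys_chroot };` and `allow snappy_confine_t self:capability { setgid setuid sys_admin sys_chroot };`. Separately, `can_exec(snappy_confine_t, snappy_snap_t)` lets snap payload execute without a domain change inside the setuid helper's domain; since the transitions to snappy_unconfined_snap_t and unconfined_service_t follow right below, `exec_files_pattern(snappy_confine_t, snappy_snap_t, snappy_snap_t)` (execute without execute_no_trans) is the tighter form. `allow snappy_confine_t snappy_snap_t:process transition;` is dead as written, because snappy_snap_t is declared with `files_type` and never becomes a domain.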
