| author | Maciej Borzecki <maciej.zenon.borzecki@canonical.com> | 2019-06-07 16:02:58 +0200 |
|---|---|---|
| committer | Maciej Borzecki <maciej.zenon.borzecki@canonical.com> | 2019-06-07 16:02:58 +0200 |
| commit | 9a3286edb0b0a6391f7329d64be1e3f7d1e886ce (patch) | |
| tree | 1592b9de1d646493b345d0f6fb0d2aceeed9f07b /data/selinux | |
| parent | 47a007b51438e63f9aec020de90d6c9d07c54d38 (diff) | |
data/selinux: allow running hooks and services from classic snaps
When a classic snap with services or hooks is installed on an SELinux-enabled system, the policy will prevent snapd from running the hooks or, should the snap have a service, it will fail to be started by the systemd -> snap-confine chain. The reason is that for classic snaps, snap-confine executes snap-exec from the host (labeled as snappy_exec_t) instead of the one from a mounted snap (labeled as snappy_snap_t). The policy does not allow that. Allow snappy_exec_t to be an entrypoint to unconfined_service_t. Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Diffstat (limited to 'data/selinux')
| -rw-r--r-- | data/selinux/snappy.te | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index de3e948886..a63b88e0a4 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -29,7 +29,9 @@ attribute_role snappy_roles;
 # snapd
 type snappy_t;
 type snappy_exec_t;
+# allow init domain to transition to snappy_t by executing snappy_exec_t
 init_daemon_domain(snappy_t, snappy_exec_t)
+
 role snappy_roles types snappy_t;
 
 type snappy_config_t;
@@ -502,6 +504,13 @@ allow snappy_confine_t snappy_unconfined_snap_t:process { noatsecure rlimitinh s
 gen_require(`
 type unconfined_service_t;
 ')
 allow snappy_confine_t unconfined_service_t:process { noatsecure rlimitinh siginh transition dyntransition };
+# for classic snaps, snap-confine executes snap-exec from the host (labeled as
+# snappy_exec_t)
+can_exec(snappy_confine_t, snappy_exec_t)
+# allow snappy_exec_t to be an entrypoint to unconfined_service_t, only
+# snap-confine is allowed to transition this way
+domain_entry_file(unconfined_service_t, snappy_exec_t)
+
 ########################################
 #
 # snap, snapctl local policy
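Review bot: The comment above `domain_entry_file(unconfined_service_t, snappy_exec_t)` claims only snap-confine can transition this way, but `domain_entry_file` only marks the entrypoint; what actually limits the transition is that snappy_confine_t is the only domain visible here holding `unconfined_service_t:process transition`, and that guarantee holds only as long as no other domain with `snappy_exec_t:file execute` is granted that permission elsewhere in the policy, which this hunk cannot show. No `type_transition` rule is added, so entering unconfined_service_t must come from snap-confine requesting the context explicitly (presumably via setexeccon), while `can_exec` also grants `execute_no_trans`, meaning the same exec can instead stay in snappy_confine_t; the intended case should be recorded. Suggested comment next to the new rules: `# no type_transition here: snap-confine must request unconfined_service_t via setexeccon(); otherwise snap-exec keeps running as snappy_confine_t`. Reusing snappy_exec_t, the label of the snapd daemon binary itself, as an unconfined_service_t entrypoint also widens what that daemon label can be used for; a dedicated type for the host snap-exec would avoid that, at the cost of an extra file context entry not shown in this diff.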
