data/selinux: auto transition /var/snap to snappy_var_t

When snapd creates /var/snap at runtime, make sure it transitions to snappy_var_t. This is caught by tests restore checks, that list the following entries as incorrectly labeled: + grep -v snappy_var_t + find /var/snap -printf '%Z\t%H/%P\n' system_u:object_r:var_t:s0	/var/snap/ system_u:object_r:var_t:s0	/var/snap/core18 system_u:object_r:var_t:s0	/var/snap/core18/current system_u:object_r:var_t:s0	/var/snap/core18/common system_u:object_r:var_t:s0	/var/snap/core18/941 system_u:object_r:var_t:s0	/var/snap/test-snapd-with-configure-core18 system_u:object_r:var_t:s0	/var/snap/test-snapd-with-configure-core18/current system_u:object_r:var_t:s0	/var/snap/test-snapd-with-configure-core18/common system_u:object_r:var_t:s0	/var/snap/test-snapd-with-configure-core18/common/configure-ran system_u:object_r:var_t:s0	/var/snap/test-snapd-with-configure-core18/x1 system_u:object_r:var_t:s0	/var/snap/snapd system_u:object_r:var_t:s0	/var/snap/snapd/current system_u:object_r:var_t:s0	/var/snap/snapd/common system_u:object_r:var_t:s0	/var/snap/snapd/2827 Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> 

1 files changed, 2 insertions, 0 deletions

diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index 2bcff259ba..8fcfca0536 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -207,6 +207,8 @@ admin_pattern(snappy_t, snappy_var_lib_t)
 mmap_rw_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t)
 # snap data files
 admin_pattern(snappy_t, snappy_var_t)
+# auto transition /var/snap when created at runtime
+files_var_filetrans(snappy_t, snappy_var_t, dir, "snap")
 # some snaps may create character files, eg. lxd creates /dev/full in the
 # container's rootfs
 manage_chr_files_pattern(snappy_t, snappy_var_t, snappy_var_t)