authorMaciej Borzecki <maciej.zenon.borzecki@canonical.com>2019-04-11 12:06:14 +0200
committerMaciej Borzecki <maciej.zenon.borzecki@canonical.com>2019-04-11 12:06:14 +0200
commitd243da71d3d551d14ff098c8e80c37443dd363cd (patch)
tree1c5ea0e0a23ae664c2cd6871591cbfb07a3a4231 /data/selinux
parent4fa23718b53ae0b2eb367a1c7bd58737815e3610 (diff)
data/selinux: account for improved cwd handling in snap-confine
Services are started with their WorkingDirectory set to $SNAP_DATA. Since snap-confine performs more checks on cwd now, we need to account for that in the policy. Relevant SELinux denial: type=AVC msg=audit(1554975937.636:129): avc: denied { getattr } for pid=1099 comm="snap-confine" path="/var/snap/test-snapd-service/x1" dev="vda1" ino=393657 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1 Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Diffstat (limited to 'data/selinux')
-rw-r--r--data/selinux/snappy.te2
1 files changed, 1 insertions, 1 deletions
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index 7b7a201957..91d7955397 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -451,7 +451,7 @@ allow snappy_confine_t snappy_snap_t:file mounton;
allow snappy_confine_t snappy_snap_t:lnk_file read;
allow snappy_confine_t snappy_var_lib_t:dir mounton;
allow snappy_confine_t snappy_var_run_t:file mounton;
-allow snappy_confine_t snappy_var_t:dir mounton;
+allow snappy_confine_t snappy_var_t:dir { getattr mounton };
allow snappy_confine_t tmp_t:dir { add_name create mounton remove_name rmdir setattr write read };
allow snappy_confine_t usr_t:dir mounton;
allow snappy_confine_t var_log_t:dir mounton;
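Review bot: The widened rule `allow snappy_confine_t snappy_var_t:dir { getattr mounton };` has no comment tying the new `getattr` permission to the cwd check that motivated it, so a later policy audit would have no way to tell it apart from the surrounding audit2allow-style lines; a one-line comment above it such as `# snap-confine inspects its cwd ($SNAP_DATA under /var/snap) before setting up the mount namespace` would preserve that. The AVC in the description was recorded with permissive=1, where every denial is logged, so a single `getattr` denial on `/var/snap/test-snapd-service/x1` is a reasonable indicator, but it only shows the leaf directory itself; if the cwd handling also inspects parent components (not visible here), those paths carry other types such as `var_t` and would need their own rules. Worth confirming in enforcing mode by starting a service whose WorkingDirectory is $SNAP_DATA and checking for further denials.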