Bug 1626840

Summary: Several SELinux messages when installing snapd and a simple snap package.
Product: [Fedora] Fedora Reporter: psg_nm <pgrahamdev>
Component: snapdAssignee: Zygmunt Krynicki <me>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 28CC: me, ngompa13
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-12-28 22:55:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Detailed SELinux messages when trying to install snapd and simple "hello" package. none

Description psg_nm 2018-09-09 15:36:47 UTC 
Created attachment 1481889 [details]
Detailed SELinux messages when trying to install snapd and simple "hello" package.

Description of problem:
I received several SELinux alerts when install the "snapd" RPM and a basic snap package.

Version-Release number of selected component (if applicable):
snapd-2.35-1.fc28.x86_64

How reproducible:


Steps to Reproduce:
1. Install "snapd" using "sudo dnf install snapd"
2. Following the suggestion from https://docs.snapcraft.io/core/install-fedora, I  ran "sudo ln -s /var/lib/snapd/snap /snap"
3. Run "snap install hello" (will ask for root authentication).

Actual results:

The snapd package was installed properly, but I received several SELinux alerts.  including:

SELinux is preventing snap-confine from getattr access on the filesystem /.

SELinux is preventing snapd from getattr access on the directory /home/username/snap.

SELinux is preventing snapd from read access on the directory snap.

SELinux is preventing snapd from open access on the directory /home/username/snap.

Note that "hello" and "hello.universe" do run properly.

Expected results:

No SELinux warnings/messages.

Additional info:

Note that I have tried using snap packages a few times on Fedora 28, but I ran into similar errors and gave up, not reporting the problems.  I figured I would finally report the bug report.  I have tried installing a few other snap packages, but I thought I would start with a basic one.
Comment 1 psg_nm 2018-12-28 22:55:36 UTC 
This appears to be fixed in a recent update to Fedora 29 (maybe an update to the snapd-selinux package fixed this).

I did recently reinstall my Fedora desktop which has been upgraded from Fedora 23 (or so) through Fedora 29.  I did see some SELinux warnings related to snapd (something about updating man pages, as I remember).  The reinstallation was done with with Fedora 29 KDE Spin and so far no issues with SELinux warnings.  This issue can be closed for now.