Bug 1979459

Summary: snapd breaks GNOME for SELinux confined users
Product: [Fedora] Fedora EPEL Reporter: bugreports2005
Component: snapd Assignee: Zygmunt Krynicki <me>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel7 CC: go-sig, maciek.borzecki, me, ngompa13
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Last Closed: 2024-07-09 03:38:25 UTC Type: Bug

Description bugreports2005 2021-07-06 06:19:09 UTC
Description of problem:

When snapd is installed and a user with context set to staff_t logs into GNOME classic, the background is black and there are no bars. I did not test but was told that the non-classic was even more broken.

My analysis suggests that this is because /etc/profile.d/snapd.sh adds /var/lib/snapd/desktop to XDG_DATA_DIRS, SELinux prevents all access to it, and GNOME just gives up when that happens.

Adding this SELinux rule helped with the GNOME brokenness, although I do not know if it's enough for snap itself to work for a confined user. Should possibly add for user_t as well.

snappy_search_lib(staff_t);


Version-Release number of selected component (if applicable):
2.51-1.el7

How reproducible:
is reproducible

Steps to Reproduce:
1. install snapd, create testuser account
2. semanage login -a testuser -s staff_u
3. log testuser into gnome classic

Actual results:
black background, no menu bars, broken and hard to use


Expected results:
gnome works normally


Additional info:

This is just a specific case of brokenness, the SELinux rules governing /var/lib/snapd should probably be relaxed more generally as there are other related bugs about SELinux preventing access: #1648701, #1888699, #1973097, #1960735.

I don't know if this is enough to get snap to actually work for a confined user.
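
To confirm which XDG_DATA_DIRS entry a confined session cannot reach, the following added example (not part of the original report and not snapd's own code) classifies every entry as the calling process sees it. The function name `classify_xdg_dirs` is hypothetical, and a "denied" result does not distinguish between file modes, ACLs and SELinux.

```shell
#!/bin/sh
# Added example (not from the bug report). classify_xdg_dirs is a hypothetical helper.
# Prints "STATUS<TAB>PATH" for each entry of a colon-separated list such as
# $XDG_DATA_DIRS, as seen by the calling process:
#   ok       directory can be listed and searched
#   denied   access refused (file mode, ACL, or an SELinux denial)
#   missing  path does not exist
#   notdir   path exists but is not a directory
classify_xdg_dirs() (
    IFS=:
    set -f                                 # no globbing while splitting on ':'
    for dir in $1; do
        [ -n "$dir" ] || continue          # skip empty entries ("a::b")
        # ls reports "Permission denied" when a parent directory cannot be
        # searched, the failure mode described for /var/lib/snapd/desktop.
        if err=$(LC_ALL=C ls -d -- "$dir" 2>&1 >/dev/null); then
            if [ ! -d "$dir" ]; then
                status=notdir
            elif [ -r "$dir" ] && [ -x "$dir" ]; then
                status=ok
            else
                status=denied
            fi
        else
            case $err in
                *"Permission denied"*) status=denied ;;
                *) status=missing ;;
            esac
        fi
        printf '%s\t%s\n' "$status" "$dir"
    done
)

# Report on the current session; the fallback is the XDG default search path.
classify_xdg_dirs "${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
```

Run it from a terminal or SSH login of the affected user (staff_u in the steps above); any "denied" entry can then be matched against AVC records, for example with `ausearch -m avc`.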

Comment 1 Troy Dawson 2024-07-09 03:38:25 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it
will not receive any further security or bug fix updates.
As a result we are closing this bug.