Bug 2359260

Summary: snapd-2.68.3-0.el8.x86_64 on RHEL 8.10 blocked by selinux
Product: [Fedora] Fedora EPEL
Component: snapd
Version: epel8
Status: NEW
Severity: high
Priority: unspecified
Reporter: Louis van Dyk <louis>
Assignee: Zygmunt Krynicki <me>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: go-sig, maciek.borzecki, me, ngompa13
Hardware: Unspecified   
OS: Unspecified   
Type: Bug

Description Louis van Dyk 2025-04-13 00:19:03 UTC
Description of problem:
snapd-2.68.3 installed on RHEL 8.10 with SELinux enforcing fails to perform any actions, resulting in timeouts.  If SELinux is set to permissive mode, and snapd is restarted, then it works as expected.  snapd-2.67 is also affected.  Downgrading to snapd-2.65.1-0.el8.x86_64 works with SELinux in enforcing mode.

Version-Release number of selected component (if applicable):
snapd-selinux-2.68.3-0.el8.noarch
snap-confine-2.68.3-0.el8.x86_64
snapd-2.68.3-0.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install or upgrade the above three packages to 2.68.3 (or 2.67 which is also affected).
2. Run a snap command.
3. Wait as the server times out.  
4. setenforce 0
5. Restart snapd (it will take a long time to stop)
6. Run the snap command again, and it will succeed.
7. Downgrade snapd to 2.65.1.
8. setenforce 1
9. Restart snapd
10. Run the snap command, and it will succeed with SELinux enforcing.

Actual results:
As above

Expected results:
It should work in enforcing mode with 2.68.3 which is the current release.

Additional info:
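
The report above does not include the denials themselves. The following is an added example, not part of the original report and not snapd project code: a small parser that summarizes AVC denials from audit log text for one source domain, separating those recorded while enforcing (steps 1-3) from those recorded in permissive mode (steps 4-6). The sample lines are constructed, and the `snappy_t` source type and the target types are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log lines; NOT the denials from this bug report.
SAMPLE = """\
type=AVC msg=audit(1744503543.101:411): avc:  denied  { read } for  pid=2101 comm="snapd" name="example" dev="dm-0" ino=1234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1744503544.220:412): avc:  denied  { read } for  pid=2101 comm="snapd" name="example" dev="dm-0" ino=1234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1744503544.220:412): arch=c000003e syscall=257 success=no exit=-13 comm="snapd"
type=AVC msg=audit(1744503900.005:530): avc:  denied  { search getattr } for  pid=2350 comm="snapd" name="example" dev="dm-0" ino=5678 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1744503901.000:531): avc:  denied  { write } for  pid=900 comm="httpd" name="example" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\(\d+\.\d+:\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)"
    r"(?: permissive=(?P<mode>[01]))?"
)


def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize(log_text, source_type):
    """Count denials for one source domain, keyed by
    (mode, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or se_type(m["s"]) != source_type:
            continue  # not an AVC record, or a different domain
        # permissive=1 means the access was logged but allowed;
        # a missing field is treated as enforcing.
        mode = "permissive" if m["mode"] == "1" else "enforcing"
        for perm in m["perms"].split():
            counts[(mode, se_type(m["t"]), m["cls"], perm)] += 1
    return counts


if __name__ == "__main__":
    # "snappy_t" is an assumed source domain for this illustration.
    for key, n in sorted(summarize(SAMPLE, "snappy_t").items()):
        print(n, *key)
```

On a real host the input would be the audit log text covering the failing and the permissive runs, and the summary is the kind of detail that can be attached under "Additional info".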