From 396e66f0563f19925c635f152e3cded64de0e98a Mon Sep 17 00:00:00 2001
Message-Id: <396e66f0563f19925c635f152e3cded64de0e98a.1649678867.git.maciej.zenon.borzecki@canonical.com>
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Fri, 8 Apr 2022 15:32:27 +0200
Subject: [PATCH] data/selinux: allow snap-update-ns to mount on top of
/var/snap inside the mount ns
Some layouts may place things on top of paths under /var/snap.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
data/selinux/snappy.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index 198b57fa6f2400f2f1eca7d901067d2f7184e595..0abfc52dc26ebc97af83df729a544ea0e6e3a553 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -543,6 +543,11 @@ allow snappy_mount_t snappy_snap_t:dir mounton;
allow snappy_mount_t snappy_snap_t:file mounton;
allow snappy_mount_t snappy_snap_t:filesystem { unmount remount };
+# layouts may also require mounting on top of /var/lib/snapd which contains the
+# snaps
+allow snappy_mount_t snappy_var_lib_t:dir mounton;
+allow snappy_mount_t snappy_var_lib_t:file mounton;
+
# freezer
fs_manage_cgroup_dirs(snappy_mount_t)
fs_manage_cgroup_files(snappy_mount_t)
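Review bot: The comment above the two new `mounton` rules names /var/lib/snapd, while the subject and description say the layouts target paths under /var/snap; one of the two should be corrected so a later reader knows which tree snappy_var_lib_t is meant to cover (the file-context mapping for that type is not visible in this hunk). If the type does label /var/lib/snapd, the comment should say why a layout needs to mount over snapd's own state directory rather than only snap content, e.g. `# layouts may also require mounting on top of /var/lib/snapd (labelled snappy_var_lib_t), which holds the unpacked snaps`. Note that the rules grant mounton on every dir and file carrying that label, not only the snap content; if a narrower type already exists for the snap tree, using it would limit what snap-update-ns is allowed to shadow inside the mount namespace.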
--
2.35.1