PR#33: snapd: update to 2.54.4, cherr pick fixes for SELinux policy - rpms/snapd

rpms / snapd

#33 snapd: update to 2.54.4, cherr pick fixes for SELinux policy

Merged 2 years ago by bboozzoo. Opened 2 years ago by bboozzoo.

rpms/ bboozzoo/snapd bboozzoo/snapd-2.54.4 into rawhide

snapd: update to 2.54.4, cherr pick fixes for SELinux policy

Maciek Borzecki • 2 years ago

d915037

.gitignore

file modified

		`@@ -84,3 +84,5 @@`
		`/snapd_2.54.2.only-vendor.tar.xz`
		`/snapd_2.54.3.no-vendor.tar.xz`
		`/snapd_2.54.3.only-vendor.tar.xz`
		`+ /snapd_2.54.4.no-vendor.tar.xz`
		`+ /snapd_2.54.4.only-vendor.tar.xz`

0004-data-selinux-allow-the-snap-command-to-run-systemctl.patch

file added

+32

		`@@ -0,0 +1,32 @@`
		`+ From e995e0fafe55d0b73889b3995bbd982f4b362307 Mon Sep 17 00:00:00 2001`
		`+ Message-Id: <e995e0fafe55d0b73889b3995bbd982f4b362307.1646984489.git.maciej.zenon.borzecki@canonical.com>`
		`+ From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>`
		`+ Date: Wed, 23 Feb 2022 07:32:45 +0100`
		`+ Subject: [PATCH] data/selinux: allow the snap command to run systemctl`
		`+`
		`+ Which can happen when there is a system key mismatch. Caught in the wild on`
		`+ Fedora.`
		`+`
		`+ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057103`
		`+`
		`+ Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>`
		`+ ---`
		`+ data/selinux/snappy.te \| 2 ++`
		`+ 1 file changed, 2 insertions(+)`
		`+`
		`+ diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te`
		`+ index cc6ba5b14b306977eaa555b35d803637c2f5aa3e..c79f789ab00d4bc7e996606d4d63db2ac78d7ebd 100644`
		`+ --- a/data/selinux/snappy.te`
		`+ +++ b/data/selinux/snappy.te`
		`+ @@ -805,6 +805,8 @@ can_exec(snappy_cli_t, snappy_exec_t)`
		`+ fs_getattr_tmpfs(snappy_cli_t)`
		`+ fs_getattr_cgroup(snappy_cli_t)`
		`+`
		`+ +# execute systemctl is-system-running when system-key mismatch is detected`
		`+ +systemd_exec_systemctl(snappy_cli_t)`
		`+`
		`+ ########################################`
		`+ #`
		`+ --`
		`+ 2.35.1`
		`+`

snapd.spec

file modified

+43 -1

		`@@ -85,7 +85,7 @@`
		`%{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}`

		`Name: snapd`
		`- Version: 2.54.3`
		`+ Version: 2.54.4`
		`Release: 1%{?dist}`
		`Summary: A transactional software package manager`
		`License: GPLv3`
		`@@ -95,6 +95,7 @@`
		`Patch0: 0001-data-selinux-update-the-policy-to-allow-creating-rem.patch`
		`Patch1: 0002-data-selinux-update-SELinux-policy-with-more-bpf-all.patch`
		`Patch2: 0003-data-selinux-snap-confine-may-getattr-device-nodes-w.patch`
		`+ Patch3: 0004-data-selinux-allow-the-snap-command-to-run-systemctl.patch`

		`%if 0%{?with_goarches}`
		`# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required`
		`@@ -941,6 +942,47 @@`


		`%changelog`
		`+ * Fri Mar 11 2022 Maciek Borzecki <maciek.borzecki@gmail.com> - 2.54.4-1`
		`+ - Release 2.54.4 to Fedora`
		`+ - Includes a fix for RHBZ#2062678`
		`+ - Cherry pick a fix for RHBZ#2057103`
		`+`
		`+ * Thu Mar 03 2022 Michael Vogt <michael.vogt@ubuntu.com>`
		`+ - New upstream release 2.54.4`
		`+ - t/m/interfaces-network-manager: use different channel depending on`
		`+ system`
		`+ - many: backport attrer interface changes to 2.54`
		`+ - tests: skip version check on lp-1871652 for sru validation`
		`+ - i/builtin: allow modem-manager interface to access some files in`
		`+ sysfs`
		`+ - snapstate: make "remove vulnerable version" message more`
		`+ friendly`
		`+ - tests: fix "undo purging" step in snap-run-devmode-classic`
		`+ - o/snapstate: deal with potentially invalid type of refresh.retain`
		`+ value due to lax validation`
		`+ - interfaces: custom-device`
		`+ - packaging/ubuntu-16.04/control: adjust libfuse3 dependency`
		`+ - data/env: fix fish env for all versions of fish`
		`+ - packaging/ubuntu-16.04/snapd.postinst: start socket and service`
		`+ first`
		`+ - interfaces/u2f-devices: add U2F-TOKEN`
		`+ - interfaces/seccomp: Add rseq to base seccomp template`
		`+ - tests: remove disabled snaps before calling save_snapd_state`
		`+ - overlord: skip manager tests on riscv for now`
		`+ - interfaces/opengl: add support for ARM Mali`
		`+ - devicestate: ensure permissions of /var/lib/snapd/void are`
		`+ correct`
		`+ - cmd/snap-update-ns: convert some unexpected decimal file mode`
		`+ constants to octal.`
		`+ - interfaces/shared-memory: support single wild-cards in the`
		`+ read/write paths`
		`+ - packaging: fix running autopkgtest`
		`+ - i/builtin/xilinx-dma-host: add interface for Xilinx DMA driver`
		+ - tests: fix `tests/core/create-user` on testflinger pi3
		`+ - tests: fix parallel-install-basic on external UC16 devices`
		`+ - tests: re-enable kernel-module-load tests on arm`
		`+ - tests: do not run k8s smoke test on 32 bit systems`
		`+`
		`* Thu Feb 17 2022 Maciek Borzecki <maciek.borzecki@gmail.com> - 2.54.3-1`
		`- Release 2.54.3 to Fedora`
		`- Cherry pick SELinux policy fixes for RHBZ#1944390, RHBZ#2043160, RHBZ#2043161,`

sources

file modified

+2 -2

		`@@ -1,2 +1,2 @@`
		`- SHA512 (snapd_2.54.3.no-vendor.tar.xz) = 734616733b56623049b4385c4bfea37d1d9fc18966360c7e210c06e3e3716ea73a47fbeaa0924a8e1c9fcc92f5158bdc9255cbf1707d2ad2a2c49c0e4cae9a33`
		`- SHA512 (snapd_2.54.3.only-vendor.tar.xz) = 7c8fdab1316844e3ab03349d549d710b543da74b2ad5acff1e8c8f217c530e6e24d10a7dc1a9511aa1ac6cb151ca465062271deea09739a7222a42ef26408f11`
		`+ SHA512 (snapd_2.54.4.no-vendor.tar.xz) = 3ee98017d30c18f4367bae224a85bdf9991b37b9240783dfda3ceeac8fdc8332fea5c464de886e33e1b8e390b2c3d2cea515407b5306aadcc0397abf718ebfa0`
		`+ SHA512 (snapd_2.54.4.only-vendor.tar.xz) = 481bd06322427f343ac426f2b9ea5ae94acfd91dcf4aa269d85969c9d5e88776f8bed2240f017908e50975d24917e301b1f81d5fe41d2c3793e5bb57fa834811`