diff --git a/snapd-selinux-allow-tmp.patch b/snapd-selinux-allow-tmp.patch
new file mode 100644
index 0000000..50f21a9
--- /dev/null
+++ b/snapd-selinux-allow-tmp.patch
@@ -0,0 +1,16 @@
+diff --git a/snappy.te b/snappy.te
+index 4817321..77e7d45 100644
+--- a/snappy.te
++++ b/snappy.te
+@@ -114,6 +114,11 @@ gen_require(` type unlabeled_t; ')
+ allow snappy_t unlabeled_t:dir { getattr search };
+ allow snappy_t unlabeled_t:file { getattr open read };
++# Grant snapd access to /tmp
++gen_require(` type tmp_t; ')
++allow snappy_t tmp_t:dir { add_name create read remove_name rmdir write };
++allow snappy_t tmp_t:file { create open unlink write };
++
+
+ logging_send_syslog_msg(snappy_t);
+
diff --git a/snapd.spec b/snapd.spec
index 860d3bb..7d455bd 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -47,6 +47,10 @@ Patch2: 0001-docs-Fix-binary-path-referenced-in-documentation.patch
 # snapcore SELinux policy
 Source1: https://gitlab.com/Conan_Kudo/snapcore-selinux/repository/archive.tar.gz?ref=%{commit1}#/%{polmodname}-%{shortcommit1}.tar.gz
+# SELinux policy patches
+# This patch grants snapd access to /tmp, which should no longer be necessary in 2.17
+Patch500: snapd-selinux-allow-tmp.patch
+
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
@@ -144,6 +148,10 @@ providing packages with %{import_path} prefix.
 # Extract source for SELinux policy module
 tar xvf %{SOURCE1}
+pushd ./%{polmodfolder}
+%patch500 -p1 -b .allowtmp
+popd
+
 %build
 # Build SELinux module
@@ -324,6 +332,7 @@ fi
 %changelog
 * Wed Oct 19 2016 Zygmunt Krynicki - 2.16-1
 - New upstream release
+- Patch SELinux policy to allow access to /tmp
 * Tue Oct 18 2016 Neal Gompa - 2.14-2
 - Add SELinux policy module subpackage
 * Tue Aug 30 2016 Zygmunt Krynicki - 2.14-1
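Review bot: The two new `allow snappy_t tmp_t:...` rules in the embedded snappy.te hunk grant write access to the generic `tmp_t` type rather than to a private temp type, so anything snapd creates under /tmp keeps the `tmp_t` label of its parent directory and is shared with every other domain allowed on `tmp_t`. The refpolicy shape for this is a dedicated type reached through a transition, e.g. `files_tmp_filetrans(snappy_t, <PLACEHOLDER_snappy_tmp_t>, { dir file })` with manage rules on that type, or failing that the `files_manage_generic_tmp_dirs(snappy_t)` / `files_manage_generic_tmp_files(snappy_t)` interfaces instead of a raw `allow` behind `gen_require`. The file rule also lists `create open unlink write` without `read` or `getattr`, so unless another rule in snappy.te already covers it, snapd can write a temp file but not read it back; if that is intended, say so in the comment. Since the spec hunk in this same commit calls the patch a stop-gap until 2.17, the rule comment should carry the same note so it is dropped at the next rebase: `# Temporary for snapd 2.16: remove once 2.17 is packaged`.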
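Review bot: `%patch500 -p1 -b .allowtmp` in the `%prep` hunk leaves a `snappy.te.allowtmp` backup next to the policy source inside `%{polmodfolder}`; the SELinux module build in `%build` is outside this hunk, but if it globs or copies that directory the backup is carried along, and if it only compiles `snappy.te` the backup is dead weight in the build tree. Dropping the backup flag avoids both: `%patch500 -p1`. The `pushd`/`popd` pair is fine, though a one-line comment such as `# Apply local SELinux policy patch inside the extracted module tree` would make the reason for changing directory obvious to the next packager.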