data/selinux: allow mounting on var_t (#14567)
This comes up when snap-update-ns called from snapd attempts to mount on
files labeled with var_t, such as /var/cache/swcatalog.

Jira: https://warthogs.atlassian.net/browse/SNAPDENG-32055

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
zyga authored Oct 2, 2024
1 parent e7a25a6 commit 0193451
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion data/selinux/snappy.te
Expand Up @@ -575,8 +575,9 @@ allow snappy_mount_t lib_t:dir mounton;
# mount things labeled usr_t from the host
allow snappy_mount_t usr_t:dir mounton;

# allow mounting on top of /var/lib
# allow mounting on top of /var and /var/lib
allow snappy_mount_t var_lib_t:dir mounton;
allow snappy_mount_t var_t:dir mounton;

# mount and unmount on top of snaps
allow snappy_mount_t snappy_snap_t:dir mounton;
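
Review bot: the added `allow snappy_mount_t var_t:dir mounton;` rule covers the `dir` class only, while the commit message speaks of mounting on "files labeled with var_t". It is worth confirming that /var/cache/swcatalog is a directory and that no regular-file mount target carries this label, since that would need a separate `var_t:file mounton` rule. The updated comment says "/var and /var/lib", but the rule is keyed on the var_t type rather than a path and the motivating target is /var/cache/swcatalog. Consider naming that case in the comment so the reason for the wider permission is recorded next to the rule.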