On Sun, Jan 8, 2017 at 2:26 PM, Aleix Pol <[email protected]> wrote:
> Hi everyone,
> Last Snappy meeting we discussed several subjects and I would like to
> know what's the status, hence this e-mail.
> - Usage of snappy in random Linux systems: Red Hat et al (Fedora,
> CentOS), random GNU/Linux kernels (e.g. ArchLinux and Android).

This is not working. SELinux support is missing within snapd, and I'm still playing whack-a-mole with the SELinux policy module[0] I've been working on. Unfortunately, the correct way to handle this is something I'm simply not skilled at doing, since it requires a fundamentally comprehensive understanding of snapd and a conceptual understanding of SELinux as a MAC and how to use it through libselinux in the manner needed by snapd. While I have the conceptual understanding of SELinux, I do not have the other two pieces. The concepts of SELinux MAC and snapd's security model do mostly line up, from what I can tell, so it's just a matter of someone with understanding of both bridging the gap.

CentOS, Fedora, and Android use SELinux, so this is a prerequisite for making Snappy work in a useful, secure manner. Arch Linux has no MAC by default, though the community prefers SELinux and offers it as a supported-ish option (see Arch Hardened); likewise for Gentoo (see Gentoo Hardened).

In addition, we're still missing some kind of way to swap default core snaps and have a concept of a "base" snap so that distributions can build snaps from their own code. I wrote code for making core snaps based on Fedora, Mageia, or openSUSE[1], but there's still no way for me to force snapd to use a different core snap. There's also still work to be done from the Snapcraft side to support different distributions. See the snapcraft bug[2] for details.

[0]: https://gitlab.com/Conan_Kudo/snapcore-selinux
[1]: https://gitlab.com/Conan_Kudo/snapcore-mkrpmdistcoresnap
[2]: https://bugs.launchpad.net/snapcraft/+bug/1602258

> - Some discussed AppStream semantics introduction for integration in
> Software Centers.

As far as I know, I don't think anything has happened on this front since we discussed it at the sprint.

--
真実はいつも一つ!/ Always, there's only one truth!
