SELinux: snapd: Confining snaps to their private domain


Snaps are applications that are installed and updated automatically by snapd. If you are using the Swift programming language, a good IDE for it is Visual Studio Code (vscode). Visual Studio Code is a snap and you can install it as follows:

sudo snap install --classic code

Requirements: Run sudo omarine-update to update the system and install snapd.

snapd was originally written for systems using the AppArmor security model, so snapd generates an AppArmor profile for each snap that acts as its security policy. The SELinux policy that ships with snapd has no per-snap equivalent. Worse, classic snaps like vscode are not confined at all: --classic means the snap runs with the same access as any ordinary program, which is a security risk.

An SELinux security policy, however, can confine every snap, whether it is classic or not.

Unfortunately, all the snaps share the same snappy_snap_t type: each snap is a read-only squashfs image mounted on a loop device, so no file label inside it can be changed, and there is nothing in the file type that a type_transition rule could use to tell one snap from another. snappy_snap_t plays the same role as bin_t does for generic programs, and the snapd package is hard-coded to perform a manual domain transition with setexeccon() into unconfined_service_t, so every snap ends up running in that single domain.

That is not a good thing: a small snap wears the same oversized policy shirt as the big snap, so a compromised or misbehaving snap can reach resources well beyond its own scope, and the policy cannot tell which snap did it.

To fix this, we patch the snapd package so that each snap gets its own domain. Every such domain name ends in _service_t and begins with the name of the snap. For example, the domain of hello-world is hello-world_service_t, the domain of code is code_service_t, and the domain of gnome-calculator is gnome-calculator_service_t.

See details in the patch file snapd-2.46-selinux-1.patch.

With this approach, adding a new snap to the set of snaps that have their own domain is just a matter of instantiating a template in the policy source code.
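As an added example, not code from the Omarine page, the snapd-2.46-selinux-1.patch or the snapd project, the script below produces the same kind of per-snap policy module from a shell heredoc instead of an m4 template, and builds and loads it with the refpolicy development Makefile. It assumes, without having checked the Omarine policy sources, that the stock snapd policy defines snappy_confine_t for snap-confine and snappy_snap_t for the squashfs snap mounts, and that snap-confine already holds process:setexec so it can select the target domain with setexeccon().

```shell
#!/bin/sh
# Added example, not code from the Omarine page or from the snapd project.
# Emits a small SELinux policy module that gives one snap its own domain,
# <snap>_service_t, following the naming rule described above.
# Assumptions (not verified against the Omarine policy sources): the stock
# snapd policy defines snappy_confine_t for snap-confine and snappy_snap_t
# for the squashfs snap mounts, and snap-confine already holds
# process:setexec so it can pick the target domain with setexeccon().

# snap_domain_name NAME -> the per-snap domain type
snap_domain_name() {
    printf '%s_service_t' "$1"
}

# snap_policy_module NAME -> prints the .te source for that snap's module
snap_policy_module() {
    name=$1
    domain=$(snap_domain_name "$name")
    cat <<EOF
policy_module(snap_${name}, 1.0)

require {
    type snappy_confine_t, snappy_snap_t;
    role system_r;
}

# One domain per snap; nothing is shared with other snaps' domains.
type ${domain};
domain_type(${domain})
role system_r types ${domain};

# Every snap binary carries the shared snappy_snap_t label (read-only
# squashfs), so that type must be an entry point for this domain.
domain_entry_file(${domain}, snappy_snap_t)

# snap-confine chooses the domain with setexeccon(); there is no
# type_transition that could tell snaps apart by file label, so the
# transition has to be allowed explicitly.
allow snappy_confine_t ${domain}:process transition;
EOF
}

# build_and_load NAME -> compile the module with the refpolicy devel
# Makefile and load it (needs the selinux-policy-devel tools and root).
build_and_load() {
    name=$1
    dir=$(mktemp -d)
    snap_policy_module "$name" > "$dir/snap_${name}.te"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "snap_${name}.pp" ) \
        && semodule -i "$dir/snap_${name}.pp"
}

# Usage: sh this-script.sh <snap-name>
# Prints the module source; loads it only as root with the build tools present.
if [ -n "$1" ]; then
    snap_policy_module "$1"
    if [ "$(id -u)" -eq 0 ] && [ -f /usr/share/selinux/devel/Makefile ]; then
        build_and_load "$1"
    fi
fi
```

Note that the module only defines the domain and permits the transition into it; nothing here makes a snap land in that domain automatically. Because snapd selects the context with setexeccon() rather than through a type_transition rule, an unpatched snap-confine would still put the snap into unconfined_service_t even with this module loaded.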

The illustration below (a screenshot) shows the two snaps code and gnome-calculator each running in its own domain.
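The check a practitioner wants after loading the patched snapd and policy is the one the screenshot illustrates: every process started from /snap/<name>/ runs in <name>_service_t and none is left in the shared unconfined_service_t domain. The script below is an added example, not from the Omarine page or the snapd project; the ps lines it runs over are constructed sample data, and on a live system you would feed it `ps -eo label=,args=` instead.

```shell
#!/bin/sh
# Added example, not from the Omarine page or the snapd project.
# Verifies that each process started from /snap/<name>/ runs in the
# per-snap domain <name>_service_t, and flags any snap process that is
# still in the shared unconfined_service_t (or any other) domain.
# The lines below are constructed sample data, not captured from a machine.

SAMPLE_PS='system_u:system_r:code_service_t:s0 /snap/code/50/usr/share/code/code --unity-launch
system_u:system_r:gnome-calculator_service_t:s0 /snap/gnome-calculator/748/usr/bin/gnome-calculator
system_u:system_r:unconfined_service_t:s0 /snap/hello-world/29/bin/echo Hello World!
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/bin/bash'

# check_snap_domains: reads "LABEL ARGS" lines (ps -eo label=,args=) on
# stdin, prints "OK <snap>" or "UNCONFINED <snap> <type>" per snap
# process, and returns 1 if any snap process is outside its own domain.
check_snap_domains() {
    awk '
    BEGIN { bad = 0 }
    $2 ~ /^\/snap\/[^\/]+\/[^\/]+\// {
        split($2, path, "/"); snap = path[3]       # /snap/<name>/<rev>/...
        split($1, ctx, ":"); type = ctx[3]         # user:role:type:range
        if (type == snap "_service_t") {
            print "OK " snap
        } else {
            print "UNCONFINED " snap " " type
            bad = 1
        }
    }
    END { exit bad }'
}

# unconfined_snaps: reads the same input, prints only the offending snap names
unconfined_snaps() {
    check_snap_domains | awk '$1 == "UNCONFINED" { print $2 }'
}

# Usage on a live system:  ps -eo label=,args= | check_snap_domains
if ! printf '%s\n' "$SAMPLE_PS" | check_snap_domains; then
    echo "some snaps are not confined to their own domain" >&2
fi
```

In the constructed sample, code and gnome-calculator pass while hello-world is reported as UNCONFINED with type unconfined_service_t, which is exactly what an unpatched snapd produces for every snap.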

Using snapd

After updating the system with sudo omarine-update to get snapd, reboot your computer. Before using snapd for the first time, run the following command; it contacts the daemon, starting it if it is not already running, and confirms that it responds:

snap version

Installing and running hello-world

hello-world is the usual first snap to install; other snaps are installed the same way.

sudo snap install hello-world

Then we run it:

hello-world
Searching for a snap

The snap find command searches the store for snaps, for example to find firefox:

snap find firefox

Listing installed snaps

The snap list command lists the installed snaps:

snap list
