Snappy evolution

Neal Gompa ngompa13 at gmail.com
Mon Jan 9 14:24:08 UTC 2017


On Sun, Jan 8, 2017 at 2:26 PM, Aleix Pol <aleixpol at kde.org> wrote:
> Hi everyone,
> Last Snappy meeting we discussed several subjects and I would like to
> know what's the status, hence this e-mail.
> - Usage of snappy in random Linux systems: Red Hat et al (Fedora,
> CentOS), random GNU/Linux kernels (e.g. ArchLinux and Android).

This is not working.

SELinux support is missing within snapd, and I'm still playing
whack-a-mole with the SELinux policy module[0] I've been working on.

Unfortunately, the correct way to handle this is something I'm simply
not skilled at doing, since it requires fundamentally comprehensive
understanding of snapd and conceptual understanding of SELinux as a
MAC and how to use it through libselinux in the manner needed by
snapd. While I have the conceptual understanding of SELinux, I do not
have the other two pieces. The concepts of SELinux MAC and snapd's
security model do mostly line up, from what I can tell, so it's just a
matter of someone with understanding of both bridging the gap.

CentOS, Fedora, and Android use SELinux, so this is a prerequisite for
making Snappy work in a useful, secure manner.

Arch Linux has no MAC by default, though the community prefers SELinux
and offers it as a supported-ish option (see Arch Hardened), likewise
for Gentoo (see Gentoo Hardened).

In addition, we're still missing some kind of way to swap default core
snaps and have a concept of a "base" snap so that distributions can
build snaps from their own code. I wrote code for making core snaps
based on Fedora, Mageia, or openSUSE[1], but there's still no way for
me to force snapd to use a different core snap.

There's also still work to be done from the Snapcraft side to support
different distributions, too. See the snapcraft bug[2] for details.

[0]: https://gitlab.com/Conan_Kudo/snapcore-selinux
[1]: https://gitlab.com/Conan_Kudo/snapcore-mkrpmdistcoresnap
[2]: https://bugs.launchpad.net/snapcraft/+bug/1602258

> - Some discussed AppStream semantics introduction for integration in
> Software Centers.
>

As far as I know, I don't think anything has happened on this front
since we discussed it at the sprint.


-- 
真実はいつも一つ!/ Always, there's only one truth!