Why is snapd accessing TLS certificates?

mrsampson · October 3, 2022, 10:52am

SELinux is preventing snapd from open access on the file /etc/pki/tls/certs/Deutsche_Telekom_Root_CA_2.pem.

mettacrawler · October 3, 2022, 11:19am

Because most SSL/TLS/HTTPS clients connections require CA certificates in order to function properly? The simplest example I can come up with:

Web browser connects to HTTPS site.
HTTPS server sends a server certificate, one of the fields in it is the Issuer.
Web browser looks up the issuer in the TLS files.
If it finds a match it continues to the web site.

If you want better answers, provide more details.

On my Fedora systems I use SyncThing in a snap because there is no flatpak. The snap is provided by a 3rd party as the official SyncThing snap support was discontinued. It works great, my SyncThing is sandboxed and running as non-root for risk mitigation.

$ snap list
Name                    Version   Rev    Tracking       Publisher      Notes
core20                  20220826  1623   latest/stable  canonical✓     base
snapd                   2.57.2    17029  latest/stable  canonical✓     snapd
syncthing-arubislander  1.20.4    28     latest/stable  arub-islander  -

I have never had any SELinux issues with it. IIRC, I don’t think it uses CA certificates for TLS though. I think it uses self-signed ones.

mrsampson · October 3, 2022, 12:05pm

Thanks, I recently upgraded from F35 to F36 and noticed the SEL warning, so I’m very confused why something that wasn’t complaining in F35 would suddenly be complaining in F36. Seems weird.

I don’t install snaps or flatpaks when there’s an rpm available. I’m a little surpised at what’s listed in there. I run KDE, so I’m confused now about gnome being a snap.

Name                    Version                     Rev    Tracking       Publisher   Notes
acrordrdc               2021.007.20091              62     latest/stable  mmtrt       -
bare                    1.0                         5      latest/stable  canonical✓  base
core18                  20220831                    2566   latest/stable  canonical✓  base
gnome-3-28-1804         3.28.0-19-g98f9e67.98f9e67  161    latest/stable  canonical✓  -
gtk-common-themes       0.1-81-g442e511             1535   latest/stable  canonical✓  -
snapd                   2.57.2                      17029  latest/stable  canonical✓  snapd
wine-platform-6-stable  6.0.4                       19     latest/stable  mmtrt       -
wine-platform-runtime   v1.0                        316    latest/stable  mmtrt       -

dalto · October 3, 2022, 12:43pm

It is the nature of running snaps. They pull in the runtimes they need to operate. Apparently, gnome is one of those requirements.

I haven’t tried snaps in a long-time. Are they really sandboxed on Fedora? For some reason I thought that snaps relied on apparmor for security sandboxing.

computersavvy · October 3, 2022, 3:31pm

There have been some updates to the selinux policies and thus older systems that have not yet received a relabel to match the newer policies may complain.
The fix seems to be to do either sudo touch /.autorelabel which will relabel the secontext for the whole system at the next boot, or sudo restorecon -r / which will do the same thing for the running system (but could potentially interfere with a running process).

mettacrawler · October 4, 2022, 12:03am

$ dnf info snap-confine
Last metadata expiration check: 0:00:04 ago on Mon 03 Oct 2022 08:03:11 PM EDT.
Installed Packages
Name         : snap-confine
Version      : 2.56.2
Release      : 4.fc36
Architecture : x86_64
Size         : 9.0 M
Source       : snapd-2.56.2-4.fc36.src.rpm
Repository   : @System
From repo    : updates
Summary      : Confinement system for snap applications
URL          : https://github.com/snapcore/snapd
License      : GPLv3
Description  : This package is used internally by snapd to apply confinement to
             : the started snap applications.

https://packages.fedoraproject.org/pkgs/snapd/snap-confine/index.html

mrsampson · October 4, 2022, 9:31am

That was it. Thank you.