avahi-daemon label change breaks generated profiles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd (Ubuntu) | In Progress | Undecided | Unassigned |
Bug Description
I've been working on snapping an app (shairport-sync) that uses Avahi. Currently on startup it's logging the following in the system logs, and is not showing up in avahi-browse:
type=USER_AVC msg=audit(
As an experiment I reinstalled my snap in devmode and got the following:
type=USER_AVC msg=audit(
followed by lots of other happy-looking messages, e.g.:
type=USER_AVC msg=audit(
and my machine appeared in avahi-browse and was visible to my other mDNS devices. So the problem seems to be solely due to confinement.
In fact, the generated profile has the following:
peer=
but the denials have the following:
peer_
so I suspect the avahi-daemon labelling has changed in Ubuntu (I'm running 20.04 LTS).
description: updated
summary: avahi-control dbus permissions for Ping method need updating → avahi dbus permissions for Ping method need updating
summary: avahi dbus permissions for Ping method need updating → avahi-daemon label change break generated profiles
description: updated
Changed in snapd (Ubuntu):
status: New → In Progress
https://github.com/snapcore/snapd/pull/8713
Tested locally, and by allowing bare "avahi-daemon" as a label, my confined snap can register with Avahi and is visible across the network.
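The mismatch described in the report, between the `peer=` label in the generated profile and the peer label in the denials, can be checked mechanically. The following is an added example, not code from this bug report or from snapd. The profile fragment, the audit records, the snap name and the placeholder old label are all constructed, because the page elides the real values; only the `Ping` method and the bare `avahi-daemon` label come from the page.

```python
import fnmatch
import re

# Constructed profile fragment. The old label is a placeholder: the page elides the real one.
PROFILE = '''
dbus (send)
    bus=system
    interface=org.freedesktop.DBus.Peer
    member=Ping
    peer=(name=org.freedesktop.Avahi,label="/placeholder/old-avahi-label"),
'''

# Constructed audit records (not the reporter's logs): one denial, one devmode ALLOWED.
AUDIT = '''
type=USER_AVC msg=audit(0.000:1): pid=1 uid=0 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" member="Ping" mask="send" name="org.freedesktop.Avahi" label="snap.example.app" peer_label="avahi-daemon"'
type=USER_AVC msg=audit(0.000:2): pid=1 uid=0 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" member="Ping" mask="send" name="org.freedesktop.Avahi" label="snap.example.app" peer_label="avahi-daemon"'
'''.strip().splitlines()

LABEL = re.compile(r'peer=\([^)]*?label=("[^"]*"|[^,)\s]+)')
KV = re.compile(r'(\w+)="([^"]*)"')


def allowed_peer_labels(profile):
    """Collect every label the profile accepts in a peer=(...) clause."""
    labels = set()
    for raw in LABEL.findall(profile):
        pattern = raw.strip('"')
        if pattern.startswith("{") and pattern.endswith("}"):
            # Simple top-level {a,b} alternation only; nested forms are not handled.
            labels.update(p.strip() for p in pattern[1:-1].split(","))
        else:
            labels.add(pattern)
    return labels


def unmatched_peer_labels(profile, lines):
    """Return peer labels seen in D-Bus denials that no profile rule accepts."""
    allowed = allowed_peer_labels(profile)
    missing = set()
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue
        if not fields.get("operation", "").startswith("dbus"):
            continue
        peer = fields.get("peer_label")
        # fnmatch only approximates AppArmor's label globbing.
        if peer and not any(fnmatch.fnmatchcase(peer, a) for a in allowed):
            missing.add(peer)
    return sorted(missing)
```

A non-empty result means the daemon is running under a label the generated profile does not name, which is the condition the reporter suspected.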