Server IP : 13.213.54.232 / Your IP : 216.73.216.30 Web Server : Apache/2.4.52 (Ubuntu) System : Linux ip-172-31-17-110 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 User : www-data ( 33) PHP Version : 7.1.33-67+ubuntu22.04.1+deb.sury.org+1 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals, MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /snap/snapd/current/usr/lib/snapd/ |
Upload File : |
#!/bin/bash set -e set +x STATIC_SNAP_MOUNT_DIR="/snap" show_help() { exec cat <<'EOF' Usage: snap-mgmt-selinux.sh [OPTIONS] A helper script to manage SELinux contexts used by snapd Arguments: --snap-mount-dir=<path> Provide a path to be used as $STATIC_SNAP_MOUNT_DIR --patch-selinux-mount-context=<context> Add SELinux context to mount units --remove-selinux-mount-context=<context> Remove SELinux context from mount units EOF } SNAP_UNIT_PREFIX="$(systemd-escape -p ${STATIC_SNAP_MOUNT_DIR})" patch_selinux_mount_context() { if ! command -v selinuxenabled > /dev/null; then return fi if ! selinuxenabled; then # The tools are there, but SELinux is not enabled return fi selinux_mount_context="$1" remove="$2" if ! echo "$selinux_mount_context" | grep -qE '[a-zA-Z0-9_]+(:[a-zA-Z0-9_]+){2,3}'; then echo "invalid mount context '$selinux_mount_context'" exit 1 fi context_opt="context=$selinux_mount_context" mounts=$(systemctl list-unit-files --no-legend --full "$SNAP_UNIT_PREFIX-*.mount" | cut -f1 -d ' ' || true) changed_mounts= for unit in $mounts; do # Ensure its really a snap mount unit or systemd unit if ! grep -q 'What=/var/lib/snapd/snaps/' "/etc/systemd/system/$unit" && ! grep -q 'X-Snappy=yes' "/etc/systemd/system/$unit"; then echo "Skipping non-snapd systemd unit $unit" continue fi if [ "$remove" == "" ]; then if grep -q "Options=.*,$context_opt" < "/etc/systemd/system/$unit"; then # already patched continue fi if ! sed -i -e "s#^\\(Options=nodev.*\\)#\\1,$context_opt#" "/etc/systemd/system/$unit"; then echo "Cannot patch $unit" fi changed_mounts="$changed_mounts $unit" elif [ "$remove" == "remove" ]; then if ! grep -q "Options=.*,$context_opt" < "/etc/systemd/system/$unit"; then # Not patched continue fi if ! sed -i -e "s#^\\(Options=nodev.*\\),$context_opt\\(,.*\\)\\?#\\1\\2#" "/etc/systemd/system/$unit"; then echo "Cannot patch $unit" fi changed_mounts="$changed_mounts $unit" fi done if [ -z "$changed_mounts" ]; then # Nothing changed, no need to reload return fi systemctl daemon-reload for unit in $changed_mounts; do if ! systemctl try-restart "$unit" ; then echo "Cannot restart $unit" fi done } while [ -n "$1" ]; do case "$1" in --help) show_help exit ;; --snap-mount-dir=*) STATIC_SNAP_MOUNT_DIR=${1#*=} SNAP_UNIT_PREFIX=$(systemd-escape -p "$STATIC_SNAP_MOUNT_DIR") shift ;; --patch-selinux-mount-context=*) patch_selinux_mount_context "${1#*=}" shift ;; --remove-selinux-mount-context=*) patch_selinux_mount_context "${1#*=}" remove shift ;; *) echo "Unknown command: $1" exit 1 ;; esac done