Re: [PATCH] Do not use /etc/resolv.conf symbolic links on SELinux


On Wed, 28/09/2016 at 17.44 -0400, Colin Walters wrote:

On Wed, Sep 28, 2016, at 02:06 PM, Guido Trentalancia wrote:

When SELinux is enabled, do not create a symbolic link to a
file outside /etc (e.g. in /var/run/NetworkManager), but instead
create a regular file in /etc.

This is to avoid creating policy permissions to read files in the
non-standard "resolv.conf" directories for each application that
needs to access the network.

Maybe better to:

1) Standardize e.g. `/run/resolv.conf` and have labeling set up for
2) Change NetworkManager to label the file as `etc_t` which it likely
   has permission to do so already

The two alternatives you suggest are either over-complicated and not convenient (1) or unfeasible (2, because the file is a symbolic link).

