Re: [PATCH] Do not use /etc/resolv.conf symbolic links on SELinux
- From: Guido Trentalancia <guido trentalancia net>
- To: networkmanager-list gnome org
- Subject: Re: [PATCH] Do not use /etc/resolv.conf symbolic links on SELinux
- Date: Thu, 29 Sep 2016 00:58:49 +0200
Hello.
On Wed, 28/09/2016 at 17.44 -0400, Colin Walters wrote:
> On Wed, Sep 28, 2016, at 02:06 PM, Guido Trentalancia wrote:
>> When SELinux is enabled, do not create a symbolic link to a "resolv.conf" file outside /etc (e.g. in /var/run/NetworkManager), but instead create a regular file in /etc.
>> This is to avoid creating policy permissions to read files in the other non-standard "resolv.conf" directories for each application that needs to access the network.
>
> Maybe better to:
> 1) Standardize e.g. `/run/resolv.conf` and have labeling set up for it
> 2) Change NetworkManager to label the file as `etc_t` which it likely has permission to do so already
The two alternatives you suggest are either over-complicated and not convenient (1) or unfeasible (2, because the file is a symbolic link).
Guido
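
An added example, not part of this thread or of NetworkManager: a shell helper for checking which of the two layouts discussed above a host actually has. It walks the symlink chain of a resolv.conf path and prints the SELinux context of every hop, since a link and its target are separate objects with separate labels. The function names and the output format are assumptions made for this sketch.

```shell
#!/bin/sh
# Walk the symlink chain behind a resolv.conf path and print one line per hop:
#   <type> <path> <selinux-context>

# Context of a path itself (stat does not follow symlinks without -L).
# Prints "unlabeled" when no context is available, e.g. SELinux is disabled.
context_of() {
    ctx=$(stat -c %C -- "$1" 2>/dev/null) || ctx=
    case "$ctx" in ''|'?') ctx=unlabeled ;; esac
    printf '%s\n' "$ctx"
}

# Exit status: 0 = regular file, 1 = reached through at least one symlink,
# 2 = missing target, unreadable link, or a chain that is too long.
resolv_chain() {
    path=$1
    hops=0
    status=0
    while [ -L "$path" ]; do
        printf 'symlink %s %s\n' "$path" "$(context_of "$path")"
        status=1
        target=$(readlink -- "$path") || return 2
        case "$target" in
            /*) path=$target ;;                           # absolute target
            *)  path=$(dirname -- "$path")/$target ;;     # relative to the link
        esac
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "too many links, giving up" >&2; return 2; }
    done
    if [ -f "$path" ]; then
        printf 'file %s %s\n' "$path" "$(context_of "$path")"
    else
        printf 'missing %s -\n' "$path"
        status=2
    fi
    return "$status"
}

# Run only when a path is given on the command line, e.g.:
#   sh resolv_chain.sh /etc/resolv.conf
[ "$#" -eq 0 ] || resolv_chain "$1"
```

A `symlink` line followed by a `file` line outside /etc is the layout the patch avoids; a single `file` line is the regular-file layout it creates.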