[PATCH v2] Do not use /etc/resolv.conf symbolic links on SELinux

From: Guido Trentalancia <guido trentalancia net>
To: networkmanager-list gnome org
Subject: [PATCH v2] Do not use /etc/resolv.conf symbolic links on SELinux
Date: Thu, 29 Sep 2016 02:06:58 +0200

When SELinux is enabled, do not create a symbolic link to a "resolv.conf"
file outside /etc (e.g. in /var/run/NetworkManager), but instead create a
regular file in /etc.

This is to avoid creating policy permissions to read files in the other
non-standard "resolv.conf" directories for each application that needs to
access the network.

Signed-off-by: Guido Trentalancia <guido trentalancia net>
---
 src/dns-manager/nm-dns-manager.c |   22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

--- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c  2016-08-24 15:09:03.000000000 +0200
+++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c       2016-09-29 02:00:36.825511593 +0200
@@ -845,17 +845,35 @@ update_resolv_conf (NMDnsManager *self,
                return SR_ERROR;
        }
 
+       /* A symbolic link is avoided when SELinux is enabled because this
+        * would require changing the policy for each application requiring
+        * network access (i.e. networkmanager_read_pid_files() interface)
+        */
+#ifndef HAVE_SELINUX
        if (symlink (MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
+#else
+       if (rename (MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
+#endif
                errsv = errno;
                g_set_error (error,
                             NM_MANAGER_ERROR,
                             NM_MANAGER_ERROR_FAILED,
+#ifndef HAVE_SELINUX
                             "Could not create symlink %s pointing to %s: %s",
-                            RESOLV_CONF_TMP,
-                            MY_RESOLV_CONF,
+                            RESOLV_CONF_TMP,
+                            MY_RESOLV_CONF,
+#else
+                            "Could not rename %s to %s: %s",
+                            MY_RESOLV_CONF,
+                            RESOLV_CONF_TMP,
+#endif
                             g_strerror (errsv));
                _LOGT ("update-resolv-conf: write internal file %s succeeded "
+#ifndef HAVE_SELINUX
                       "but failed to symlink %s: %s",
+#else
+                      "but failed to rename it to %s: %s",
+#endif
                       MY_RESOLV_CONF, RESOLV_CONF_TMP, g_strerror (errsv));
                return SR_ERROR;
        }

Follow-Ups:
- Re: [PATCH v2] Do not use /etc/resolv.conf symbolic links on SELinux
  - From: Beniamino Galvani
- [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux
  - From: Guido Trentalancia

References:
- [PATCH] Do not use /etc/resolv.conf symbolic links on SELinux
  - From: Guido Trentalancia

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]