[PATCH] Do not use resolv.conf symbolic links on SELinux
- From: Guido Trentalancia <guido trentalancia net>
- To: networkmanager-list gnome org
- Subject: [PATCH] Do not use resolv.conf symbolic links on SELinux
- Date: Wed, 28 Sep 2016 19:06:43 +0200
When SELinux is enabled, do not create a symbolic link to a "resolv.conf"
file outside /etc (e.g. in /var/run/NetworkManager), but instead create a
regular file in /etc.
This avoids having to grant, for each application that needs network access, policy permissions to read files in the other non-standard "resolv.conf" directories.
Signed-off-by: Guido Trentalancia <guido trentalancia net>
---
src/dns-manager/nm-dns-manager.c | 39 +++++++++++++++++++++++++++++++++++++--
1 file changed, 37 insertions(+), 2 deletions(-)
--- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 2016-08-24 15:09:03.000000000 +0200
+++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c 2016-09-28 18:43:11.261469294 +0200
@@ -845,21 +845,56 @@ update_resolv_conf (NMDnsManager *self,
return SR_ERROR;
}
+ /* A symbolic link is avoided when SELinux is enabled because this
+ * would require changing the policy for each application requiring
+ * network access (i.e. networkmanager_read_pid_files() interface)
+ */
+#ifndef HAVE_SELINUX
if (symlink (MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
+#else
+ if (rename (MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
+#endif
errsv = errno;
g_set_error (error,
NM_MANAGER_ERROR,
NM_MANAGER_ERROR_FAILED,
+#ifndef HAVE_SELINUX
"Could not create symlink %s pointing to %s: %s",
- RESOLV_CONF_TMP,
- MY_RESOLV_CONF,
+ RESOLV_CONF_TMP,
+ MY_RESOLV_CONF,
+#else
+ "Could not rename %s to %s: %s",
+ MY_RESOLV_CONF,
+ RESOLV_CONF_TMP,
+#endif
g_strerror (errsv));
_LOGT ("update-resolv-conf: write internal file %s succeeded "
+#ifndef HAVE_SELINUX
"but failed to symlink %s: %s",
+#else
+ "but failed to rename it to %s: %s",
+#endif
MY_RESOLV_CONF, RESOLV_CONF_TMP, g_strerror (errsv));
return SR_ERROR;
}
+#ifdef HAVE_SELINUX
+ if (link (_PATH_RESCONF, MY_RESOLV_CONF) == -1) {
+ errsv = errno;
+ g_set_error (error,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_FAILED,
+ "Could not create hard link %s pointing to %s: %s",
+ RESOLV_CONF_TMP,
+ MY_RESOLV_CONF,
+ g_strerror (errsv));
+ _LOGT ("update-resolv-conf: write internal file %s succeeded "
+ "but failed to hard link %s: %s",
+ MY_RESOLV_CONF, RESOLV_CONF_TMP, g_strerror (errsv));
+ return SR_ERROR;
+ }
+#endif
+
if (rename (RESOLV_CONF_TMP, _PATH_RESCONF) == -1) {
errsv = errno;
g_set_error (error,
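Review bot: The new HAVE_SELINUX block calls `link (_PATH_RESCONF, MY_RESOLV_CONF)` before the `rename (RESOLV_CONF_TMP, _PATH_RESCONF)` at the end of the hunk, so MY_RESOLV_CONF ends up sharing the inode of the previous /etc/resolv.conf rather than the freshly written file, and the call fails with ENOENT when no /etc/resolv.conf exists yet; the g_set_error and _LOGT messages in that block also name RESOLV_CONF_TMP although the call uses _PATH_RESCONF and MY_RESOLV_CONF. Linking the temporary file instead, `link (RESOLV_CONF_TMP, MY_RESOLV_CONF)`, before the final rename gives both names the new content and lets the messages describe what was attempted; the rewritten block is below. Both that link() and the new `rename (MY_RESOLV_CONF, RESOLV_CONF_TMP)` fail with EXDEV if MY_RESOLV_CONF (under /var/run per the description) and RESOLV_CONF_TMP live on different filesystems, which is common when /var/run is a tmpfs, so that case presumably needs a copy instead of a rename/link. Note too that HAVE_SELINUX is a build-time flag, so the behaviour is chosen at compile time rather than "when SELinux is enabled" as the description says; a runtime check such as is_selinux_enabled() would match the stated intent. update_resolv_conf begins and ends outside the hunk.
```c
#ifdef HAVE_SELINUX
	/* Link the not-yet-renamed temporary file so that MY_RESOLV_CONF and
	 * _PATH_RESCONF end up sharing the freshly written inode. */
	if (link (RESOLV_CONF_TMP, MY_RESOLV_CONF) == -1) {
		errsv = errno;
		g_set_error (error,
		             NM_MANAGER_ERROR,
		             NM_MANAGER_ERROR_FAILED,
		             "Could not create hard link %s pointing to %s: %s",
		             MY_RESOLV_CONF,
		             RESOLV_CONF_TMP,
		             g_strerror (errsv));
		_LOGT ("update-resolv-conf: write internal file %s succeeded "
		       "but failed to hard link it to %s: %s",
		       RESOLV_CONF_TMP, MY_RESOLV_CONF, g_strerror (errsv));
		return SR_ERROR;
	}
#endif
/* … unchanged: final rename of RESOLV_CONF_TMP to _PATH_RESCONF … */
```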