On Thu, 2016-09-29 at 09:17 +0200, Beniamino Galvani wrote:
> On Thu, Sep 29, 2016 at 02:06:58AM +0200, Guido Trentalancia wrote:
> > When SELinux is enabled, do not create a symbolic link to a "resolv.conf" file outside /etc (e.g. in /var/run/NetworkManager), but instead create a regular file in /etc. This is to avoid creating policy permissions to read files in the other non-standard "resolv.conf" directories for each application that needs to access the network.
>
> Hi,
>
> the patch seems to reimplement what rc-manager=file already does, with the difference that the patch will hardcode a behavior at build time when HAVE_SELINUX is set. Can't you simply set 'rc-manager=file' in NetworkManager.conf to achieve the same result?
>
> If you prefer you can also have that option enabled by default by building NetworkManager with
>
>   ./configure --with-config-dns-rc-manager-default=file
>
> Ben

Hi,

I think so too.

The selinux-policy is very much coupled to the services that are expected to run and the files those services use. If your service does a certain thing that the selinux policy doesn't allow you have two options:
 - extend the selinux policy
 - configure the service not to do that.

The latter can be already done via rc-manager=file (which also can be configured to be compile-time default).

Thomas
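
A check for the "configure the service not to do that" option from this thread, as an added example that is not part of the original messages or of NetworkManager: it reports which rc-manager value is in effect and whether resolv.conf is a regular file or a symlink. It assumes the caller passes the configuration files in the order NetworkManager reads them (later files override earlier ones); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helper, not NetworkManager code.

# Print the last rc-manager value found in a [main] section across the given
# files (later files win); "unset" means the build-time default applies.
effective_rc_manager() {
    awk '
        FNR == 1      { in_main = 0 }                 # new file: no section yet
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        in_main && /^[ \t]*rc-manager[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }
    ' "$@" /dev/null
}

# Classify the path: "regular", "symlink:<target>" or "missing".
resolv_conf_kind() {
    if [ -L "$1" ]; then printf 'symlink:%s\n' "$(readlink "$1")"
    elif [ -f "$1" ]; then echo regular
    else echo missing
    fi
}

# usage: audit_resolv_conf RESOLV_CONF CONF_FILE...
# Succeeds only if rc-manager=file is configured AND the path is a regular file.
audit_resolv_conf() {
    target=$1; shift
    mode=$(effective_rc_manager "$@")
    kind=$(resolv_conf_kind "$target")
    echo "rc-manager=$mode resolv.conf=$kind"
    [ "$mode" = file ] && [ "$kind" = regular ]
}

# Constructed demo tree (not a real system): main config says "symlink",
# a drop-in overrides it with "file", and resolv.conf is still a symlink.
demo=$(mktemp -d)
printf '[main]\nrc-manager=symlink\n' > "$demo/NetworkManager.conf"
printf '[logging]\nrc-manager=bogus\n[main]\n# rc-manager=none\nrc-manager = file\n' > "$demo/10-dns.conf"
ln -s /var/run/NetworkManager/resolv.conf "$demo/resolv.conf"
audit_resolv_conf "$demo/resolv.conf" "$demo/NetworkManager.conf" "$demo/10-dns.conf" \
    || echo "finding: resolv.conf is not a regular file managed with rc-manager=file"
```

On a real host the same function would be pointed at /etc/resolv.conf and the NetworkManager configuration files; a non-zero exit means either the setting or the on-disk file does not match what the SELinux policy expects.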