Re: [PATCH v2] Do not use /etc/resolv.conf symbolic links on SELinux

Hello Thomas.

On 29/09/2016 at 11.51 +0200, Thomas Haller wrote:
On Thu, 2016-09-29 at 09:17 +0200, Beniamino Galvani wrote:

On Thu, Sep 29, 2016 at 02:06:58AM +0200, Guido Trentalancia wrote:

When SELinux is enabled, do not create a symbolic link to a
file outside /etc (e.g. in /var/run/NetworkManager), but instead
create a
regular file in /etc.

This is to avoid creating policy permissions to read files in the
non-standard "resolv.conf" directories for each application that
needs to
access the network.


the patch seems to reimplement what rc-manager=file already does,
the difference that the patch will hardcode a behavior at build
when HAVE_SELINUX is set.

Can't you simply set 'rc-manager=file' in NetworkManager.conf to
achieve the same result? If you prefer you can also have that
enabled by default by building NetworkManager with

  ./configure --with-config-dns-rc-manager-default=file



I think so too.

The selinux-policy is very much coupled to the services that are
expected to run and the files those services use.

If your service does a certain thing that the selinux policy doesn't
allow you have two options:
  - extend the selinux policy
  - configure the service not to do that.

The latter can be already done via rc-manager=file (which also can be
configured to be compile-time default).

Thanks very much for pointing this out.

I think it is a good thing to reuse existing code.

However, I still think that creating a symbolic link instead of a
regular file for /etc/resolv.conf is a very bad idea and SELinux shows
this !

That's why, in my opinion, NetworkManager still needs to be patched so
that it works properly out of the box on SELinux-enabled systems.

That said, I am going to post a new version of the patch, which reuses
the existing code...



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]