Re: [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux



Compile time checks for SELinux presence/status are simply wrong.
  

On Thu, Sep 29, 2016 at 3:11 PM Guido Trentalancia <guido trentalancia net> wrote:
When SELinux is enabled, do not create a symbolic link to a "resolv.conf"
file outside /etc (e.g. in /var/run/NetworkManager), but instead create a
regular file in /etc.

This is to avoid creating policy permissions to read files in the other
non-standard "resolv.conf" directories for each application that needs to
access the network.

Thanks to Thomas Haller for suggesting that existing code can be reused
to achieve this.

Signed-off-by: Guido Trentalancia <guido trentalancia net>
---
 src/dns-manager/nm-dns-manager.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c  2016-08-24 15:09:03.000000000 +0200
+++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c       2016-09-29 14:48:44.646034942 +0200
@@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self,
        FILE *f;
        struct stat st;
        gboolean success;
+       gboolean selinux = FALSE;
        gs_free char *content = NULL;
        SpawnResult write_file_result = SR_SUCCESS;
        int errsv;
        const char *rc_path = _PATH_RESCONF;
        nm_auto_free char *rc_path_real = NULL;

+#ifdef HAVE_SELINUX
+       selinux = TRUE;
+#endif
+
        /* If we are not managing /etc/resolv.conf and it points to
         * MY_RESOLV_CONF, don't write the private DNS configuration to
         * MY_RESOLV_CONF otherwise we would overwrite the changes done by
@@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self,

        content = create_resolv_conf (searches, nameservers, options);

-       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
+       /* A symbolic link is avoided when SELinux is enabled because this
+        * would require changing the policy for each application requiring
+        * network access (i.e. networkmanager_read_pid_files() interface)
+        */
+       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) {
                GError *local = NULL;

                rc_path_real = realpath (rc_path, NULL);
@@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self,
                return SR_ERROR;
        }

-       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
+       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) {
                _LOGT ("update-resolv-conf: write internal file %s succeeded (rc-manager=%s)",
                       rc_path, _rc_manager_to_string (rc_manager));
                return write_file_result;
_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]