Re: [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux
- From: Jetchko Jekov <jetchko jekov gmail com>
- To: Guido Trentalancia <guido trentalancia net>, networkmanager-list gnome org
- Subject: Re: [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux
- Date: Thu, 29 Sep 2016 14:52:40 +0000
Compile time checks for SELinux presence/status are simply wrong.
When SELinux is enabled, do not create a symbolic link to a "resolv.conf"
file outside /etc (e.g. in /var/run/NetworkManager), but instead create a
regular file in /etc.
This is to avoid creating policy permissions to read files in the other
non-standard "resolv.conf" directories for each application that needs to
access the network.
Thanks to Thomas Haller for suggesting that existing code can be reused
to achieve this.
Signed-off-by: Guido Trentalancia <guido trentalancia net>
---
src/dns-manager/nm-dns-manager.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 2016-08-24 15:09:03.000000000 +0200
+++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c 2016-09-29 14:48:44.646034942 +0200
@@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self,
FILE *f;
struct stat st;
gboolean success;
+ gboolean selinux = FALSE;
gs_free char *content = NULL;
SpawnResult write_file_result = SR_SUCCESS;
int errsv;
const char *rc_path = _PATH_RESCONF;
nm_auto_free char *rc_path_real = NULL;
+#ifdef HAVE_SELINUX
+ selinux = TRUE;
+#endif
+
/* If we are not managing /etc/resolv.conf and it points to
* MY_RESOLV_CONF, don't write the private DNS configuration to
* MY_RESOLV_CONF otherwise we would overwrite the changes done by
@@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self,
content = create_resolv_conf (searches, nameservers, options);
- if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
+ /* A symbolic link is avoided when SELinux is enabled because this
+ * would require changing the policy for each application requiring
+ * network access (i.e. networkmanager_read_pid_files() interface)
+ */
+ if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) {
GError *local = NULL;
rc_path_real = realpath (rc_path, NULL);
@@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self,
return SR_ERROR;
}
- if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
+ if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) {
_LOGT ("update-resolv-conf: write internal file %s succeeded (rc-manager=%s)",
rc_path, _rc_manager_to_string (rc_manager));
return write_file_result;
_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]