Re: [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux

[Guido Trentalancia <guido trentalancia net>]

Run-time checks are wrong because they leave the filesystem in a state that is not usable when SELinux goes 
back into enforcing mode.

Compile-time checks have no side effects and in any case are better than the bug!

The patch tries to be conservative... But I am fine with removing the symbolic link creation code completely, 
so that it always create a normal file. 

Guido 

On the 29th September 2016 16:52:40 CEST, Jetchko Jekov <jetchko jekov gmail com> wrote:
> Compile time checks for SELinux presence/status are simply wrong.
>
>
> On Thu, Sep 29, 2016 at 3:11 PM Guido Trentalancia
> <guido trentalancia net>
> wrote:
>
> > When SELinux is enabled, do not create a symbolic link to a
> "resolv.conf"
> > file outside /etc (e.g. in /var/run/NetworkManager), but instead
> create a
> > regular file in /etc.
> >
> > This is to avoid creating policy permissions to read files in the
> other
> > non-standard "resolv.conf" directories for each application that
> needs to
> > access the network.
> >
> > Thanks to Thomas Haller for suggesting that existing code can be
> reused
> > to achieve this.
> >
> > Signed-off-by: Guido Trentalancia <guido trentalancia net>
> > ---
> >  src/dns-manager/nm-dns-manager.c |   13 +++++++++++--
> >  1 file changed, 11 insertions(+), 2 deletions(-)
> >
> > --- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 
> 2016-08-24
> > 15:09:03.000000000 +0200
> > +++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c      
> 2016-09-29
> > 14:48:44.646034942 +0200
> > @@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self,
> >         FILE *f;
> >         struct stat st;
> >         gboolean success;
> > +       gboolean selinux = FALSE;
> >         gs_free char *content = NULL;
> >         SpawnResult write_file_result = SR_SUCCESS;
> >         int errsv;
> >         const char *rc_path = _PATH_RESCONF;
> >         nm_auto_free char *rc_path_real = NULL;
> >
> > +#ifdef HAVE_SELINUX
> > +       selinux = TRUE;
> > +#endif
> > +
> >         /* If we are not managing /etc/resolv.conf and it points to
> >          * MY_RESOLV_CONF, don't write the private DNS configuration
> to
> >          * MY_RESOLV_CONF otherwise we would overwrite the changes
> done by
> > @@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self,
> >
> >         content = create_resolv_conf (searches, nameservers,
> options);
> > -       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
> > +       /* A symbolic link is avoided when SELinux is enabled because
> this
> > +        * would require changing the policy for each application
> requiring
> > +        * network access (i.e. networkmanager_read_pid_files()
> interface)
> > +        */
> > +       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE ||
> selinux) {
> >                 GError *local = NULL;
> >
> >                 rc_path_real = realpath (rc_path, NULL);
> > @@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self,
> >                 return SR_ERROR;
> >         }
> >
> > -       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
> > +       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE ||
> selinux) {
> >                 _LOGT ("update-resolv-conf: write internal file %s
> > succeeded (rc-manager=%s)",
> >                        rc_path, _rc_manager_to_string (rc_manager));
> >                 return write_file_result;
> > _______________________________________________
> > networkmanager-list mailing list
> > networkmanager-list gnome org
> > https://mail.gnome.org/mailman/listinfo/networkmanager-list