Re: [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux

Run-time checks are wrong because they leave the filesystem in a state that is not usable when SELinux goes back into enforcing mode.

Compile-time checks have no side effects and in any case are better than the bug!

The patch tries to be conservative... But I am fine with removing the symbolic link creation code completely, so that it always creates a normal file.


On the 29th September 2016 16:52:40 CEST, Jetchko Jekov <jetchko jekov gmail com> wrote:
Compile time checks for SELinux presence/status are simply wrong.

On Thu, Sep 29, 2016 at 3:11 PM Guido Trentalancia <guido trentalancia net>

When SELinux is enabled, do not create a symbolic link to a file outside /etc (e.g. in /var/run/NetworkManager), but instead create a regular file in /etc.

This is to avoid creating policy permissions to read files in the non-standard "resolv.conf" directories for each application that needs to access the network.

Thanks to Thomas Haller for suggesting that existing code can be to achieve this.

Signed-off-by: Guido Trentalancia <guido trentalancia net>
 src/dns-manager/nm-dns-manager.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 
15:09:03.000000000 +0200
+++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c      
14:48:44.646034942 +0200
@@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self,
        FILE *f;
        struct stat st;
        gboolean success;
+       gboolean selinux = FALSE;
        gs_free char *content = NULL;
        SpawnResult write_file_result = SR_SUCCESS;
        int errsv;
        const char *rc_path = _PATH_RESCONF;
        nm_auto_free char *rc_path_real = NULL;

+       selinux = TRUE;
        /* If we are not managing /etc/resolv.conf and it points to
         * MY_RESOLV_CONF, don't write the private DNS configuration
         * MY_RESOLV_CONF otherwise we would overwrite the changes
done by
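Review bot: in the lines shown, `selinux = TRUE;` is assigned unconditionally right after the declaration, so the `gboolean selinux = FALSE;` initializer is dead and every build takes the regular-file branch whether or not SELinux is present on the system. If this assignment is meant to sit under a preprocessor conditional on the SELinux build option (the quoting may have dropped the `#if`/`#endif` lines), those lines need to be part of the hunk so the intended behaviour can actually be reviewed; if it is not, the variable and the two `|| selinux` tests add nothing over simply deleting the symlink path.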
@@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self,

        content = create_resolv_conf (searches, nameservers,

-       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
+       /* A symbolic link is avoided when SELinux is enabled because
+        * would require changing the policy for each application
+        * network access (i.e. networkmanager_read_pid_files()
+        */
+       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE ||
selinux) {
                GError *local = NULL;

                rc_path_real = realpath (rc_path, NULL);
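Review bot: the new comment block does not parse as English and leaves a parenthesis open ("because would require changing the policy for each application network access (i.e. networkmanager_read_pid_files()"); spell out the subject and close it, along the lines of the commit message, e.g. "A symbolic link is avoided when SELinux is enabled because it would require granting every application that needs network access read permission on the private directory (i.e. the networkmanager_read_pid_files() interface)". As written, a reader of the code cannot tell what the policy cost being avoided is.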
@@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self,
                return SR_ERROR;

-       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
+       if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE ||
selinux) {
                _LOGT ("update-resolv-conf: write internal file %s
succeeded (rc-manager=%s)",
                       rc_path, _rc_manager_to_string (rc_manager));
                return write_file_result;
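Review bot: when `selinux` is what forces this branch, the `_LOGT` message still reports only `rc-manager=%s`, so a trace from a system whose configured rc-manager is the symlink mode will say the internal file write succeeded with no hint that SELinux overrode the configured mode; include the override in the message, or log it once where `selinux` is set. Also, `rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux` is now written out in two places; computing it once up front (e.g. `gboolean write_plain_file = (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux);`) and testing that in both `if`s keeps the two branches from drifting apart.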