Re: [PATCH v3] Do not use /etc/resolv.conf symbolic links on SELinux



On 29.09.2016 at 18:01, Guido Trentalancia wrote:
> On Thu, 29/09/2016 at 17.52 +0200, Michael Biebl wrote:
>> On 29.09.2016 at 17:33, Guido Trentalancia wrote:
>>> On Thu, 29/09/2016 at 17.29 +0200, Michael Biebl wrote:
>>>> On 29.09.2016 at 17:11, Guido Trentalancia wrote:
>>>>> Run-time checks are wrong because they leave the filesystem in a
>>>>> state that is not usable when SELinux goes back into enforcing mode.
>>>>>
>>>>> Compile-time checks have no side effects and in any case are better
>>>>> than the bug!
>>>>
>>>> Debian enables selinux support during compile time but we do not enable
>>>> selinux by default.
>>>>
>>>> So the side-effect of this patch would be that suddenly NM would use
>>>> files instead of symlinks on Debian.
>>>
>>> This is not a side-effect in my opinion, but an added benefit because
>>> there is no good reason for using a symbolic link.
>>
>> So you want to get rid of the symbolic link altogether and selinux is
>> only a diversion?
>
> I am in favor of getting rid completely of the symbolic link creation,
> but this is outside of the scope of a simple patch created as a quick
> fix of an existing bug.
>
> I'll leave more extensive changes to the author... They are not
> strictly required for running NetworkManager.

How do resolvconf/openresolv or resolved/networkd handle this? They use
a file in /run as well and /etc/resolv.conf being a symlink to that file.
I know basically zero about selinux but I would assume there is a way to
get the selinux labelling right otherwise they would be broken as well.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
