When SELinux is enabled, do not create a symbolic link to a "resolv.conf" file outside /etc (e.g. in /var/run/NetworkManager), but instead create a regular file in /etc.
This is to avoid creating policy permissions to read files in the other non-standard "resolv.conf" directories for each application that needs to access the network.
Signed-off-by: Guido Trentalancia <[email protected]>
---
src/dns-manager/nm-dns-manager.c | 39 +++++++++++++++++++++++++++++++++++++--
1 file changed, 37 insertions(+), 2 deletions(-)
--- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 2016-08-24 15:09:03.000000000 +0200
+++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c 2016-09-28 18:43:11.261469294 +0200
@@ -845,21 +845,56 @@ update_resolv_conf (NMDnsManager *self,
 return SR_ERROR;
 }
 
+ /* A symbolic link is avoided when SELinux is enabled because this
+ * would require changing the policy for each application requiring
+ * network access (i.e. networkmanager_read_pid_files() interface)
+ */
+#ifndef HAVE_SELINUX
 if (symlink (MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
+#else
+ if (rename (MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
+#endif
 errsv = errno;
 g_set_error (error,
 NM_MANAGER_ERROR,
 NM_MANAGER_ERROR_FAILED,
+#ifndef HAVE_SELINUX
 "Could not create symlink %s pointing to %s: %s",
- RESOLV_CONF_TMP,
- MY_RESOLV_CONF,
+ RESOLV_CONF_TMP,
+ MY_RESOLV_CONF,
+#else
+ "Could not rename %s to %s: %s",
+ MY_RESOLV_CONF,
+ RESOLV_CONF_TMP,
+#endif
 g_strerror (errsv));
 _LOGT ("update-resolv-conf: write internal file %s succeeded "
+#ifndef HAVE_SELINUX
 "but failed to symlink %s: %s",
+#else
+ "but failed to rename it to %s: %s",
+#endif
 MY_RESOLV_CONF, RESOLV_CONF_TMP, g_strerror (errsv));
 return SR_ERROR;
 }
 
+#ifdef HAVE_SELINUX
+ if (link (_PATH_RESCONF, MY_RESOLV_CONF) == -1) {
+ errsv = errno;
+ g_set_error (error,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_FAILED,
+ "Could not create hard link %s pointing to %s: %s",
+ RESOLV_CONF_TMP,
+ MY_RESOLV_CONF,
+ g_strerror (errsv));
+ _LOGT ("update-resolv-conf: write internal file %s succeeded "
+ "but failed to hard link %s: %s",
+ MY_RESOLV_CONF, RESOLV_CONF_TMP, g_strerror (errsv));
+ return SR_ERROR;
+ }
+#endif
+
 if (rename (RESOLV_CONF_TMP, _PATH_RESCONF) == -1) {
 errsv = errno;
 g_set_error (error,
_______________________________________________ networkmanager-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/networkmanager-list
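Review bot: The hard link created under `#ifdef HAVE_SELINUX` is taken from `_PATH_RESCONF` before the final `rename (RESOLV_CONF_TMP, _PATH_RESCONF)` installs the new file, so `MY_RESOLV_CONF` ends up referring to the previous resolv.conf inode, which that rename then orphans, while the freshly written contents were already moved away by `rename (MY_RESOLV_CONF, RESOLV_CONF_TMP)`. If `MY_RESOLV_CONF` is still meant to mirror the installed file, the `link()` has to run after the final rename succeeds (that rename's error handling continues past the end of the hunk), and its error message should name what it actually attempted, e.g. `"Could not create hard link %s pointing to %s: %s", MY_RESOLV_CONF, _PATH_RESCONF`, instead of reusing the `RESOLV_CONF_TMP`/`MY_RESOLV_CONF` pair from the symlink branch. Both `link()` and `rename()` fail with EXDEV across filesystems, so if the internal file lives under /var/run on a separate tmpfs, as the description suggests, this whole branch would fail on such systems and the internal file would need to be written inside /etc instead; this is inferred, since the definitions of `MY_RESOLV_CONF` and `RESOLV_CONF_TMP` are not visible here. The description says "when SELinux is enabled", but the behaviour is chosen at build time by `HAVE_SELINUX`, so a build with SELinux support running with SELinux disabled still loses the symlink; a runtime check (for instance libselinux's `is_selinux_enabled()`) would match the stated intent and should be noted in the comment above the `#ifndef`.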
