Hello Thomas.

On 29/09/2016 at 11.51 +0200, Thomas Haller wrote:
> On Thu, 2016-09-29 at 09:17 +0200, Beniamino Galvani wrote:
> > On Thu, Sep 29, 2016 at 02:06:58AM +0200, Guido Trentalancia wrote:
> > > When SELinux is enabled, do not create a symbolic link to a
> > > "resolv.conf" file outside /etc (e.g. in /var/run/NetworkManager),
> > > but instead create a regular file in /etc.
> > >
> > > This is to avoid creating policy permissions to read files in the
> > > other non-standard "resolv.conf" directories for each application
> > > that needs to access the network.
> >
> > Hi,
> >
> > the patch seems to reimplement what rc-manager=file already does, with
> > the difference that the patch will hardcode a behavior at build time
> > when HAVE_SELINUX is set.
> >
> > Can't you simply set 'rc-manager=file' in NetworkManager.conf to
> > achieve the same result? If you prefer you can also have that option
> > enabled by default by building NetworkManager with
> >
> > ./configure --with-config-dns-rc-manager-default=file
> >
> > Ben
>
> Hi,
>
> I think so too.
>
> The selinux-policy is very much coupled to the services that are
> expected to run and the files those services use.
>
> If your service does a certain thing that the selinux policy doesn't
> allow you have two options:
> - extend the selinux policy
> - configure the service not to do that.
>
> The latter can be already done via rc-manager=file (which also can be
> configured to be compile-time default).
Thanks very much for pointing this out. I think it is a good thing to reuse existing code.

However, I still think that creating a symbolic link instead of a regular file for /etc/resolv.conf is a very bad idea and SELinux shows this! That's why, in my opinion, NetworkManager still needs to be patched so that it works properly out of the box on SELinux-enabled systems.

That said, I am going to post a new version of the patch, which reuses the existing code...

Regards,

Guido

_______________________________________________
networkmanager-list mailing list
https://mail.gnome.org/mailman/listinfo/networkmanager-list
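As an added illustration (not code from the thread or from NetworkManager), the following shell check tells an administrator which of the two layouts discussed above a host is using: a regular /etc/resolv.conf as rc-manager=file produces, or a symlink into a directory outside /etc such as /var/run/NetworkManager, the case that needs extra SELinux policy for every network-using domain. It goes slightly beyond the thread by also distinguishing a symlink that stays within /etc, and it takes a root directory argument so it can be run against a constructed test tree rather than the live system.

```shell
# Added example, not from the thread: classify the /etc/resolv.conf layout
# under a given root directory (default: the live system) and suggest the
# NetworkManager.conf setting the thread recommends when the symlink layout
# would otherwise require extending the SELinux policy.

# resolv_layout ROOT -> "file", "symlink-in-etc", "symlink-outside-etc" or "missing"
resolv_layout() {
    root="${1:-}"
    rc="$root/etc/resolv.conf"
    if [ -L "$rc" ]; then
        target=$(readlink "$rc")
        # A relative link target is resolved against /etc, where the link lives.
        case "$target" in
            /*) abs="$target" ;;
            *)  abs="/etc/$target" ;;
        esac
        case "$abs" in
            /etc/*) echo "symlink-in-etc" ;;
            *)      echo "symlink-outside-etc" ;;
        esac
    elif [ -f "$rc" ]; then
        echo "file"
    else
        echo "missing"
    fi
}

# Only a link pointing outside /etc needs the change the thread suggests;
# a regular file is already what rc-manager=file would write.
suggest_rc_manager() {
    case "$(resolv_layout "$1")" in
        symlink-outside-etc) echo "rc-manager=file" ;;
        *)                   echo "no change needed" ;;
    esac
}

# Constructed fixture (not a real host): two fake roots, one per layout.
# The symlink target mirrors the /var/run/NetworkManager path named in the thread.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/symlink/etc" "$base/symlink/var/run/NetworkManager" "$base/file/etc"
    echo "nameserver 192.0.2.1" > "$base/symlink/var/run/NetworkManager/resolv.conf"
    ln -s /var/run/NetworkManager/resolv.conf "$base/symlink/etc/resolv.conf"
    echo "nameserver 192.0.2.1" > "$base/file/etc/resolv.conf"
    echo "$base"
}
```

Run `suggest_rc_manager` with no argument to check the live system; the fixture is only for exercising the functions offline.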
