When SELinux is enabled, do not create a symbolic link to a "resolv.conf" file outside /etc (e.g. in /var/run/NetworkManager), but instead create a regular file in /etc.
This is to avoid creating policy permissions to read files in the other non-standard "resolv.conf" directories for each application that needs to access the network. Thanks to Thomas Haller for suggesting that existing code can be reused to achieve this. Signed-off-by: Guido Trentalancia <[email protected]> --- src/dns-manager/nm-dns-manager.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) --- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 2016-08-24 15:09:03.000000000 +0200 +++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c 2016-09-29 14:48:44.646034942 +0200 @@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self, FILE *f; struct stat st; gboolean success; + gboolean selinux = FALSE; gs_free char *content = NULL; SpawnResult write_file_result = SR_SUCCESS; int errsv; const char *rc_path = _PATH_RESCONF; nm_auto_free char *rc_path_real = NULL; +#ifdef HAVE_SELINUX + selinux = TRUE; +#endif + /* If we are not managing /etc/resolv.conf and it points to * MY_RESOLV_CONF, don't write the private DNS configuration to * MY_RESOLV_CONF otherwise we would overwrite the changes done by @@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self, content = create_resolv_conf (searches, nameservers, options); - if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) { + /* A symbolic link is avoided when SELinux is enabled because this + * would require changing the policy for each application requiring + * network access (i.e. networkmanager_read_pid_files() interface) + */ + if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) { GError *local = NULL; rc_path_real = realpath (rc_path, NULL); 
@@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self, return SR_ERROR; } - if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) { + if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) { _LOGT ("update-resolv-conf: write internal file %s succeeded (rc-manager=%s)", rc_path, _rc_manager_to_string (rc_manager)); return write_file_result; _______________________________________________ networkmanager-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/networkmanager-list
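Review bot: in the first hunk (@@ -671), `selinux` is derived from `#ifdef HAVE_SELINUX`, which is a build-time option and not a runtime check, so a build with SELinux support running on a host where SELinux is disabled is still forced into the regular-file mode, which does not match the "When SELinux is enabled" wording of the commit message. Consider keeping the `#ifdef` but assigning the result of a runtime query from libselinux inside it, e.g. `selinux = is_selinux_enabled () > 0;`, so the symlink mode is only overridden where the policy problem actually exists. The variable could also be declared `gboolean selinux = FALSE;` and set in one place rather than split between the declaration and a separate preprocessor block.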
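Review bot: the second hunk (@@ -696) silently overrides the administrator's configured rc-manager without recording that fact; `rc_manager` still holds the symlink value while the code takes the file branch, and the same `|| selinux` condition has to be repeated at every site that tests the mode. It would be less error-prone to decide the effective mode once, before this point, e.g. `if (selinux) rc_manager = NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE;` together with a debug log line saying that SELinux forced file mode, so that later comparisons and log output all see the real mode. The rc-manager documentation in NetworkManager.conf should also be updated to describe this SELinux-specific behaviour.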
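Review bot: in the third hunk (@@ -770) the `_LOGT` message reports `_rc_manager_to_string (rc_manager)`, so when the file branch is taken only because `selinux` is TRUE the trace line will still print the configured symlink mode even though a regular file was written to `rc_path`. Either print the effective mode here or fold the SELinux override into `rc_manager` itself so that the logged value matches what was actually done; otherwise anyone debugging resolv.conf handling on an SELinux host will be misled by the log.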
