Compile time checks for SELinux presence/status are simply wrong.
On Thu, Sep 29, 2016 at 3:11 PM Guido Trentalancia <[email protected]> wrote: > When SELinux is enabled, do not create a symbolic link to a "resolv.conf" > file outside /etc (e.g. in /var/run/NetworkManager), but instead create a > regular file in /etc. > > This is to avoid creating policy permissions to read files in the other > non-standard "resolv.conf" directories for each application that needs to > access the network. > > Thanks to Thomas Haller for suggesting that existing code can be reused > to achieve this. > > Signed-off-by: Guido Trentalancia <[email protected]> > --- > src/dns-manager/nm-dns-manager.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > --- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c 2016-08-24 > 15:09:03.000000000 +0200 > +++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c 2016-09-29 > 14:48:44.646034942 +0200 > @@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self, > FILE *f; > struct stat st; > gboolean success; > + gboolean selinux = FALSE; > gs_free char *content = NULL; > SpawnResult write_file_result = SR_SUCCESS; > int errsv; > const char *rc_path = _PATH_RESCONF; > nm_auto_free char *rc_path_real = NULL; > > +#ifdef HAVE_SELINUX > + selinux = TRUE; > +#endif > + > /* If we are not managing /etc/resolv.conf and it points to > * MY_RESOLV_CONF, don't write the private DNS configuration to > * MY_RESOLV_CONF otherwise we would overwrite the changes done by 
> @@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self, > > content = create_resolv_conf (searches, nameservers, options); > > - if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) { > + /* A symbolic link is avoided when SELinux is enabled because this > + * would require changing the policy for each application requiring > + * network access (i.e. networkmanager_read_pid_files() interface) > + */ > + if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) { > GError *local = NULL; > > rc_path_real = realpath (rc_path, NULL); > @@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self, > return SR_ERROR; > } > > - if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) { > + if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux) { > _LOGT ("update-resolv-conf: write internal file %s > succeeded (rc-manager=%s)", > rc_path, _rc_manager_to_string (rc_manager)); > return write_file_result; > _______________________________________________ > networkmanager-list mailing list > [email protected] > https://mail.gnome.org/mailman/listinfo/networkmanager-list >
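Review bot: in the first hunk (@@ -671,12 +671,17 @@), `#ifdef HAVE_SELINUX selinux = TRUE; #endif` tests whether the binary was built against libselinux, not whether SELinux is enabled on the running system, so every distribution build that has libselinux available takes the new code path even on hosts running with SELinux disabled or with no policy loaded. Replace the compile-time constant with a runtime query inside the same guard, e.g. `selinux = is_selinux_enabled () > 0;` (libselinux is already linked whenever HAVE_SELINUX is defined), so that the symlink-versus-file decision follows the host's actual state rather than the build configuration.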
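Review bot: in the second hunk (@@ -696,7 +701,11 @@), `|| selinux` silently overrides a configured rc-manager other than file (the symlink case the commit message describes) and writes a regular /etc/resolv.conf, but nothing tells the administrator why: the only explanation is the code comment above the `if`. Add a log line when `selinux` forces the file path (an _LOGI at the point the override takes effect is enough) and document the override in the rc-manager description of NetworkManager.conf, otherwise users who configured a symlink will report the regular file as a bug.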
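Review bot: in the third hunk (@@ -770,7 +779,7 @@), the condition `rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux` is duplicated from the earlier hunk, and the trace message still prints `rc-manager=%s` via `_rc_manager_to_string (rc_manager)`, so when `selinux` forces this branch the log names the configured manager while a regular file was actually written. Compute the effective decision once near the top of update_resolv_conf (e.g. `gboolean write_file = rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux;`), use it in both places, and extend the message to say when the SELinux override applied so the log matches what was done.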
_______________________________________________ networkmanager-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/networkmanager-list
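The objection in the reply is that a build-time HAVE_SELINUX says only that the binary was compiled against libselinux, while whether SELinux is enabled on the host running it is a runtime question. As an added example (not NetworkManager code and not from either participant in the thread), the C program below separates the two. libselinux answers the runtime question in is_selinux_enabled() essentially by looking for a mounted selinuxfs; the helpers here reimplement that check over a caller-supplied /proc/self/mounts buffer so it can be exercised offline, then read <mountpoint>/enforce for the mode. The function names, the mode constants and the two sample mount tables are the example's own assumptions; the sample tables are constructed, not captured from a real host.

```c
/* Added example: runtime SELinux detection versus a compile-time HAVE_SELINUX.
 * Not NetworkManager code. Mirrors what libselinux's is_selinux_enabled()
 * does (find a mounted selinuxfs) over caller-supplied text so it runs offline. */
#include <stdio.h>
#include <string.h>

enum selinux_mode { SELINUX_DISABLED = -1, SELINUX_PERMISSIVE = 0, SELINUX_ENFORCING = 1 };

/* Constructed sample /proc/self/mounts contents (not from a real host). */
static const char MOUNTS_SELINUX_HOST[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
    "/dev/sda2 / xfs rw,relatime,seclabel 0 0\n";

static const char MOUNTS_PLAIN_HOST[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "/dev/sda2 / ext4 rw,relatime 0 0\n";

/* Scan text in /proc/self/mounts format ("<source> <mountpoint> <fstype> ...",
 * one mount per line, six fields each) for an entry whose fstype is selinuxfs.
 * Returns 1 and copies the mount point into mnt, or 0 when none is present. */
static int find_selinuxfs(const char *mounts, char *mnt, size_t mntlen)
{
    const char *line = mounts;
    while (*line) {
        char src[256], mp[256], fst[64];
        if (sscanf(line, "%255s %255s %63s", src, mp, fst) == 3 &&
            strcmp(fst, "selinuxfs") == 0) {
            snprintf(mnt, mntlen, "%s", mp);
            return 1;
        }
        const char *eol = strchr(line, '\n');
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Convenience wrapper: the selinuxfs mount point, or NULL when not mounted. */
static const char *selinuxfs_mountpoint(const char *mounts)
{
    static char mnt[256];
    return find_selinuxfs(mounts, mnt, sizeof mnt) ? mnt : NULL;
}

/* Decide the mode from a mounts buffer and the contents of <mnt>/enforce
 * ("0" or "1"). enforce_contents may be NULL when selinuxfs is absent. */
static int selinux_mode(const char *mounts, const char *enforce_contents)
{
    if (!selinuxfs_mountpoint(mounts))
        return SELINUX_DISABLED;
    if (enforce_contents && enforce_contents[0] == '1')
        return SELINUX_ENFORCING;
    return SELINUX_PERMISSIVE;
}

/* Read a small file into buf; returns buf or NULL if it cannot be opened. */
static char *slurp(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return buf;
}

/* The runtime answer for the host this runs on: the value a compile-time
 * HAVE_SELINUX can never provide. */
static int selinux_runtime_mode(void)
{
    static char mounts[16384], enforce[8], path[300];
    const char *mnt;
    if (!slurp("/proc/self/mounts", mounts, sizeof mounts))
        return SELINUX_DISABLED;
    mnt = selinuxfs_mountpoint(mounts);
    if (!mnt)
        return SELINUX_DISABLED;
    snprintf(path, sizeof path, "%s/enforce", mnt);
    return selinux_mode(mounts, slurp(path, enforce, sizeof enforce));
}

int main(void)
{
#ifdef HAVE_SELINUX
    puts("built against libselinux (HAVE_SELINUX): says nothing about this host");
#else
    puts("built without libselinux: says nothing about this host either");
#endif
    printf("constructed SELinux host, enforce=1: mode %d\n",
           selinux_mode(MOUNTS_SELINUX_HOST, "1"));
    printf("constructed plain host:             mode %d\n",
           selinux_mode(MOUNTS_PLAIN_HOST, NULL));
    printf("this host at runtime:               mode %d\n", selinux_runtime_mode());
    return 0;
}
```

Compile once with and once with `-DHAVE_SELINUX` and the first line changes while the runtime result does not: the build flag and the host state are independent. In the patch's setting the equivalent is to call is_selinux_enabled() from <selinux/selinux.h> inside the existing HAVE_SELINUX guard rather than setting the flag to TRUE unconditionally.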
