Run-time checks are wrong because they leave the filesystem in a state that is not usable when SELinux goes back into enforcing mode.
Compile-time checks have no side effects and in any case are better than the bug! The patch tries to be conservative... But I am fine with removing the symbolic link creation code completely, so that it always creates a normal file.

Guido

On the 29th September 2016 16:52:40 CEST, Jetchko Jekov <[email protected]> wrote:
>Compile time checks for SELinux presence/status are simply wrong.
>
>
>On Thu, Sep 29, 2016 at 3:11 PM Guido Trentalancia <[email protected]> wrote:
>
>> When SELinux is enabled, do not create a symbolic link to a "resolv.conf"
>> file outside /etc (e.g. in /var/run/NetworkManager), but instead create a
>> regular file in /etc.
>>
>> This is to avoid creating policy permissions to read files in the other
>> non-standard "resolv.conf" directories for each application that needs to
>> access the network.
>>
>> Thanks to Thomas Haller for suggesting that existing code can be reused
>> to achieve this.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> src/dns-manager/nm-dns-manager.c | 13 +++++++++++--
>> 1 file changed, 11 insertions(+), 2 deletions(-)
>>
>> --- NetworkManager-1.4.0-orig/src/dns-manager/nm-dns-manager.c >2016-08-24 >> 15:09:03.000000000 +0200 >> +++ NetworkManager-1.4.0/src/dns-manager/nm-dns-manager.c >2016-09-29 >> 14:48:44.646034942 +0200 >> @@ -671,12 +671,17 @@ update_resolv_conf (NMDnsManager *self, >> FILE *f; >> struct stat st; >> gboolean success; >> + gboolean selinux = FALSE; >> gs_free char *content = NULL; >> SpawnResult write_file_result = SR_SUCCESS; >> int errsv; >> const char *rc_path = _PATH_RESCONF; >> nm_auto_free char *rc_path_real = NULL; >> >> +#ifdef HAVE_SELINUX >> + selinux = TRUE; >> +#endif >> + >> /* If we are not managing /etc/resolv.conf and it points to >> * MY_RESOLV_CONF, don't write the private DNS configuration >to >> * MY_RESOLV_CONF otherwise we would overwrite the changes >done by 
>> @@ -696,7 +701,11 @@ update_resolv_conf (NMDnsManager *self, >> >> content = create_resolv_conf (searches, nameservers, >options); >> >> - if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) { >> + /* A symbolic link is avoided when SELinux is enabled because >this >> + * would require changing the policy for each application >requiring >> + * network access (i.e. networkmanager_read_pid_files() >interface) >> + */ >> + if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || >selinux) { >> GError *local = NULL; >> >> rc_path_real = realpath (rc_path, NULL); >> @@ -770,7 +779,7 @@ update_resolv_conf (NMDnsManager *self, >> return SR_ERROR; >> } >> >> - if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) { >> + if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || >selinux) { >> _LOGT ("update-resolv-conf: write internal file %s >> succeeded (rc-manager=%s)", >> rc_path, _rc_manager_to_string (rc_manager)); >> return write_file_result; >> _______________________________________________ >> networkmanager-list mailing list >> [email protected] >> https://mail.gnome.org/mailman/listinfo/networkmanager-list
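Review bot: in the @@ -671 hunk, `selinux` is derived from `#ifdef HAVE_SELINUX`, i.e. from whether the binary was built with SELinux support, not from whether SELinux is present or enabled on the running host, so a HAVE_SELINUX build takes the regular-file path even on a machine with SELinux disabled or absent; the variable name and the later comment ("when SELinux is enabled") should say "built with SELinux support" so readers of the code do not assume a runtime test. The two-step `gboolean selinux = FALSE;` followed by `selinux = TRUE;` under `#ifdef` also reads like a runtime assignment; declaring it once as `const gboolean selinux = TRUE;` / `FALSE;` inside an `#ifdef HAVE_SELINUX` / `#else` pair makes the compile-time nature explicit and lets the compiler drop the dead branch.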
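Review bot: in the @@ -696 hunk, `|| selinux` sends every rc_manager value other than NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE into the write-a-regular-file branch, not only the symlink case the new comment describes, so on a HAVE_SELINUX build a user who configured a different rc-manager has that choice silently overridden with no log message. Either restrict the override to the symlink manager (`rc_manager == <the symlink enum value> && selinux`, assuming this version has such a value, which the hunk does not show) or state in the comment that all non-file managers are overridden. The comment should also say which policy the "networkmanager_read_pid_files() interface" belongs to, since it names an SELinux policy interface rather than anything in this file.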
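Review bot: in the @@ -770 hunk, the `_LOGT` message still prints `_rc_manager_to_string (rc_manager)`, so when the branch is entered because of `selinux` rather than MAN_FILE it reports a manager that was not actually used, which will mislead anyone debugging why /etc/resolv.conf is a regular file; include the override in the message (e.g. an extra `selinux ? " (forced by SELinux build)" : ""` argument). The condition is now a copy of the one at @@ -696; evaluating it once before the first use (`gboolean write_file = rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE || selinux;`) and testing `write_file` in both places keeps the two from drifting apart in later edits.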
