Hello.

On Thu, 29/09/2016 at 18.25 +0200, Thomas Haller wrote:
> On Thu, 2016-09-29 at 18:01 +0200, Guido Trentalancia wrote:
> > On Thu, 29/09/2016 at 17.52 +0200, Michael Biebl wrote:
> > > On 29.09.2016 at 17:33, Guido Trentalancia wrote:
> > > > On Thu, 29/09/2016 at 17.29 +0200, Michael Biebl wrote:
> > > > > On 29.09.2016 at 17:11, Guido Trentalancia wrote:
> > > > > > Run-time checks are wrong because they leave the filesystem
> > > > > > in a state that is not usable when SELinux goes back into
> > > > > > enforcing mode.
> > > > > >
> > > > > > Compile-time checks have no side effects and in any case are
> > > > > > better than the bug!
> > > > >
> > > > > Debian enables selinux support during compile time but we do
> > > > > not enable selinux by default.
> > > > >
> > > > > So the side-effect of this patch would be that suddenly NM
> > > > > would use files instead of symlinks on Debian.
> > > >
> > > > This is not a side-effect in my opinion, but an added benefit
> > > > because there is no good reason for using a symbolic link.
> > >
> > > So you want to get rid of the symbolic link altogether and selinux
> > > is only a diversion?
> >
> > I am in favor of getting rid completely of the symbolic link
> > creation, but this is outside of the scope of a simple patch created
> > as a quick fix of an existing bug.
> >
> > I'll leave more extensive changes to the author... They are not
> > strictly required for running NetworkManager.
> >
> > Guido
>
> Hi Guido,
>
> I don't see what is there to fix here.
>
> If you dislike the setting, configure rc-manager=file (it is here to
> be configured by the user).

It's not about liking or disliking something. It's more something to do with having a program that works out of the box in a natural way. It would fix the problem only locally. It's tricky, other users in the future would experience the same problem.

> If you build NM yourself, configure
> --with-config-dns-rc-manager-default=file and have the setting to be
> the default (or fix your selinux policy).

Changing the SELinux policy is not the right move. The policy is fine as it is. There should be no need to read NetworkManager files in /var/run in order to use the network.

> If your distro enables SELinux, it should either fix their selinux
> policy or again build NM with
> --with-config-dns-rc-manager-default=file.

They are both artificial and tricky ways of getting the program to work. The patch that I proposed avoids the need to use tricky and difficult-to-find configuration options and allows the program to work in a natural way with the default configure options. But, if you don't like it, just don't use it.

> Using a symlink by default IMO makes a lot of sense, because this way
> NM announces that it is in charge of managing resolv.conf. If you
> manually change resolv.conf to be a symlink to anywhere else, NM will
> automatically understand that it is not supposed to touch the symlink,
> without requiring additional configuration from you.

On a normal system the resolv.conf file is just a normal file. Using symbolic links in my opinion is not the way forward. And the problems arising with SELinux are just a demonstration of that.

> This way, multiple management daemons can cooperate in who is in
> charge of configuring resolv.conf.

There are other ways of achieving that, without the problems introduced by using symbolic links. However, if you don't like the patch or do not think it is useful, just do not use it.

Regards,
Guido
