Bug 122968
| Summary: | Under selinux, PEERDNS=yes does not work for ppp. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aleksey Nogin <aleksey> |
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | notting, pgraner, twoerner |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-07-20 12:36:18 UTC | Type: | --- |
Description
Aleksey Nogin
2004-05-10 19:53:44 UTC
I still can not get PEERDNS=yes to work with ppp and SELinux. It is possible that in addition to policy changes, ppp and/or ppp scripts from initscripts need to be changed to be more SELinux-friendly.

Policy:
- pppd.fc needs to be updated as stated above,
- pppd.te needs to include at least
    allow pppd_t net_conf_t:file { write };

Scripts or pppd:
Saving to /etc/resolv.conf.save is not the best idea, since "allow pppd_t etc_t:dir { write };" is too much, and w/o it pppd can not remove the saved file. A possible solution would be to have a transition from pppd_t to a more appropriate domain on execution of /etc/ppp/ip-up and similar scripts.

As I said, I have not gotten it to work correctly, so I might be missing something else.

I've added the following to the local policy:

    allow pppd_t net_conf_t:file { write setattr };
    allow pppd_t tmp_t:dir { getattr search write add_name remove_name };
    allow pppd_t tmp_t:file { create append getattr read };
    allow pppd_t var_run_t:file { getattr };
    allow pppd_t pppd_t:file { read getattr };

and PEERDNS now works for PPP.

Fixed in selinux-policy-strict-1.13.2-7.src.rpm

Fixed in Rawhide
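
An added example, not part of the bug report or of the Fedora policy: a small Python check that parses the allow rules quoted in this bug and flags those granting modifying permissions on types that many domains share, which is the concern raised above about `etc_t:dir { write }`. The `SHARED_TYPES` and `MODIFYING` sets are assumptions chosen for illustration, and the rule text is copied from the comments above as constructed input.

```python
import re

# Constructed input: allow rules quoted in this bug. The first is the rule
# the reporter rejects as "too much"; the rest are the local workaround.
RULES = """
allow pppd_t etc_t:dir { write };
allow pppd_t net_conf_t:file { write setattr };
allow pppd_t tmp_t:dir { getattr search write add_name remove_name };
allow pppd_t tmp_t:file { create append getattr read };
allow pppd_t var_run_t:file { getattr };
allow pppd_t pppd_t:file { read getattr };
"""

# Assumption: types treated as shared by many domains for this review.
SHARED_TYPES = {"etc_t", "tmp_t", "var_run_t"}
# Assumption: permissions that change what a directory or file contains.
MODIFYING = {
    "dir": {"write", "add_name", "remove_name", "rmdir", "rename", "setattr"},
    "file": {"write", "append", "create", "unlink", "rename", "setattr"},
}

# Matches simple rules: allow SRC TGT:CLASS { perms }; or a single perm.
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;"
)

def parse_rules(text):
    """Return (source, target, tclass, perms) for each simple allow rule."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        rules.append((src, tgt, cls, perms))
    return rules

def broad_grants(rules):
    """Flag rules that give modifying permissions on a shared type."""
    findings = []
    for src, tgt, cls, perms in rules:
        risky = perms & MODIFYING.get(cls, set())
        if tgt in SHARED_TYPES and risky:
            findings.append((src, tgt, cls, sorted(risky)))
    return findings

if __name__ == "__main__":
    for src, tgt, cls, risky in broad_grants(parse_rules(RULES)):
        print(f"{src} -> {tgt}:{cls} grants {' '.join(risky)}")
```

The `net_conf_t` rule is not flagged because that type labels only the resolver configuration, while the `tmp_t` rules are flagged for the same reason as the rejected `etc_t` rule.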