Bug 122968

Summary: Under selinux, PEERDNS=yes does not work for ppp.
Product: [Fedora] Fedora
Reporter: Aleksey Nogin <aleksey>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: notting, pgraner, twoerner
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-07-20 12:36:18 UTC

Description Aleksey Nogin 2004-05-10 19:53:44 UTC
When pppd is used with the usepeerdns option (e.g. when PEERDNS is set
to yes in the corresponding ifcfg-xyz file), then pppd would write to
/etc/ppp/resolv.conf. However, currently file_contexts marks this file
with a default pppd_etc_t, instead of the more appropriate pppd_etc_rw_t.

In short, the following line needs to be added to pppd.fc:

/etc/ppp/resolv\.conf --   system_u:object_r:pppd_etc_rw_t

Comment 1 Aleksey Nogin 2004-05-12 05:30:31 UTC
I still cannot get PEERDNS=yes to work with ppp and SELinux. It is
possible that in addition to policy changes, ppp and/or the ppp scripts
from initscripts need to be changed to be more SELinux-friendly.

Policy:
- pppd.fc needs to be updated as stated above,
- pppd.te needs to include at least
  allow pppd_t net_conf_t:file { write };

Scripts or pppd:
Saving to /etc/resolv.conf.save is not the best idea, since "allow
pppd_t etc_t:dir { write };" is too much, and without it pppd cannot
remove the saved file.

A possible solution would be to have a transition from pppd_t to a
more appropriate domain on execution of /etc/ppp/ip-up and similar
scripts.

As I said, I have not gotten it to work correctly, so I might be
missing something else.

Comment 2 Aleksey Nogin 2004-05-15 18:22:13 UTC
I've added the following to the local policy:

allow pppd_t net_conf_t:file { write setattr };
allow pppd_t tmp_t:dir { getattr search write add_name remove_name };
allow pppd_t tmp_t:file { create append getattr read };
allow pppd_t var_run_t:file { getattr };
allow pppd_t pppd_t:file { read getattr };

and PEERDNS now works for PPP.
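
The following is an added example, not part of this bug report or of the Fedora policy. It parses the two policy fragments under discussion (a file_contexts entry like the one proposed in the description, and allow rules like those in comment 2) and shows why the relabel matters: without the /etc/ppp/resolv\.conf line the file inherits pppd_etc_t from the /etc/ppp(/.*)? entry and a write by pppd_t is denied; with it the file gets pppd_etc_rw_t and the write is allowed. The /etc/ppp(/.*)? and /etc/resolv\.conf entries, the pppd_etc_t and pppd_etc_rw_t allow rules, and the "longest literal prefix wins" ordering heuristic are assumptions made for this example; only the resolv.conf line and the net_conf_t rule come from the report.

```python
import re

# Constructed file_contexts(5) fragment, assumed for this example (not the real
# pppd.fc). The proposed line from the bug description is appended separately.
FC_BEFORE = r"""
/etc/ppp(/.*)?              system_u:object_r:pppd_etc_t
/etc/resolv\.conf       --  system_u:object_r:net_conf_t
"""
PROPOSED_LINE = r"/etc/ppp/resolv\.conf   --  system_u:object_r:pppd_etc_rw_t"
FC_AFTER = FC_BEFORE + PROPOSED_LINE + "\n"

# Constructed allow rules. The net_conf_t rule is quoted from comment 2; the
# pppd_etc_t / pppd_etc_rw_t rules are assumptions about what the policy grants.
PPPD_TE = """
allow pppd_t pppd_etc_t:file { read getattr };
allow pppd_t pppd_etc_rw_t:file { read write getattr setattr };
allow pppd_t net_conf_t:file { write setattr };
"""

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")
ALLOW_LINE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;$")
META = set(".^$?*+()[]{}|\\")  # regex metacharacters end the literal prefix


def parse_fc(text):
    """Return [(compiled regex, file type or None, SELinux type, prefix length)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"bad file_contexts line: {line!r}")
        regex, ftype, ctx = m.groups()
        prefix = 0
        while prefix < len(regex) and regex[prefix] not in META:
            prefix += 1
        # file_contexts regexes are anchored to the whole path
        entries.append((re.compile(regex + "$"), ftype, ctx.split(":")[2], prefix))
    return entries


def match_path(entries, path, ftype="--"):
    """Most specific entry wins (longest literal prefix; later entry on ties).
    This approximates, and is not, the exact ordering setfiles uses."""
    best = None
    for rx, etype, stype, prefix in entries:
        if etype not in (None, ftype) or not rx.match(path):
            continue
        if best is None or prefix >= best[0]:
            best = (prefix, stype)
    return best[1] if best else None


def parse_te(text):
    """Return {(source, target, class): set(permissions)} from allow rules."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("allow"):
            continue
        m = ALLOW_LINE.match(line)
        if not m:
            raise ValueError(f"bad allow rule: {line!r}")
        src, tgt, cls, many, single = m.groups()
        perms = set(many.split()) if many is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def is_allowed(rules, domain, target_type, cls, perm):
    return perm in rules.get((domain, target_type, cls), set())


def check_write(fc_text, te_text, domain, path):
    """Label path via the file_contexts, then ask whether domain may write it
    as a regular file. Returns (label type, allowed)."""
    ptype = match_path(parse_fc(fc_text), path)
    return ptype, is_allowed(parse_te(te_text), domain, ptype, "file", "write")


if __name__ == "__main__":
    for label, fc in (("before", FC_BEFORE), ("after", FC_AFTER)):
        for path in ("/etc/ppp/resolv.conf", "/etc/resolv.conf", "/etc/ppp/options"):
            print(label, path, check_write(fc, PPPD_TE, "pppd_t", path))
```

On a real SELinux host the same two questions are answered by matchpathcon (what label a path would get) and sesearch from setools (which allow rules grant pppd_t write on that type); the script only models that reasoning offline so the effect of the one-line pppd.fc change is visible without relabeling anything.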

Comment 3 Daniel Walsh 2004-06-02 18:43:46 UTC
Fixed in selinux-policy-strict-1.13.2-7.src.rpm

Comment 4 Daniel Walsh 2004-07-20 12:36:18 UTC
Fixed in Rawhide