+++ This bug was initially created as a clone of Bug #1116999 +++

It would be great if NetworkManager would set /etc/resolv.conf to a symlink to some place in /run, and then only manipulate the file there. This way, /etc may stay read-only, and systemd's ProtectSystem=full may be used on NM, which would be quite beneficial given that NM deals with networking stuff and runs otherwise highly privileged. (Debian has been maintaining /etc/resolv.conf like that for a while, and so does systemd-networkd, btw).

++++ ++++

As the result of this change, /usr/sbin/cups-browsed can't read symlinked /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf

type=PROCTITLE msg=audit(1422394384.174:1297): proctitle="/usr/sbin/cups-browsed"
type=SYSCALL msg=audit(1422394384.174:1297): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff10b1aa60 a2=7fff10b1aa60 a3=1 items=0 ppid=1 pid=1535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-browsed" exe="/usr/sbin/cups-browsed" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1422394384.174:1297): avc: denied { getattr } for pid=1535 comm="cups-browsed" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

type=PROCTITLE msg=audit(1422394384.174:1296): proctitle="/usr/sbin/cups-browsed"
type=SYSCALL msg=audit(1422394384.174:1296): arch=c000003e syscall=2 success=yes exit=8 a0=7f0bbda9415f a1=80000 a2=1b6 a3=1 items=0 ppid=1 pid=1535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-browsed" exe="/usr/sbin/cups-browsed" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1422394384.174:1296): avc: denied { open } for pid=1535 comm="cups-browsed" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422394384.174:1296): avc: denied { read } for pid=1535 comm="cups-browsed" name="resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422394384.174:1296): avc: denied { search } for pid=1535 comm="cups-browsed" name="NetworkManager" dev="tmpfs" ino=20983 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
Hi,

Could you tell me all the paths where resolv.conf will be stored?

Thank you
It's even worse:

#============= chronyd_t ==============
allow chronyd_t NetworkManager_var_run_t:dir search;

#============= cupsd_t ==============
allow cupsd_t NetworkManager_var_run_t:dir search;

#============= sshd_t ==============
allow sshd_t NetworkManager_var_run_t:file read;
In order to make this work, you would want to label /run/NetworkManager/resolv.conf as net_conf_t and then have a transition rule to label it correctly on creation.
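The relabeling fix from the comment above, worked through as an added example (not code from the NetworkManager, cups or selinux-policy projects). The script builds a small local SELinux module in raw module language: a named type_transition so that a file called resolv.conf created by NetworkManager_t inside a NetworkManager_var_run_t directory comes up as net_conf_t, plus a file-context entry so restorecon and a full relabel agree with it. The module name nm_resolvconf is made up here; the types NetworkManager_t, NetworkManager_var_run_t and net_conf_t are the ones already present in the policy that produced the AVCs in comment 0, and the file-context line is spelled with /var/run because Fedora policy maps /run onto /var/run through a path equivalence.

```shell
#!/bin/sh
# Added example for this bug thread, not NetworkManager or selinux-policy code.
# Assumed (made up) module name; the three types are taken from the AVCs above.

RESOLV_RUN='/run/NetworkManager/resolv.conf'
MODULE='nm_resolvconf'

# Type-enforcement source in checkmodule syntax (no refpolicy macros).
# NetworkManager_t already manages net_conf_t files because it writes
# /etc/resolv.conf, so no allow rules are added; only the default label
# of the newly created file changes.
nm_resolv_te() {
    cat <<EOF
module ${MODULE} 1.0;

require {
    type NetworkManager_t;
    type NetworkManager_var_run_t;
    type net_conf_t;
    class file { create open read getattr };
}

type_transition NetworkManager_t NetworkManager_var_run_t:file net_conf_t "resolv.conf";
EOF
}

# File-context entry for relabeling. Fedora's file_contexts.subs_dist maps
# /run to /var/run, so the pattern is written under /var/run (assumption
# about the target distribution; adjust if your policy has no such alias).
nm_resolv_fc() {
    printf '%s\t--\tsystem_u:object_r:net_conf_t:s0\n' \
        '/var/run/NetworkManager/resolv\.conf'
}

# Compile, package with the file contexts, load, and fix the file that
# already exists (files created afterwards get the label via the transition).
# Needs root and the policy tools; returns non-zero if any step fails.
nm_resolv_install() {
    for tool in checkmodule semodule_package semodule restorecon; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    dir=$(mktemp -d) || return 1
    nm_resolv_te > "$dir/$MODULE.te"
    nm_resolv_fc > "$dir/$MODULE.fc"
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te" &&
        semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod" -f "$dir/$MODULE.fc" &&
        semodule -i "$dir/$MODULE.pp" &&
        restorecon -v "$RESOLV_RUN"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Compare the label policy expects for the path with the label the file has.
nm_resolv_check() {
    matchpathcon "$RESOLV_RUN"
    ls -Z "$RESOLV_RUN"
}

case "${1:-}" in
    show)    nm_resolv_te; nm_resolv_fc ;;
    install) nm_resolv_install ;;
    check)   nm_resolv_check ;;
esac
```

Run it as `sh nm_resolvconf.sh show` to inspect the generated sources, `install` (as root) to load the module, and `check` to confirm that matchpathcon and ls -Z both report net_conf_t. Once the file carries net_conf_t, any domain that may already read /etc/resolv.conf can follow the symlink into /run without a per-domain allow rule like the ones audit2allow proposed above. One caveat: a named type_transition only fires when the file is created under that exact name, so if the daemon writes a temporary name and renames it into place, the transition does not apply and a transition without the name (or a relabel after each write) would be needed instead.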
(In reply to Lukas Vrabec from comment #1)
> Hi,
>
> Could you tell me all paths where will be resolv.conf stored?
>
> Thank you

For the purpose of this bug report it's /run/NetworkManager/resolv.conf in addition to /etc/resolv.conf. There may be (and are) other locations for other software like dnssec-trigger or systemd-networkd.
Meaning they are all going to change the symbolic link?
yes.