Bug 1186531 - RFE: Please consider managing /etc/resolv.conf as symlink to a location in /run
Summary: RFE: Please consider managing /etc/resolv.conf as symlink to a location in /run
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1116999
Blocks: dnssec
 
Reported: 2015-01-27 21:42 UTC by Petr Lautrbach
Modified: 2015-08-09 23:58 UTC
CC List: 14 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1116999
Environment:
Last Closed: 2015-08-09 23:58:51 UTC
Type: Bug
Embargoed:


Links
Red Hat Bugzilla 1166071 (priority unspecified, status CLOSED): selinux policy considerations for private and public resolv.conf (last updated 2021-02-22 00:41:40 UTC)

Description Petr Lautrbach 2015-01-27 21:42:41 UTC
+++ This bug was initially created as a clone of Bug #1116999 +++

It would be great if NetworkManager would set /etc/resolv.conf to a symlink to some place in /run, and then only manipulate the file there. This way, /etc may stay read-only, and systemd's ProtectSystem=full may be used on NM, which would be quite beneficial given that NM deals with networking stuff and runs otherwise highly privileged.

(Debian has been maintaining /etc/resolv.conf like that for a while, and so does systemd-networkd, btw).


++++       ++++


As a result of this change, /usr/sbin/cups-browsed can't read the symlinked /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf


type=PROCTITLE msg=audit(1422394384.174:1297): proctitle="/usr/sbin/cups-browsed"
type=SYSCALL msg=audit(1422394384.174:1297): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff10b1aa60 a2=7fff10b1aa60 a3=1 items=0 ppid=1 pid=1535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-browsed" exe="/usr/sbin/cups-browsed" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1422394384.174:1297): avc:  denied  { getattr } for  pid=1535 comm="cups-browsed" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1422394384.174:1296): proctitle="/usr/sbin/cups-browsed"
type=SYSCALL msg=audit(1422394384.174:1296): arch=c000003e syscall=2 success=yes exit=8 a0=7f0bbda9415f a1=80000 a2=1b6 a3=1 items=0 ppid=1 pid=1535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-browsed" exe="/usr/sbin/cups-browsed" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1422394384.174:1296): avc:  denied  { open } for  pid=1535 comm="cups-browsed" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422394384.174:1296): avc:  denied  { read } for  pid=1535 comm="cups-browsed" name="resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422394384.174:1296): avc:  denied  { search } for  pid=1535 comm="cups-browsed" name="NetworkManager" dev="tmpfs" ino=20983 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
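
To see how a rule list like the one in comment 2 is derived from records like these, and what the path in the record tells you that audit2allow does not, here is an added example that is not part of the report: it reduces AVC denials to allow rules and flags a denial whose target is a daemon's private /run type but whose path is the shared resolver configuration. The input is copied from the records above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: reduce AVC denial records to
# audit2allow-style rules and flag denials that point at a mislabeled file
# rather than a missing permission. Function names are this example's own.

# Sample input: three of the AVC records from the report's description.
SAMPLE_AVC='type=AVC msg=audit(1422394384.174:1297): avc:  denied  { getattr } for  pid=1535 comm="cups-browsed" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422394384.174:1296): avc:  denied  { open } for  pid=1535 comm="cups-browsed" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=330754 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422394384.174:1296): avc:  denied  { search } for  pid=1535 comm="cups-browsed" name="NetworkManager" dev="tmpfs" ino=20983 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1'

# Print "source_type target_type class perm [perm...]" for each AVC record on stdin.
# The type is the third field of the user:role:type:level security context.
avc_fields() {
    sed -n 's/.*avc:  *denied  *{ *\([a-z_ ]*[a-z_]\) *}.*scontext=[^ :]*:[^ :]*:\([^ :]*\):.*tcontext=[^ :]*:[^ :]*:\([^ :]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Group the denied permissions per (source, target, class), like audit2allow does.
avc_to_allow() {
    avc_fields | awk '
        {
            key = $1 " " $2 ":" $3
            for (i = 4; i <= NF; i++)
                if (!((key, $i) in seen)) { seen[key, $i] = 1; perms[key] = perms[key] " " $i }
        }
        END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# The check audit2allow does not make: a resolv.conf whose label is some daemon's
# private runtime type (*_var_run_t) should be relabeled, not opened up to every
# reader. One hint per distinct (path, type) pair.
avc_relabel_hints() {
    sed -n 's|.*avc:  *denied .*path="\([^"]*/resolv\.conf\)".*tcontext=[^ :]*:[^ :]*:\([^ :]*_var_run_t\):.*|\1 \2|p' | sort -u |
    while read -r path type; do
        printf 'hint: %s is labeled %s (a daemon-private runtime type); label it net_conf_t and add a file transition instead of granting readers access to %s\n' "$path" "$type" "$type"
    done
}

# Stand-alone run over the sample records.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_relabel_hints
```

On the sample records this prints the two cupsd_t rules that audit2allow would, and one hint for /run/NetworkManager/resolv.conf. The directory `search` denial is a genuine missing permission for the reading domain; the two file denials are the symptom of the wrong label, which is the distinction the rest of this bug turns on.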

Comment 1 Lukas Vrabec 2015-01-28 17:39:05 UTC
Hi, 

Could you tell me all the paths where resolv.conf will be stored? 

Thank you

Comment 2 Petr Lautrbach 2015-01-29 15:58:29 UTC
It's even worse:

#============= chronyd_t ==============
allow chronyd_t NetworkManager_var_run_t:dir search;

#============= cupsd_t ==============
allow cupsd_t NetworkManager_var_run_t:dir search;

#============= sshd_t ==============
allow sshd_t NetworkManager_var_run_t:file read;

Comment 3 Daniel Walsh 2015-01-29 16:43:40 UTC
In order to make this work, you would want to label /run/NetworkManager/resolv.conf as net_conf_t and then have a transition rule to label it correctly on creation.
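
A local policy module that implements the approach in comment 3, added here as an example; it is not code from the bug report or from the Fedora selinux-policy project. The module name resolvconf_run, the helper function names, the output directory and the use of the selinux-policy-devel Makefile to build it are this example's own assumptions; NetworkManager_t, NetworkManager_var_run_t and net_conf_t are the type names used in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or the selinux-policy project:
# a local policy module that labels NetworkManager's resolv.conf net_conf_t and
# adds the creation-time transition suggested in comment 3. Module name, function
# names and output directory are this example's own choices.
set -eu

# Policy source. With the file labeled net_conf_t, domains that may already read
# /etc/resolv.conf (cupsd_t, chronyd_t, sshd_t, ...) can read the symlink target
# without being granted anything on NetworkManager's private runtime type.
resolvconf_run_te() {
    cat <<'EOF'
policy_module(resolvconf_run, 1.0)

gen_require(`
    type NetworkManager_t;
    type NetworkManager_var_run_t;
    type net_conf_t;
')

# When NetworkManager creates a file named resolv.conf in a directory labeled
# NetworkManager_var_run_t, label it net_conf_t instead of letting it inherit
# the directory's type.
filetrans_pattern(NetworkManager_t, NetworkManager_var_run_t, net_conf_t, file, "resolv.conf")
EOF
}

# File context entry so restorecon and a full relabel agree with the transition.
resolvconf_run_fc() {
    cat <<'EOF'
/run/NetworkManager/resolv\.conf    --    gen_context(system_u:object_r:net_conf_t,s0)
EOF
}

# Write the .te and .fc into a directory; prints the directory path.
write_resolvconf_run_module() {
    dir="$1"
    mkdir -p "$dir"
    resolvconf_run_te > "$dir/resolvconf_run.te"
    resolvconf_run_fc > "$dir/resolvconf_run.fc"
    printf '%s\n' "$dir"
}

# Build with the refpolicy development Makefile (package selinux-policy-devel),
# install the module and relabel the existing file. Skipped, with the sources
# left in place, when the toolchain is not installed on this host.
install_resolvconf_run_module() {
    dir="$1"
    mk=/usr/share/selinux/devel/Makefile
    if [ ! -f "$mk" ] || ! command -v semodule >/dev/null 2>&1; then
        echo "SELinux policy toolchain not found; module left in $dir, not installed" >&2
        return 0
    fi
    (cd "$dir" && make -f "$mk" resolvconf_run.pp && semodule -i resolvconf_run.pp)
    restorecon -v /run/NetworkManager/resolv.conf
}

# Checks to run afterwards: the policy's view of the path, the label actually
# on disk, and the transition rule as loaded into the kernel.
verify_resolvconf_label() {
    matchpathcon /run/NetworkManager/resolv.conf
    ls -Z /run/NetworkManager/resolv.conf
    sesearch -T -s NetworkManager_t -t NetworkManager_var_run_t -c file
}
```

Two caveats before relying on this. First, relabeling the file does nothing for the `search` denial on the NetworkManager directory (tclass=dir in the description): whichever interface lets a domain read resolv.conf also has to grant search on that directory, which is the narrow `dir search` rule comment 2 shows, as opposed to `file read` on NetworkManager_var_run_t, which would expose everything else NetworkManager keeps under /run. Second, a name-based transition only applies when the file is created under that exact name; if NetworkManager writes to a temporary name and renames it into place, the file keeps the directory's type and only the file context entry plus restorecon fixes it, so check `ls -Z` again after NetworkManager has rewritten the file rather than only right after installing the module.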

Comment 4 Pavel Šimerda (pavlix) 2015-01-29 21:03:58 UTC
(In reply to Lukas Vrabec from comment #1)
> Hi, 
> 
> Could you tell me all the paths where resolv.conf will be stored? 
> 
> Thank you

For the purpose of this bug report it's /run/NetworkManager/resolv.conf in addition to /etc/resolv.conf. There may be (and are) other locations for other software like dnssec-trigger or systemd-networkd.

Comment 5 Daniel Walsh 2015-01-31 18:30:21 UTC
Meaning they are all going to change the symbolic link?

Comment 6 Lukas Vrabec 2015-02-02 12:15:54 UTC
yes.

