Bug 122968 - Under selinux, PEERDNS=yes does not work for ppp.
Product: Fedora
Classification: Fedora
Component: policy
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
: SELinux
Depends On:
Reported: 2004-05-10 15:53 EDT by Aleksey Nogin
Modified: 2007-11-30 17:10 EST (History)
3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-07-20 08:36:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Aleksey Nogin 2004-05-10 15:53:44 EDT
When pppd is used with the usepeerdns option (e.g. when PEERDNS is set
to yes in the corresponding ifcfg-xyz file), then pppd would write to
/etc/ppp/resolv.conf. However, currently file_contexts marks this file
with a default pppd_etc_t, instead of the more appropriate pppd_etc_rw_t.

In short, the following line needs to be added to pppd.fc:

/etc/ppp/resolv\.conf --   system_u:object_r:pppd_etc_rw_t
Comment 1 Aleksey Nogin 2004-05-12 01:30:31 EDT
I still cannot get PEERDNS=yes to work with ppp and SELinux. It is
possible that in addition to policy changes, ppp and/or ppp scripts
from initscripts need to be changed to be more SELinux-friendly.

- pppd.fc needs to be updated as stated above,
- pppd.te needs to include at least 
allow pppd_t net_conf_t:file { write };

Scripts or pppd:
Saving to /etc/resolv.conf.save is not the best idea, since "allow
pppd_t etc_t:dir { write };" is too much, and w/o it pppd can not
remove the saved file. 

A possible solution would be to have a transition from pppd_t to a
more appropriate domain on execution of /etc/ppp/ip-up and similar

As I said, I have not gotten it to work correctly, so I might be
missing something else.
Comment 2 Aleksey Nogin 2004-05-15 14:22:13 EDT
I've added the following to the local policy:

allow pppd_t net_conf_t:file { write setattr };
allow pppd_t tmp_t:dir { getattr search write add_name remove_name };
allow pppd_t tmp_t:file { create append getattr read };
allow pppd_t var_run_t:file { getattr };
allow pppd_t pppd_t:file { read getattr };

and PEERDNS now works for PPP.
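The two halves of this bug are a labelling problem (the description: file_contexts gives /etc/ppp/resolv.conf the catch-all pppd_etc_t instead of pppd_etc_rw_t) and a missing allow rule (comment 2). The script below is an added example, not part of the bug report or of the selinux-policy package: it parses constructed samples in .fc and .te syntax, resolves which context a path would receive (last matching entry wins, as setfiles does, and an entry with a file-type field applies only to that type), and then checks whether the domain holds write on the resulting file type. The .fc samples follow the entry quoted in the description; the net_conf_t and tmp_t rules follow comment 2; the pppd_etc_rw_t rule is an assumption added so the "fixed" case can be shown.

```python
import re

# Constructed sample in file_contexts (.fc) syntax. The first entry is the
# catch-all default the report describes; the last is the override it asks for.
SAMPLE_FC = r"""
/etc/ppp(/.*)?              system_u:object_r:pppd_etc_t
/etc/ppp/resolv\.conf   --  system_u:object_r:pppd_etc_rw_t
"""

# The same file without the override: the "before" state from the report.
DEFAULT_ONLY_FC = r"""
/etc/ppp(/.*)?              system_u:object_r:pppd_etc_t
"""

# Constructed sample of TE allow rules in pppd.te syntax. The net_conf_t and
# tmp_t lines follow the local policy in comment 2; the pppd_etc_rw_t line is
# an assumption (pppd must be able to write its own rw config files).
SAMPLE_TE = """
allow pppd_t pppd_etc_rw_t:file { read write getattr setattr };
allow pppd_t net_conf_t:file { write setattr };
allow pppd_t tmp_t:file { create append getattr read };
allow pppd_t var_run_t:file getattr;
"""

# <path regex> [<file type>] <security context>; file type is one of -- -d -l -c -b -s -p
FC_LINE = re.compile(r'^(\S+)\s+(?:(-[-dlcbsp])\s+)?(\S+)$')
# allow <source> <target>:<class> { perm ... };   or   allow <source> <target>:<class> perm;
ALLOW_RULE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;$')


def strip_comment(raw):
    return raw.split('#', 1)[0].strip()


def parse_fc(text):
    """Parse file_contexts text into (compiled regex, file type or None, context), in file order."""
    entries = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"bad file_contexts line: {raw!r}")
        pattern, ftype, context = m.groups()
        entries.append((re.compile('^' + pattern + '$'), ftype, context))
    return entries


def lookup_context(entries, path, ftype='--'):
    """Return the context a path would receive: the last matching entry wins,
    and an entry that names a file type applies only to that file type."""
    found = None
    for regex, etype, context in entries:
        if etype is not None and etype != ftype:
            continue
        if regex.match(path):
            found = context
    return found


def parse_te(text):
    """Parse allow rules into (source, target, class, set of permissions)."""
    rules = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = ALLOW_RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {raw!r}")
        src, tgt, cls, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        rules.append((src, tgt, cls, perms))
    return rules


def is_allowed(rules, src, tgt, cls, perm):
    return any(s == src and t == tgt and c == cls and perm in p
               for s, t, c, p in rules)


def check_write(path, fc_text=SAMPLE_FC, te_text=SAMPLE_TE, domain='pppd_t'):
    """Return (file type the path gets, whether domain may write it) under the given fc/te text."""
    context = lookup_context(parse_fc(fc_text), path)
    if context is None:
        return (None, False)
    ftype = context.split(':')[2]
    return (ftype, is_allowed(parse_te(te_text), domain, ftype, 'file', 'write'))


if __name__ == '__main__':
    for label, fc in (('default only', DEFAULT_ONLY_FC), ('with override', SAMPLE_FC)):
        print(label, check_write('/etc/ppp/resolv.conf', fc_text=fc))
```

Running it shows the "default only" file_contexts resolving /etc/ppp/resolv.conf to pppd_etc_t with no write permission, and the file with the override resolving it to pppd_etc_rw_t with write allowed. The same lookup with a directory type ("-d") still returns pppd_etc_t, since the "--" override only applies to regular files. On a real system the equivalent checks are matchpathcon(8) or ls -Z for the label and sesearch for the rule.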
Comment 3 Daniel Walsh 2004-06-02 14:43:46 EDT
Fixed in selinux-policy-strict-1.13.2-7.src.rpm
Comment 4 Daniel Walsh 2004-07-20 08:36:18 EDT
Fixed in Rawhide
