When pppd is used with the usepeerdns option (e.g. when PEERDNS is set to yes in the corresponding ifcfg-xyz file), then pppd would write to /etc/ppp/resolv.conf. However, currently file_contexts marks this file with a default pppd_etc_t, instead of the more appropriate pppd_etc_rw_t. In short, the following line needs to be added to pppd.fc: /etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
I still can not get PEERDNS=yes to work with ppp and SELinux. It is possible that in addition to policy changes, ppp and/or ppp scripts from initscripts need to be changed to be more SELinux-friendly.
Policy:
- pppd.fc needs to be updated as stated above,
- pppd.te needs to include at least allow pppd_t net_conf_t:file { write };
Scripts or pppd: Saving to /etc/resolv.conf.save is not the best idea, since "allow pppd_t etc_t:dir { write };" is too much, and without it pppd can not remove the saved file. A possible solution would be to have a transition from pppd_t to a more appropriate domain on execution of /etc/ppp/ip-up and similar scripts. As I said, I have not gotten it to work correctly, so I might be missing something else.
I've added the following to the local policy:
allow pppd_t net_conf_t:file { write setattr };
allow pppd_t tmp_t:dir { getattr search write add_name remove_name };
allow pppd_t tmp_t:file { create append getattr read };
allow pppd_t var_run_t:file { getattr };
allow pppd_t pppd_t:file { read getattr };
and PEERDNS now works for PPP.
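The two comments above arrive at local allow rules by reading AVC denials and deciding which of them deserve a rule and which (such as write on etc_t:dir) grant more than pppd needs. The script below is an added example, not part of this bug report or of the selinux-policy package: it does the audit2allow-style step of parsing AVC lines, merging permissions per (source type, target type, class), and separating the rules it would emit from the ones that match a small watchlist of over-broad grants. The audit log lines are constructed for the example; the BROAD_GRANTS set contains only the case the comment above calls "too much".

```python
import re
from collections import defaultdict

# Constructed AVC denials (not taken from the bug report) of the shape pppd
# produces when usepeerdns makes it rewrite resolv.conf under a policy that
# lacks the rules discussed above.  Contexts are user:role:type as on FC3/FC4.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1109203245.101:12): avc:  denied  { write } for  pid=2314 comm="pppd" name="resolv.conf" dev=hda3 ino=49211 scontext=root:system_r:pppd_t tcontext=system_u:object_r:net_conf_t tclass=file
type=AVC msg=audit(1109203245.102:13): avc:  denied  { setattr } for  pid=2314 comm="pppd" name="resolv.conf" dev=hda3 ino=49211 scontext=root:system_r:pppd_t tcontext=system_u:object_r:net_conf_t tclass=file
type=AVC msg=audit(1109203245.110:14): avc:  denied  { write } for  pid=2314 comm="pppd" name="etc" dev=hda3 ino=49001 scontext=root:system_r:pppd_t tcontext=system_u:object_r:etc_t tclass=dir
type=AVC msg=audit(1109203245.111:15): avc:  denied  { create } for  pid=2314 comm="pppd" name="resolv.conf.save" dev=hda3 ino=49300 scontext=root:system_r:pppd_t tcontext=system_u:object_r:tmp_t tclass=file
type=AVC msg=audit(1109203245.112:16): avc:  denied  { getattr } for  pid=2314 comm="pppd" path="/var/run/ppp0.pid" dev=hda3 ino=51000 scontext=root:system_r:pppd_t tcontext=system_u:object_r:var_run_t tclass=file
"""

# Pull the permission set and the three context fields out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type component."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; skip
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def collect_rules(log_text):
    """Merge denials into one permission set per (source, target, class) key."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def format_rule(key, perms):
    """Render a key and its permissions as a policy allow rule."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


# Grants that denial-driven generation would emit but that hand a domain far
# more than the task needs.  (etc_t, dir, write) is the case the comment above
# rejects: it lets pppd create or remove any file directly under /etc.
BROAD_GRANTS = {("etc_t", "dir", "write")}


def review_rules(rules):
    """Split generated rules into (accepted, flagged) lists of rule strings."""
    accepted, flagged = [], []
    for key in sorted(rules):
        _, tgt, cls = key
        text = format_rule(key, rules[key])
        if any((tgt, cls, perm) in BROAD_GRANTS for perm in rules[key]):
            flagged.append(text)
        else:
            accepted.append(text)
    return accepted, flagged


if __name__ == "__main__":
    accepted, flagged = review_rules(collect_rules(SAMPLE_AUDIT_LOG))
    print("# rules to add to the local policy")
    print("\n".join(accepted))
    print("# rules that need a narrower fix (relabel, or a domain transition)")
    print("\n".join(flagged))
```

Run against a real /var/log/audit/audit.log (or dmesg output on systems without auditd) the same parser works unchanged; the point of the watchlist is that the flagged rule is not silently added but sent back to the "fix the script, or transition to a narrower domain" discussion in the comment above.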
Fixed in selinux-policy-strict-1.13.2-7.src.rpm
Fixed in Rawhide