Bug 122968 - Under selinux, PEERDNS=yes does not work for ppp.
Summary: Under selinux, PEERDNS=yes does not work for ppp.
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: SELinux
Depends On:
TreeView+ depends on / blocked
Reported: 2004-05-10 19:53 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2004-07-20 12:36:18 UTC

Attachments (Terms of Use)

Description Aleksey Nogin 2004-05-10 19:53:44 UTC
When pppd is used with the usepeerdns option (e.g. when PEERDNS is set
to yes in the corresponding ifcfg-xyz file), then pppd would write to
/etc/ppp/resolv.conf. However, currently file_contexts marks this file
with a default pppd_etc_t, instead of the more appropriate pppd_etc_rw_t.

In short, the following line needs to be added to pppd.fc:

/etc/ppp/resolv\.conf --   system_u:object_r:pppd_etc_rw_t

Comment 1 Aleksey Nogin 2004-05-12 05:30:31 UTC
I still can not get PEERDNS=yes to work wirh ppp and SELinux, It is
possible that in addition to policy changes, ppp and/or ppp scripts
from initscripts need to be changed to be more SELinux-friendly.

- pppd.fc needs to be updated as stated above,
- pppd.te needs to include at least 
allow pppd_t net_conf_t:file { write };

Scripts or pppd:
Saving to /etc/resolv.conf.save is not the best idea, since "allow
pppd_t etc_t:dir { write };" is too much, and w/o it pppd can not
remove the saved file. 

A possible solution would be to have a transition from pppd_t to a
more appropriate domain on execution of /etc/ppp/ip-up and similar

As I said, I have not gotten it to work correctly, so I might be
missing something else.

Comment 2 Aleksey Nogin 2004-05-15 18:22:13 UTC
I've added the following to the local policy:

allow pppd_t net_conf_t:file { write setattr };
allow pppd_t tmp_t:dir { getattr search write add_name remove_name };
allow pppd_t tmp_t:file { create append getattr read };
allow pppd_t var_run_t:file { getattr };
allow pppd_t pppd_t:file { read getattr };

and PEERDNS now works for PPP.

Comment 3 Daniel Walsh 2004-06-02 18:43:46 UTC
Fixed in selinux-policy-strict-1.13.2-7.src.rpm

Comment 4 Daniel Walsh 2004-07-20 12:36:18 UTC
Fixed in Rawhide

Note You need to log in before you can comment on or make changes to this bug.