Bug 1398853 - SELinux file context for /usr/lib/systemd/resolv.conf should be net_conf_t
SELinux file context for /usr/lib/systemd/resolv.conf should be net_conf_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
25
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-26 11:31 EST by Anthony Messina
Modified: 2016-12-08 13:23 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-08 13:23:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2016-11-26 11:31:51 EST
According to the systemd-resolved man page

"A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved. This mode of operation is recommended."

In order for this to work properly, the SELinux file context for /usr/lib/systemd/resolv.conf should be net_conf_t so other daemons are allowed to access it via the symlink (similar to the label fix a while back for /run/systemd/resolve/resolv.conf)

$ ls -l /etc/resolv.conf 
lrwxrwxrwx. 1 root root 28 Nov 25 20:23 /etc/resolv.conf -> /usr/lib/systemd/resolv.conf
Comment 1 Daniel Walsh 2016-11-28 12:51:28 EST
Should other domains including NetworkManager_t be allowed to write it?  If not, it would probably be better labeled usr_t.
Comment 2 Anthony Messina 2016-11-28 14:33:47 EST
(In reply to Daniel Walsh from comment #1)
> Should other domains including NetworkManager_t be allowed to write it?  If
> not, it would probably be better labeled usr_t.

Other domains probably shouldn't be messing with it. This is just a workaround which reduced the AVCs (that have to be allowed) until Fedora's SELinux policies can catch up (hopefully very soon) to systemd's tools.

One thing that systemd is fond of is symlinks, which many of the previously existing domain policies don't like -- Postfix for example.
Comment 3 Daniel Walsh 2016-11-28 16:25:34 EST
If we labeled it usr_t or even lib_t then all these domains could read it but not modify it.

Sadly we currently label it init_exec_t, which is no good.
Comment 4 Anthony Messina 2016-11-28 19:30:35 EST
(In reply to Daniel Walsh from comment #3)
> If we labeled it usr_t or even lib_t then all these domains could read it
> but not modify it.
> 
> Sadly we currently label it init_exec_t, which is no good.

https://github.com/fedora-selinux/selinux-policy/commit/55636311de67f0782fde3d89ea82559d16c2c3ca

This should get closer.  Regardless of the label, won't other policy prevent the symlink from /etc/resolve.conf to /usr/lib/systemd/resolv.conf or /run/systemd/resolve/resolv.conf, the latter of which is defaulted to net_conf_t?  It seems a lot of things will need lnk_file support.
Comment 5 Daniel Walsh 2016-11-29 10:05:03 EST
No I think all domains that need to read /etc/resolv.conf already can read a link file that is labeled as net_conf_t,  The problem is they can not read a file with a label of init_exec_t.  Changing this label to net_conf_t allows the access but it also allows all domains that can write to net_conf_t to be allowed to write to the file, from an SELinux point of view.  Getting this to a label like lib_t or usr_t, would solve both problems.  In that all domains that need to read /etc/resolv.conf can now read the file, but domains that can write /etc/resolv.conf will NOT be allowed to write /usr/lib/systemd/resolv.conf
Comment 6 Fedora Update System 2016-11-29 12:04:51 EST
selinux-policy-3.13.1-225.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768
Comment 7 Fedora Update System 2016-12-02 23:31:59 EST
selinux-policy-3.13.1-225.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768
Comment 8 Fedora Update System 2016-12-05 12:03:22 EST
selinux-policy-3.13.1-225.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972
Comment 9 Fedora Update System 2016-12-06 21:26:11 EST
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972
Comment 10 Fedora Update System 2016-12-08 13:23:19 EST
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.