From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Fri, 11 Dec 2020 17:21:14 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b
Conflict: NA
Subject: [PATCH] Allow stub-resolv.conf to be a symlink

It turns out that under certain configurations, /var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a regular file (see [1]). In such case, domains such as NetworkManager_t and chronyd_t need to be able to read it, which is denied since the symlink ends up being labeled as systemd_resolved_var_run_t. So make sure that such symlink is also labeled net_conf_t and extend sysnet_read_config() to allow also reading symlinks.

NOTE: Further unification/simplification of /etc network config symlinks would now be possible (basically reverting f1505fca7063 ("Label /etc/resolv.conf as net_conf_t only if it is a plain file")), but that leads down to a deeper rabbit hole, so it's not addressed here.

[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439

Signed-off-by: Ondrej Mosnacek
---
 policy/modules/system/sysnetwork.fc | 2 +-
 policy/modules/system/sysnetwork.if | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 27eb98b..de92927 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -38,7 +38,7 @@ ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
 /var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index d7b696b..25e6b13 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -456,6 +456,7 @@ interface(`sysnet_read_config',`
 allow $1 net_conf_t:dir list_dir_perms;
 allow $1 net_conf_t:lnk_file read_lnk_file_perms;
 read_files_pattern($1, net_conf_t, net_conf_t)
+read_lnk_files_pattern($1, net_conf_t, net_conf_t)
 ')
 ')
 
@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',`
 optional_policy(`
 systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
 systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
 ')
 ')
 
-- 
1.8.3.1
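Review bot: Dropping the `--` specifier from the stub-resolv.conf entry widens it from "regular file" to any object type at that path (directory, socket, fifo included), while the companion filetrans hunk in sysnetwork.if only ever creates it as `file` or `lnk_file`. Two explicit entries would keep the labeling exactly as narrow as the filetrans rule: `/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)` and `/var/run/systemd/resolve/stub-resolv\.conf -l gen_context(system_u:object_r:net_conf_t,s0)`. The practical exposure is presumably small since that directory is systemd-resolved's own runtime directory, but matching the classes granted in the filetrans hunk keeps the two rules consistent and documents the intent in the file itself.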
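Review bot: The added `read_lnk_files_pattern($1, net_conf_t, net_conf_t)` appears redundant with the two context lines above it: the pattern expands to `dir search_dir_perms` plus `lnk_file read_lnk_file_perms` on net_conf_t, and `list_dir_perms` on the dir together with the explicit `allow $1 net_conf_t:lnk_file read_lnk_file_perms;` already grant both. If the pattern form is preferred for symmetry with `read_files_pattern`, drop the explicit lnk_file allow instead so the interface does not carry the same grant twice. The enclosing interface starts outside the hunk, so its header comment could also be updated to state that net_conf_t symlinks are readable through this interface.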
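Review bot: The widened `{ file lnk_file }` class set on the stub-resolv.conf line carries no explanation in the code, while the neighbouring resolv.conf lines stay `file`-only, so a later reader of the interface cannot tell why one entry differs. A one-line comment above the changed line, `# stub-resolv.conf may be a symlink under some configurations, see commit 82e42900`, would carry the commit message's reason into the policy source. The interface header lies outside the hunk.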