packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
luhuaxin 67a202caa4 backport some upstream patches
2021-05-31 18:58:06 +08:00

67 lines
2.9 KiB
Diff
Raw Blame History

From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Fri, 11 Dec 2020 17:21:14 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b
Conflict: NA
Subject: [PATCH] Allow stub-resolv.conf to be a symlink
It turns out that under certain configurations,
/var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a
regular file (see [1]). In such case, domains such as NetworkManager_t
and chronyd_t need to be able to read it, which is denied since the
symlink ends up being labeled as systemd_resolved_var_run_t.
So make sure that such symlink is also labeled net_conf_t and extend
sysnet_read_config() to allow also reading symlinks.
NOTE: Further unification/simplification of /etc network config symlinks
would now be possible (basically reverting f1505fca7063 ("Label
/etc/resolv.conf as net_conf_t only if it is a plain file")), but that
leads down to a deeper rabbit hole, so it's not addressed here.
[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/sysnetwork.fc | 2 +-
policy/modules/system/sysnetwork.if | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 27eb98b..de92927 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -38,7 +38,7 @@ ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
')
/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index d7b696b..25e6b13 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -456,6 +456,7 @@ interface(`sysnet_read_config',`
allow $1 net_conf_t:dir list_dir_perms;
allow $1 net_conf_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
+ read_lnk_files_pattern($1, net_conf_t, net_conf_t)
')
')
@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',`
optional_policy(`
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+ systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
')
')
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink