Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1398853
Summary: | SELinux file context for /usr/lib/systemd/resolv.conf should be net_conf_t | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 25 | CC: | dwalsh |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-12-08 18:23:19 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Anthony Messina
2016-11-26 16:31:51 UTC
Should other domains including NetworkManager_t be allowed to write it? If not, it would probably be better labeled usr_t. (In reply to Daniel Walsh from comment #1) > Should other domains including NetworkManager_t be allowed to write it? If > not, it would probably be better labeled usr_t. Other domains probably shouldn't be messing with it. This is just a workaround which reduced the AVCs (that have to be allowed) until Fedora's SELinux policies can catch up (hopefully very soon) to systemd's tools. One thing that systemd is fond of is symlinks, which many of the previously existing domain policies don't like -- Postfix for example. If we labeled it usr_t or even lib_t then all these domains could read it but not modify it. Sadly we currently label it init_exec_t, which is no good. (In reply to Daniel Walsh from comment #3) > If we labeled it usr_t or even lib_t then all these domains could read it > but not modify it. > > Sadly we currently label it init_exec_t, which is no good. https://github.com/fedora-selinux/selinux-policy/commit/55636311de67f0782fde3d89ea82559d16c2c3ca This should get closer. Regardless of the label, won't other policy prevent the symlink from /etc/resolve.conf to /usr/lib/systemd/resolv.conf or /run/systemd/resolve/resolv.conf, the latter of which is defaulted to net_conf_t? It seems a lot of things will need lnk_file support. No I think all domains that need to read /etc/resolv.conf already can read a link file that is labeled as net_conf_t, The problem is they can not read a file with a label of init_exec_t. Changing this label to net_conf_t allows the access but it also allows all domains that can write to net_conf_t to be allowed to write to the file, from an SELinux point of view. Getting this to a label like lib_t or usr_t, would solve both problems. In that all domains that need to read /etc/resolv.conf can now read the file, but domains that can write /etc/resolv.conf will NOT be allowed to write /usr/lib/systemd/resolv.conf selinux-policy-3.13.1-225.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768 selinux-policy-3.13.1-225.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768 selinux-policy-3.13.1-225.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972 selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972 selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. |