Return-Path: <SRS0=jhG8=N3=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.7 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DD9A8C43441
	for <selinux-refpolicy@archiver.kernel.org>; Fri, 16 Nov 2018 15:12:56 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 8A3822087C
	for <selinux-refpolicy@archiver.kernel.org>; Fri, 16 Nov 2018 15:12:56 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="aIihYD/4"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8A3822087C
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=ieee.org
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728124AbeKQBZl (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Fri, 16 Nov 2018 20:25:41 -0500
Received: from mail-qk1-f196.google.com ([209.85.222.196]:42842 "EHLO
        mail-qk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728079AbeKQBZl (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 16 Nov 2018 20:25:41 -0500
Received: by mail-qk1-f196.google.com with SMTP id m5so37858365qka.9
        for <selinux-refpolicy@vger.kernel.org>; Fri, 16 Nov 2018 07:12:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=qP63hmnICX3QjPVi6/eBjtvAwHWzxX4S5NKsjob0cUg=;
        b=aIihYD/4d+tT5DF2T2tK5g2exEos02USxxKdp+Vqp//j0+SLDHH2LTiazGOMFf9Wwb
         N2gVI57ZL+K1SMnV3xcesicnT0acF6KsgXIwHnFgUJojQUdNMj5kCu8Zo4X7aTFhN69+
         JEuwpO+qbb14MJpmN2I8OGSvF/OZr7E7vPbg0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=qP63hmnICX3QjPVi6/eBjtvAwHWzxX4S5NKsjob0cUg=;
        b=E8rcTAqa7cHg3FQd8yZZ9UgwDZ/8KInxyhyviIw13VitoQpb6mDEH2Oslwz7qpkueP
         ttf7ztNeTTQ+J8/VnFJ1i6UqtNxYh+FPHOvEUCisAU2CYgMFcYi/OUQ62xnD3ecWSms0
         IhYO30PRblBn/Hy4ecQQeDFU1bRyZ4+gTrMJF07LOIvRwB2KBAdbRHcinhodx+CXJiH/
         ksLjD6hyu0WZP3bROcjBUpRXvEInA+Fn04/XtTZR1SCaIiKS6HCOuLRmOgOkmdNbf055
         wTZwFRJm04pdNGXD0M37IaaYk/CNxmU57VY8Z+ZWTMPqdQgV71ELMlGnQcCdcCNFEZey
         439Q==
X-Gm-Message-State: AGRZ1gKmP/yVX1ol1Bhg8Dhfz6Kw0aPA7fKdstrC77QQXYYyYNE1L9UT
        V4TeNBDk2e0ONsM05gzIWUk171CspH0=
X-Google-Smtp-Source: AJdET5dCcG7lsR3EjIEERXEhKklca+M8zQTEo1GwpJ0CL9ycZC/t9ikHLfA0GRFuLdMA2YkuEaNkRg==
X-Received: by 2002:a37:2452:: with SMTP id w79mr10439300qkg.105.1542381174678;
        Fri, 16 Nov 2018 07:12:54 -0800 (PST)
Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id l30sm8142041qte.44.2018.11.16.07.12.53
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 16 Nov 2018 07:12:53 -0800 (PST)
Subject: Re: [PATCH v3 2/2] dnsmasq: Add support for lxc-net, lxd-bridge,
 NetworkManager
To:     Petr Vorel <pvorel@suse.cz>, selinux-refpolicy@vger.kernel.org
Cc:     Dan Walsh <dwalsh@redhat.com>
References: <20181112084731.27185-1-pvorel@suse.cz>
 <20181112084731.27185-2-pvorel@suse.cz>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <7abbe1dd-f459-606f-c92c-8e66297bacd0@ieee.org>
Date:   Fri, 16 Nov 2018 10:12:52 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <20181112084731.27185-2-pvorel@suse.cz>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 11/12/18 3:47 AM, Petr Vorel wrote:
> * lxc-net pid and lease files:
> /var/run/lxc/dnsmasq.pid
> /var/lib/misc/dnsmasq.*.leases
> 
> * lxd-bridge pid and lease files:
> /var/run/lxd-bridge/dnsmasq.pid
> /var/lib/lxd-bridge/dnsmasq.*.leases
> /var/lib/lxd/networks/*/dnsmasq.leases
> /var/lib/lxd/networks/*/dnsmasq.pid
> 
> * NetworkManager pid, lease and configuration files:
> /var/lib/NetworkManager/dnsmasq-*.leases
> /run/nm-dns-dnsmasq.conf
> /run/nm-dnsmasq-*.pid
> /run/sendsigs.omit.d/*dnsmasq.pid
> /run/NetworkManager/dnsmasq.conf
> /run/NetworkManager/dnsmasq.pid
> 
> + sort /var/lib/ lines.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Changes v2->v3:
> * more sorting
> 
> Changes v1->v2
> * fix sorting (requested by Chris PeBenito)
> * fix missing dot escapes (requested by Chris PeBenito)
> * change some stars to plus
> ---
>   policy/modules/services/dnsmasq.fc | 11 ++++++++++-
>   1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
> index 91c18d46..7df6e973 100644
> --- a/policy/modules/services/dnsmasq.fc
> +++ b/policy/modules/services/dnsmasq.fc
> @@ -5,6 +5,11 @@
>   
>   /run/dnsmasq.*			--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
>   /run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/(lxc|lxd-bridge|NetworkManager)/dnsmasq\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/NetworkManager/dnsmasq\.conf   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
> +/run/nm-dns-dnsmasq\.conf   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
> +/run/nm-dnsmasq-.+\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/sendsigs\.omit\.d/.*dnsmasq\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
>   
>   /usr/bin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
>   
> @@ -13,7 +18,11 @@
>   
>   /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
>   
> -/var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
>   /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd-bridge/dnsmasq\..+\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd/networks/\.*/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd/networks/\.+/dnsmasq\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/var/lib/misc/dnsmasq(\..+)?\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/NetworkManager/dnsmasq-.+\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
>   
>   /var/log/dnsmasq(.*)?\.log(\..+)	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)

I got this error:

/sbin/setfiles: file_contexts: Multiple different specifications for 
/run/nm-dns-dnsmasq\.conf 
(system_u:object_r:NetworkManager_var_run_t:s0 and 
system_u:object_r:dnsmasq_etc_t:s0).

This made me think about this patch more.  Is NetworkManager creating 
these config files?


-- 
Chris PeBenito