2018-04-11 21:35:51

by Sugar, David

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/1] Interface to read /run/systemd/resolve/resolv.conf

With systemd /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to DNS lookup to read this file.

I was seeing the following denials when using DNS. This should resolve the problem on the whole system.
type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/sysnetwork.if | 1 +
policy/modules/system/systemd.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index a53122b1..d7cef330 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -755,6 +755,7 @@ interface(`sysnet_dns_name_resolve',`
# This seems needed when the mymachines NSS module is used
optional_policy(`
systemd_read_machines($1)
+ systemd_resolved_read_resolv($1)
')
')

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index f6e34102..e0065ef5 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -715,3 +715,21 @@ interface(`systemd_tmpfilesd_managed',`

allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+#######################################
+## <summary>
+## Allow domain to read resolv.conf file generated by systemd_resolved
+## </summary>
+## <param name="domain">
+## <summary>
+## domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_resolved_read_resolv',`
+ gen_require(`
+ type systemd_resolved_var_run_t;
+ ')
+
+ read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+')
--
2.14.3


2018-04-12 22:58:18

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/1] Interface to read /run/systemd/resolve/resolv.conf

On 04/11/2018 05:35 PM, Dave Sugar via refpolicy wrote:
> With systemd /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to DNS lookup to read this file.
>
> I was seeing the following denials when using DNS. This should resolve the problem on the whole system.
> type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/sysnetwork.if | 1 +
> policy/modules/system/systemd.if | 18 ++++++++++++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index a53122b1..d7cef330 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -755,6 +755,7 @@ interface(`sysnet_dns_name_resolve',`
> # This seems needed when the mymachines NSS module is used
> optional_policy(`
> systemd_read_machines($1)
> + systemd_resolved_read_resolv($1)

This should probably be part of sysnet_read_config instead.

> ')
> ')
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index f6e34102..e0065ef5 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -715,3 +715,21 @@ interface(`systemd_tmpfilesd_managed',`
>
> allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> ')
> +
> +#######################################
> +## <summary>
> +## Allow domain to read resolv.conf file generated by systemd_resolved
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_resolved_read_resolv',`

systemd_read_resolved_runtime()


> + gen_require(`
> + type systemd_resolved_var_run_t;
> + ')
> +
> + read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +')
>


--
Chris PeBenito