With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.
type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/sysnetwork.if | 2 ++
policy/modules/system/systemd.if | 19 +++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index a53122b1..1f7cf460 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -348,6 +348,8 @@ interface(`sysnet_read_config',`
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
+ systemd_read_resolved_runtime($1)
+
ifdef(`distro_debian',`
files_search_pids($1)
allow $1 net_conf_t:dir list_dir_perms;
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index f6e34102..866838fe 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -715,3 +715,22 @@ interface(`systemd_tmpfilesd_managed',`
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+#######################################
+## <summary>
+## Allow domain to read resolv.conf file generated by systemd_resolved
+## </summary>
+## <param name="domain">
+## <summary>
+## domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_read_resolved_runtime',`
+ gen_require(`
+ type systemd_resolved_var_run_t;
+ ')
+
+ read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+')
+
--
2.14.3
On 04/16/2018 04:07 PM, Dave Sugar via refpolicy wrote:
> With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
> Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.
>
> type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/sysnetwork.if | 2 ++
> policy/modules/system/systemd.if | 19 +++++++++++++++++++
> 2 files changed, 21 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index a53122b1..1f7cf460 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -348,6 +348,8 @@ interface(`sysnet_read_config',`
> files_search_etc($1)
> allow $1 net_conf_t:file read_file_perms;
>
> + systemd_read_resolved_runtime($1)
> +
> ifdef(`distro_debian',`
> files_search_pids($1)
> allow $1 net_conf_t:dir list_dir_perms;
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index f6e34102..866838fe 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -715,3 +715,22 @@ interface(`systemd_tmpfilesd_managed',`
>
> allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> ')
> +
> +#######################################
> +## <summary>
> +## Allow domain to read resolv.conf file generated by systemd_resolved
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_resolved_runtime',`
> + gen_require(`
> + type systemd_resolved_var_run_t;
> + ')
> +
> + read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +')
> +
Merged.
--
Chris PeBenito