From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 26 May 2016 16:32:57 +0200
Subject: [refpolicy] resolv.conf managed by NetworkManager or networkd
In-Reply-To: <8eb3ec05-9937-d097-1cc7-52de9e459586@debian.org>
References: <8eb3ec05-9937-d097-1cc7-52de9e459586@debian.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/26/2016 03:49 PM, Laurent Bigonville wrote:
> Hello,
>
> On systems running NetworkManager or systemd-networkd, the
> resolv.conf file is managed by that daemon and written in some
> private directory (/var/run/NetworkManager or
> /run/systemd/resolve/). A symlink /etc/resolv.conf is then
> created.
>
> That means that applications should be able to read a file that will
> be labeled as NetworkManager_var_run_t (or some other private type
> for networkd). One of the ideas was to modify the
> sysnet_read_config() interface but this lead to compilation is due
> to boolean/optional policy mix.
>
> An idea how to fix that?
>

Yes, go down the rabbit hole and make it so that you can have
optionals in the sysnet_read_config() interface.

Because sysnet config can be in:

1. /etc/resolv.conf
2. /var/run/systemd/systemd-resolved/resolv.conf
3. /var/run/NetworkManager/resolv.conf

Start by identifying the conflicts. When you have them all commented
out, and have the compiler happy, start thinking about alternate ways
to get the commented functionality to work in an acceptable manner.

It will probably be tough to get this sorted out, but I think it is
probably inevitable.

> Cheers,
>
> Laurent Bigonville
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
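The following is an added example, not part of the original message or of refpolicy: a check that reports which of the locations named in the thread /etc/resolv.conf actually points to, and the SELinux label a confined reader would need access to. The function names and the `root` parameter (a directory prefix for inspecting an unpacked image or a test tree) are hypothetical, and /var/run is assumed to be the usual compatibility symlink to /run.

```python
import os

# Private directories named in the thread (after /var/run -> /run), with their owner.
MANAGED_DIRS = {
    "/run/NetworkManager": "NetworkManager",
    "/run/systemd/resolve": "systemd",
    "/run/systemd/systemd-resolved": "systemd",
}

def _normalize(path):
    # Assumption: /var/run is a symlink to /run, so both spellings name one place.
    if path.startswith("/var/run/"):
        return "/run" + path[len("/var/run"):]
    return path

def selinux_label(path):
    """Return the security.selinux xattr of path, or None if it cannot be read."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # no label, no xattr support, or not Linux
        return None
    return raw.rstrip(b"\0").decode()

def classify_resolv_conf(link="/etc/resolv.conf", root=""):
    """Follow the resolv.conf symlink and report the real file, its owner and label."""
    path = link
    for _ in range(8):  # bounded, so a symlink loop cannot hang the check
        real = root + path
        if not os.path.islink(real):
            break
        target = os.readlink(real)
        # Relative targets are resolved against the directory holding the link.
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
    else:
        raise OSError("too many levels of symbolic links: " + link)
    label = selinux_label(root + path)
    path = _normalize(path)
    owner = next((name for d, name in MANAGED_DIRS.items()
                  if path.startswith(d + "/")), None)
    return {"path": path, "managed_by": owner, "label": label}

if __name__ == "__main__":
    info = classify_resolv_conf()
    print("resolv.conf resolves to", info["path"])
    print("managed by:", info["managed_by"] or "nobody (plain file)")
    print("label readers need:", info["label"] or "unavailable")
```

When `managed_by` is not None, the reported label is the private type that a domain calling sysnet_read_config() would also have to be allowed to read.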