From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 May 2016 11:11:00 -0400
Subject: [refpolicy] resolv.conf managed by NetworkManager or networkd
In-Reply-To: <8eb3ec05-9937-d097-1cc7-52de9e459586@debian.org>
References: <8eb3ec05-9937-d097-1cc7-52de9e459586@debian.org>
Message-ID: <9d9714a8-b8e7-2fc3-36f3-0cfd22e56664@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/26/2016 9:49 AM, Laurent Bigonville wrote:
> Hello,
> 
> On systems running NetworkManager or systemd-networkd, the resolv.conf 
> file is managed by that daemon and written in some private directory 
> (/var/run/NetworkManager or /run/systemd/resolve/). A symlink 
> /etc/resolv.conf is then created.
> 
> That means that application should be able to read a file that will be 
> labeled as NetworkManager_var_run_t (or some other private type for 
> networkd). One of the idea what to modify the sysnet_read_config() 
> interface but this lead to compilation is due to boolean/optional policy 
> mix.
> 
> An idea how to fix that?

>From doing a little searching, I assume the problem is with
sysnet_read_config() being in the allow_ypbind conditional?  It would
put an optional inside a conditional, which isn't allowed by the compiler.

Is a named filetrans impossible to work for this situation, so when the
two services create it the file it still ends up net_conf_t?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com