From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 May 2016 11:11:00 -0400
Subject: [refpolicy] resolv.conf managed by NetworkManager or networkd
In-Reply-To: <8eb3ec05-9937-d097-1cc7-52de9e459586@debian.org>
References: <8eb3ec05-9937-d097-1cc7-52de9e459586@debian.org>
Message-ID: <9d9714a8-b8e7-2fc3-36f3-0cfd22e56664@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/26/2016 9:49 AM, Laurent Bigonville wrote:
> Hello,
>
> On systems running NetworkManager or systemd-networkd, the resolv.conf
> file is managed by that daemon and written in some private directory
> (/var/run/NetworkManager or /run/systemd/resolve/). A symlink
> /etc/resolv.conf is then created.
>
> That means that applications should be able to read a file that will be
> labeled as NetworkManager_var_run_t (or some other private type for
> networkd). One idea was to modify the sysnet_read_config()
> interface, but this leads to compilation issues due to the boolean/optional
> policy mix.
>
> Any idea how to fix that?

From doing a little searching, I assume the problem is with sysnet_read_config() being in the allow_ypbind conditional? It would put an optional inside a conditional, which isn't allowed by the compiler.

Is a named filetrans impossible to work for this situation, so when the two services create the file it still ends up net_conf_t?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
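The named-filetrans approach Chris raises, written out as an added example; this is not refpolicy code and not a patch from either poster. It is a stand-alone local module, so the module name local_resolvconf is hypothetical, and it assumes the refpolicy type names NetworkManager_t, NetworkManager_var_run_t, systemd_resolved_t and systemd_resolved_var_run_t and the sysnet_manage_config() interface exist under those names on the target policy (adjust them to the distribution's NetworkManager and systemd modules if they differ). The point is that readers of net_conf_t never change: sysnet_read_config() stays inside whatever boolean block it is in today, and no optional block has to be added to it, because the daemon-created file gets net_conf_t at creation time rather than inheriting the daemon's private run-directory type.

```selinux
# local_resolvconf.te  (added example; hypothetical local module, not refpolicy's own)
policy_module(local_resolvconf, 1.0)

gen_require(`
	# assumed refpolicy type names; adjust to the installed policy
	type net_conf_t;
	type NetworkManager_t, NetworkManager_var_run_t;
	type systemd_resolved_t, systemd_resolved_var_run_t;
')

# NetworkManager_t creating a file literally named "resolv.conf" inside a
# NetworkManager_var_run_t directory (/run/NetworkManager) gets net_conf_t.
# The name match is exact, so the daemon's other private state in that
# directory still inherits NetworkManager_var_run_t as before.
filetrans_pattern(NetworkManager_t, NetworkManager_var_run_t, net_conf_t, file, "resolv.conf")

# The daemon still needs permission on the new type to write and replace it.
sysnet_manage_config(NetworkManager_t)

# Same transition for systemd-resolved writing /run/systemd/resolve/resolv.conf.
filetrans_pattern(systemd_resolved_t, systemd_resolved_var_run_t, net_conf_t, file, "resolv.conf")
sysnet_manage_config(systemd_resolved_t)

# No change to sysnet_read_config(): every domain that can already read
# net_conf_t, conditionally or not, can read the daemon-written file.

# local_resolvconf.fc  (added example)
# Keep restorecon/relabel consistent with the run-time transition, otherwise a
# relabel would flip the file back to the directory's private type.
/run/NetworkManager/resolv\.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
/run/systemd/resolve/resolv\.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
```

After loading the module, a quick check that the transition is in the loaded policy is `sesearch -T -s NetworkManager_t -t NetworkManager_var_run_t -c file`, which should list a type_transition to net_conf_t with the name "resolv.conf"; once the daemon has rewritten the file, `ls -Z /run/NetworkManager/resolv.conf` should show net_conf_t while `ls -Z /run/NetworkManager` itself still shows the private type. The one caveat is that a named transition only fires when the daemon creates the file in that directory; a daemon that creates a temporary name and renames it over resolv.conf keeps the temporary file's label, and the rename target must then be covered separately (for example by the .fc entry above plus a relabel, or by a transition on the temporary name the daemon actually uses).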