From: dsugar@tresys.com (Dave Sugar) Date: Wed, 11 Apr 2018 17:35:51 -0400 Subject: [refpolicy] [PATCH 1/1] Interface to read /run/systemd/resolve/resolv.conf Message-ID: <20180411213551.14756-1-dsugar@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com With systemd /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to DNS lookup to read this file. I was seeing the following denials when using DNS. This should resolve the problem on the whole system. type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file Signed-off-by: Dave Sugar --- policy/modules/system/sysnetwork.if | 1 + policy/modules/system/systemd.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index a53122b1..d7cef330 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -755,6 +755,7 @@ interface(`sysnet_dns_name_resolve',` # This seems needed when the mymachines NSS module is used optional_policy(` systemd_read_machines($1) + systemd_resolved_read_resolv($1) ') ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index f6e34102..e0065ef5 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -715,3 +715,21 @@ interface(`systemd_tmpfilesd_managed',` allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; ') + +####################################### +## +## Allow domain to read resolv.conf file generated by systemd_resolved +## +## +## +## domain allowed access +## +## +# +interface(`systemd_resolved_read_resolv',` + gen_require(` + type systemd_resolved_var_run_t; + ') + + read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +') -- 2.14.3