From: dsugar@tresys.com (Dave Sugar) Date: Mon, 16 Apr 2018 16:07:53 -0400 Subject: [refpolicy] [PATCH-v2 1/1] Interface to read /run/systemd/resolve/resolv.conf Message-ID: <20180416200753.10186-1-dsugar@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file. Please note, this can't be in optional due to tunable_policy in nis_authenticate interface. type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file Signed-off-by: Dave Sugar --- policy/modules/system/sysnetwork.if | 2 ++ policy/modules/system/systemd.if | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index a53122b1..1f7cf460 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -348,6 +348,8 @@ interface(`sysnet_read_config',` files_search_etc($1) allow $1 net_conf_t:file read_file_perms; + systemd_read_resolved_runtime($1) + ifdef(`distro_debian',` files_search_pids($1) allow $1 net_conf_t:dir list_dir_perms; diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index f6e34102..866838fe 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -715,3 +715,22 @@ interface(`systemd_tmpfilesd_managed',` allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; ') + +####################################### +## +## Allow domain to read resolv.conf file generated by systemd_resolved +## +## +## +## domain allowed access +## +## +# +interface(`systemd_read_resolved_runtime',` + gen_require(` + type systemd_resolved_var_run_t; + ') + + read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +') + -- 2.14.3