From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 17 Apr 2018 20:15:15 -0400 Subject: [refpolicy] [PATCH-v2 1/1] Interface to read /run/systemd/resolve/resolv.conf In-Reply-To: <20180416200753.10186-1-dsugar@tresys.com> References: <20180416200753.10186-1-dsugar@tresys.com> Message-ID: <8b959e99-24c1-a056-5b80-1e9621a4d1b7@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/16/2018 04:07 PM, Dave Sugar via refpolicy wrote: > With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file. > Please note, this can't be in optional due to tunable_policy in nis_authenticate interface. > > type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir > type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file > type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file > type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file > > Signed-off-by: Dave Sugar > --- > policy/modules/system/sysnetwork.if | 2 ++ > policy/modules/system/systemd.if | 19 +++++++++++++++++++ > 2 files changed, 21 insertions(+) > > diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if > index a53122b1..1f7cf460 100644 > --- a/policy/modules/system/sysnetwork.if > +++ b/policy/modules/system/sysnetwork.if > @@ -348,6 +348,8 @@ interface(`sysnet_read_config',` > files_search_etc($1) > allow $1 net_conf_t:file read_file_perms; > > + systemd_read_resolved_runtime($1) > + > ifdef(`distro_debian',` > files_search_pids($1) > allow $1 net_conf_t:dir list_dir_perms; > diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if > index f6e34102..866838fe 100644 > --- a/policy/modules/system/systemd.if > +++ b/policy/modules/system/systemd.if > @@ -715,3 +715,22 @@ interface(`systemd_tmpfilesd_managed',` > > allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; > ') > + > +####################################### > +## > +## Allow domain to read resolv.conf file generated by systemd_resolved > +## > +## > +## > +## domain allowed access > +## > +## > +# > +interface(`systemd_read_resolved_runtime',` > + gen_require(` > + type systemd_resolved_var_run_t; > + ') > + > + read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) > +') > + Merged. -- Chris PeBenito