From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 17 Apr 2018 20:15:15 -0400
Subject: [refpolicy] [PATCH-v2 1/1] Interface to read
 /run/systemd/resolve/resolv.conf
In-Reply-To: <20180416200753.10186-1-dsugar@tresys.com>
References: <20180416200753.10186-1-dsugar@tresys.com>
Message-ID: <8b959e99-24c1-a056-5b80-1e9621a4d1b7@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/16/2018 04:07 PM, Dave Sugar via refpolicy wrote:
> With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
> Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.
> 
> type=AVC msg=audit(1523455881.596:214): avc:  denied  { search } for  pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1523455881.596:214): avc:  denied  { read } for  pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> type=AVC msg=audit(1523455881.596:214): avc:  denied  { open } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> type=AVC msg=audit(1523455881.596:215): avc:  denied  { getattr } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/sysnetwork.if |  2 ++
>   policy/modules/system/systemd.if    | 19 +++++++++++++++++++
>   2 files changed, 21 insertions(+)
> 
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index a53122b1..1f7cf460 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -348,6 +348,8 @@ interface(`sysnet_read_config',`
>   	files_search_etc($1)
>   	allow $1 net_conf_t:file read_file_perms;
>   
> +	systemd_read_resolved_runtime($1)
> +
>   	ifdef(`distro_debian',`
>   		files_search_pids($1)
>   		allow $1 net_conf_t:dir list_dir_perms;
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index f6e34102..866838fe 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -715,3 +715,22 @@ interface(`systemd_tmpfilesd_managed',`
>   
>   	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
>   ')
> +
> +#######################################
> +## <summary>
> +##  Allow domain to read resolv.conf file generated by systemd_resolved
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##  domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_resolved_runtime',`
> +	gen_require(`
> +		type systemd_resolved_var_run_t;
> +	')
> +
> +	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +')
> +

Merged.

-- 
Chris PeBenito