net-dns/openresolv is a tool that manages /etc/resolv.conf when many different things try to add DNS servers. NetworkManager starts properly and gets an IP address, but nothing gets written to /etc/resolv.conf. I needed to add the following labels because its original label was not allowed write access to /etc/resolv.conf:

/sbin/resolvconf -- system_u:object_r:NetworkManager_exec_t
/var/run/resolvconf(/.*)? system_u:object_r:NetworkManager_var_run_t

I am not sure if something like resolvconf should have its own domain since it can be called from many places, but it seems to work when I used the NetworkManager domain, and things like wpa_supplicant are labelled as NetworkManager too.

Reproducible: Always

Steps to Reproduce:
1. enable the "resolvconf" USE-flag
2. emerge net-misc/networkmanager and it will also pull in net-dns/openresolv
3. start NetworkManager and connect to a network
4. ping 8.8.8.8
5. ping google.com

Actual Results:
step 5 fails with host not found.

Expected Results:
both pings should succeed.
When /sbin/resolvconf is "just" bin_t (assuming that's its label), did you get any failures from NetworkManager trying to execute it? NetworkManager_t has execute rights on shells and binaries, so this shouldn't give any issue(s).

The /var/run/resolvconf(/.*)? one might be the culprit. What is this location used for by resolvconf? If it is directly used by resolvconf, then either we need to create a specific domain for resolvconf (and allow it to manage that location) or use a type that all network management domains can write to (which will not be easy to find).
> The /var/run/resolvconf(/.*)? one might be the culprit. What is this
> location used for by resolvconf?

Basically, the way resolvconf is used by different things (e.g. wifi and vpn):

echo "nameserver 8.8.8.8" | resolvconf -a wlan0

then later you turn on the vpn and you get something like:

echo "nameserver 192.168.1.1" | resolvconf -a tun0

It uses all the information to build /etc/resolv.conf; later, when tun0 is taken down, it still knows about the previous DNS servers so you don't end up with an empty resolv.conf. In this case you get the following files (among a couple other minor things):

/var/run/resolvconf/interfaces/{wlan0,tun0}

Nothing else needs to be able to access those files, only resolvconf. Ideally I think a new label is the best, but I did notice that things like wpa_supplicant were labelled with NetworkManager_exec_t too, so I thought perhaps that was the standard way to label things.
Created attachment 379512
resolvconf.te (type enforcement settings) plus other domain calls

Type enforcement module for openresolv. It currently calls dhcpc_t directly as a matter of testing, but I will make the policy support resolvconf_client attributes instead later (after more testing).
Created attachment 379514
resolvconf.if (interface definitions)

Interface definitions to be exported. Still needs to be enhanced with a resolvconf_client() and resolvconf_client_perms() method.
Created attachment 379516
resolvconf.fc (file context definitions)

File context definitions for openresolv.
The attached files are just an intermediate result of some light policy development. I still need to do further testing and validation, and make a proper client domain so that clients can just call "openresolv_client(mydomain_t)" or "openresolv_client_perms(mydomain_t)" instead of having the various interfaces called. Also, users running "resolvconf -l" or "resolvconf -u" are currently not supported yet (the application in the current policy is only allowed to be called by the clients), which also needs to happen. Minor changes, but it's late here, so I'm just informing you guys about the progress.
Created attachment 379662
resolvconf.if (interface definitions)

Updated interface. Important ones to consider:

resolvconf_client_domain() to assign to the services that will call resolvconf. For instance:

resolvconf_client_domain(dhcpc_t)

There is also a resolvconf_client_domain_privs() in case you need to selectively apply this (within a tunable_policy statement).

resolvconf_exec() to assign to the user domain. It allows the user to execute resolvconf (without transition).

I'm not sure if we need to have a resolvconf_role() for now, but we can add that in later.
Created attachment 379664
resolvconf.te (type enforcement settings) plus other domain calls

Updated .te file, now includes resolvconf_client attribute.
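The following is an added sketch of what the three policy files discussed in this thread look like when resolvconf gets its own domain instead of the NetworkManager_exec_t label from the original report. It is not the content of the attachments above and not the sec-policy/selinux-resolvconf package as shipped; it only reuses the names the comments mention (the resolvconf_client attribute, resolvconf_client_domain() and resolvconf_exec()). Every rule body, the resolvconf_t/resolvconf_exec_t/resolvconf_var_run_t type names and the resolvconf_domtrans() interface are my assumptions. The macros used (domtrans_pattern, sysnet_manage_config, files_pid_filetrans, application_domain, can_exec) are standard reference-policy ones, but check them against the refpolicy version in use.

```selinux
# Added illustration, not the thread's attachments; all rule bodies are assumptions.

# --- resolvconf.te ---
policy_module(resolvconf, 0.1)

# Domains that may pipe nameserver lists into "resolvconf -a/-d <iface>"
attribute resolvconf_client;

type resolvconf_t;
type resolvconf_exec_t;
application_domain(resolvconf_t, resolvconf_exec_t)

# Per-interface state kept under /var/run/resolvconf/interfaces/{wlan0,tun0,...}
type resolvconf_var_run_t;
files_pid_file(resolvconf_var_run_t)

# resolvconf is a shell script: it needs a shell, coreutils and its own state dir
corecmd_exec_shell(resolvconf_t)
corecmd_exec_bin(resolvconf_t)
files_read_etc_files(resolvconf_t)
kernel_read_system_state(resolvconf_t)

manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, dir)

# Only this domain rewrites /etc/resolv.conf (net_conf_t), so the callers
# (NetworkManager, dhcpc, ...) no longer need write access to it themselves.
sysnet_manage_config(resolvconf_t)
sysnet_etc_filetrans_config(resolvconf_t)

# Clients transition into resolvconf_t and hand it the nameserver list on stdin
domtrans_pattern(resolvconf_client, resolvconf_exec_t, resolvconf_t)
allow resolvconf_t resolvconf_client:fd use;
allow resolvconf_t resolvconf_client:fifo_file rw_fifo_file_perms;
allow resolvconf_t resolvconf_client:process sigchld;

# --- resolvconf.fc ---
/sbin/resolvconf           --  gen_context(system_u:object_r:resolvconf_exec_t,s0)
/var/run/resolvconf(/.*)?      gen_context(system_u:object_r:resolvconf_var_run_t,s0)

# --- resolvconf.if ---
## <summary>openresolv, a manager for /etc/resolv.conf</summary>

## <summary>Execute resolvconf with a transition to resolvconf_t.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
interface(`resolvconf_domtrans',`
	gen_require(`
		type resolvconf_t, resolvconf_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, resolvconf_exec_t, resolvconf_t)
')

## <summary>Mark a domain as a resolvconf client, e.g. resolvconf_client_domain(dhcpc_t).</summary>
## <param name="domain"><summary>Domain that calls resolvconf.</summary></param>
interface(`resolvconf_client_domain',`
	gen_require(`
		attribute resolvconf_client;
	')
	corecmd_search_bin($1)
	typeattribute $1 resolvconf_client;
')

## <summary>Let a user domain run resolvconf in its own domain (no transition).</summary>
## <param name="domain"><summary>User domain.</summary></param>
interface(`resolvconf_exec',`
	gen_require(`
		type resolvconf_exec_t;
	')
	corecmd_search_bin($1)
	can_exec($1, resolvconf_exec_t)
')
```

Split the three sections into resolvconf.te, resolvconf.fc and resolvconf.if, build the module with the refpolicy Makefile (on Gentoo, `make -f /usr/share/selinux/<policytype>/include/Makefile resolvconf.pp`), load it with `semodule -i resolvconf.pp` and run `restorecon -Rv /sbin/resolvconf /var/run/resolvconf`. With the client attribute applied to NetworkManager_t and dhcpc_t, `ls -Z /etc/resolv.conf` should stay net_conf_t while `ps -Z` during a `resolvconf -a` call shows resolvconf_t, and the /var/run/resolvconf denials from the original report should no longer appear in the audit log.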
Policy is in live repository, sec-policy/selinux-resolvconf package is available. Support in networkmanager and dhcpc_t is also added to the policy (you'll need to rebuild selinux-base and selinux-base-policy first before selinux-networkmanager).
r4 is in the tree
r5 is stable