Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 497752

Summary: resolv.conf created with incorrect label if /etc/resolv.conf is a symlink to /run/resolv.conf
Product: Gentoo Linux Reporter: Dustin C. Hatch <dustin>
Component: SELinuxAssignee: SE Linux Bugs <selinux>
Status: RESOLVED WONTFIX    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Dustin C. Hatch 2014-01-11 02:42:56 UTC 
My servers have / mounted read-only and use DHCP for network configuration. As such, /etc/resolv.conf is a symlink to /run/resolv.conf so that the DHCP client can write to it. This does not work with SELinux enabled because the file gets created with an incorrect label (dhcpc_var_run_t instead of net_conf_t). I am new to SELinux, but I think this is caused by this block in sysnetwork.te:

# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })

I am also not sure how I can override those settings for just resolv.conf without also labelling the actual pid file with net_conf_t.

I have created a file context definition for this file, however it does not apply unless I manually run `restorecon /run/resolv.conf`:

/var/run/resolv.conf    system_u:object_r:net_conf_t


Reproducible: Always

Steps to Reproduce:
1. ln -snf /run/resolv.conf /etc/resolv.conf
2. rm -f /run/resolv.conf
3. set SELINUX=enforcing and SELINUXTYPE=strict
4. Start a net.* script with DHCP configuration
Actual Results:  
-rw-r--r--. 1 root root system_u:object_r:dhcpc_var_run_t 237 Jan 10 20:40 /run/resolv.conf


Expected Results:  
-rw-r--r--. 1 root root system_u:object_r:net_conf_t 237 Jan 10 20:40 /run/resolv.conf


Portage 2.2.7 (hardened/linux/amd64/no-multilib/selinux, gcc-4.7.3, glibc-2.17, 3.11.7-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.11.7-hardened-r1-x86_64-QEMU_Virtual_CPU_version_1.5.3-with-gentoo-2.2
KiB Mem:     1020880 total,    645988 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Fri, 10 Jan 2014 07:30:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r3, 3.3.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=amdfam10 -mtune=amdfam10 -mcx16 -msahf -mpopcnt -mabm 	--param l1-cache-size=64 --param l1-cache-line-size=64 	--param l2-cache-size=512"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=amdfam10 -mtune=amdfam10 -mcx16 -msahf -mpopcnt -mabm 	--param l1-cache-size=64 --param l1-cache-line-size=64 	--param l2-cache-size=512"
DISTDIR="/var/cache/portage/distfiles"
EMERGE_DEFAULT_OPTS="--usepkg --jobs --load-average=3 --quiet-fail=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distcc distcc-pump distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/var/cache/portage/binpkgs/default-linux/amd64/amdfam10"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/cache/portage/tree"
PORTDIR_OVERLAY=""
USE="3dnow 3dnowext amd64 bash-completion bzip2 caps cli cracklib crypt cxx dri filecaps hardened iconv ipv6 justify kerberos mmx mmxext modules mudflap ncurses nls nptl open_perms openmp pam pax_kernel pcre readline selinux session sse sse2 ssl tcpd unicode urandom zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON
Comment 1 Dustin C. Hatch 2014-01-13 03:35:01 UTC 
With SwifT's help, I created the following policy to correct the issue:

policy_module(localpolicy, 1.0)

gen_require(`
  type dhcpc_t;
  type var_run_t;
  type net_conf_t;
')

filetrans_pattern(dhcpc_t, var_run_t, net_conf_t, file, "resolv.conf");
filetrans_pattern(dhcpc_t, var_run_t, net_conf_t, file, "ntp.conf");

Since most people don't have the /etc/resolv.conf -> /run/resolv.conf symlink, we deemed it not necessary to add to Gentoo's default policy. Leaving it here, though, for future reference.