[DSE-Dev] Bug#740685: selinux-policy-default: incompatible with resolvconf
Zack Weinberg
zackw at panix.com
Tue Mar 4 02:54:15 UTC 2014
Package: selinux-policy-default
Version: 2:2.20140206-1
Severity: normal
The SELinux policy doesn't understand resolvconf. It doesn't appear to
throw any sort of AVC denial on the operation of resolvconf *itself*
(probably because it does all its work from uber-privileged init.d and
DHCP hook scripts, at least on my system) but it cannot handle what
resolvconf *does to /etc/resolv.conf*:
# ls -lZd /etc /etc/resolv.conf /etc/resolvconf /etc/resolvconf/run /run /run/resolvconf /run/resolvconf/resolv.conf
drwxr-xr-x. 70 root root system_u:object_r:etc_t:SystemLow 4096 Mar 2 21:44 /etc
drwxr-xr-x. 4 root root system_u:object_r:etc_t:SystemLow 4096 Oct 1 17:38 /etc/resolvconf
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 31 Oct 1 17:38 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 15 Oct 1 17:38 /etc/resolvconf/run -> /run/resolvconf
drwxr-xr-x. 15 root root system_u:object_r:var_run_t:SystemLow 600 Mar 4 02:33 /run
drwxr-xr-x. 3 root root system_u:object_r:var_run_t:SystemLow 100 Mar 4 02:33 /run/resolvconf
-rw-r--r--. 1 root root system_u:object_r:initrc_var_run_t:SystemLow 172 Mar 4 02:33 /run/resolvconf/resolv.conf
Note the absence of 'net_conf_t'. After substantial fiddling I have not
even been able to figure out a set of modified type-labels that will
make the various daemons that need resolv.conf happy. Changing both
/run/resolvconf/resolv.conf and the /etc/resolv.conf symlink back to
net_conf_t almost does the trick, but I'm left with e.g.
avc: denied { read } for pid=3675 comm="ntpd" name="resolv.conf" dev=xvda ino=27841 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
.... because the rules for ntpd say it can read net_conf_t *files*,
but not *symlinks*. Sigh. Surely there is a way to patch this
at the semanage level, without having to change the definition of
a whole bunch of sysnet_* interfaces and regenerate the entire policy?
Moreover, I'm not at all sure how to write the rules that ensure that
the file and the symlink *stay* labeled net_conf_t. Override rules
of the form
/etc/resolv\.conf.* all files system_u:object_r:net_conf_t:s0
/var/run/resolvconf(/.*) all files system_u:object_r:net_conf_t:s0
are not enough; the files keep getting created as (depending on exactly
how you test) initrc_var_run_t, etc_t, or dhcp_something_t. I'm not
shy of writing my own module, but I don't even know where to start.
(Why would you want to use resolvconf on a SELinux-locked-down
server? Because you are also running unbound in forwarding mode;
unbound+resolvconf+dhclient seamlessly arrange for all local DNS requests
to go through unbound and therefore be DNSSECified ... as far as DAC is
concerned, anyway.)
zw
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
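As an added illustration (not from the report or the selinux-policy package), the check below does for the `ls -lZd` listing above what `restorecon -nv` would do on the live system, given the two override rules the report proposes. It assumes that /run is an alias of /var/run and that the last matching file-context rule wins.

```python
import re

# Constructed input: the `ls -lZd` lines quoted in the report, one entry per line.
LS_OUTPUT = """\
drwxr-xr-x. 70 root root system_u:object_r:etc_t:SystemLow 4096 Mar 2 21:44 /etc
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 31 Oct 1 17:38 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 15 Oct 1 17:38 /etc/resolvconf/run -> /run/resolvconf
drwxr-xr-x. 3 root root system_u:object_r:var_run_t:SystemLow 100 Mar 4 02:33 /run/resolvconf
-rw-r--r--. 1 root root system_u:object_r:initrc_var_run_t:SystemLow 172 Mar 4 02:33 /run/resolvconf/resolv.conf
"""

# The report's override rules as (regex, expected type). The second pattern has
# `(/.*)` without `?`, so it does not cover the /var/run/resolvconf directory itself.
FCONTEXT_RULES = [
    (r"/etc/resolv\.conf.*", "net_conf_t"),
    (r"/var/run/resolvconf(/.*)", "net_conf_t"),
]
# Assumption: /run is treated as an alias of /var/run (file_contexts.subs_dist does this).
PATH_SUBS = {"/run": "/var/run"}
# ls -lZ columns: mode links owner group context size month day time path [-> target]
LS_RE = re.compile(r"^(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)")

def parse_ls(text):
    """Yield (path, selinux_type) for each `ls -lZ` line."""
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            yield m["path"], m["ctx"].split(":")[2]

def canonical(path):
    """Rewrite aliased prefixes so /run/... is matched as /var/run/..."""
    for alias, real in PATH_SUBS.items():
        if path == alias or path.startswith(alias + "/"):
            return real + path[len(alias):]
    return path

def expected_type(path):
    """Type the rules demand for path; the last matching rule wins, None if none match."""
    hit = None
    for pattern, typ in FCONTEXT_RULES:
        if re.fullmatch(pattern, canonical(path)):
            hit = typ
    return hit

def find_mislabeled(ls_text):
    """(path, current_type, expected_type) for entries a relabel would change."""
    return [(p, cur, expected_type(p)) for p, cur in parse_ls(ls_text)
            if expected_type(p) not in (None, cur)]
```

A relabel only fixes files that already exist; a freshly written /run/resolvconf/resolv.conf gets its type from the writing domain's type transitions, not from file_contexts, which is why the label keeps reverting after each hook run.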