[Resolvconf-devel] Bug#850783: resolvconf: needs to set correct SE Linux context on created directories and files
Russell Coker
russell at coker.com.au
Tue Jan 10 05:14:35 UTC 2017
Package: resolvconf
Version: 1.79
Severity: normal
Tags: patch
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740685
I've written SE Linux policy to fix the above bug, but two small changes to
resolvconf itself are also needed.
# systemd-tmpfiles fragment; columns are: type, path, mode, owner, group, age
# ("-" means the entry is never aged out). Letting systemd-tmpfiles create
# these paths at boot is what gives them the SE Linux label the loaded policy
# assigns, instead of whatever label the init script's mkdir would produce.
d /run/resolvconf 0755 root root -
d /run/resolvconf/interface 0755 root root -
# NOTE(review): an "f" entry creates an empty file when the path is absent, so
# both files below will exist at boot before resolvconf has written anything.
# Verify that an empty resolv.conf and a pre-existing enable-updates flag are
# acceptable here -- on the SysV path further down the start action removes
# them and presumably recreates enable-updates through "resolvconf
# --enable-updates".
f /run/resolvconf/resolv.conf 644 root root -
f /run/resolvconf/enable-updates 644 root root -
A file named /usr/lib/tmpfiles.d/resolvconf.conf with contents like the above
makes systemd-tmpfiles create the run-time directories and files at boot with
the SE Linux context the policy assigns to them. It also removes the need for
the mkdir in the ExecStartPre line of /lib/systemd/system/resolvconf.service.
This works for me on one of my test systems.
A patch like the one below should make this work on SysVInit as well. On systems
without SE Linux, /sbin/restorecon is absent and the added lines are skipped.
--- /etc/init.d/resolvconf.orig 2017-01-10 04:15:38.668000000 +0000
+++ /etc/init.d/resolvconf 2017-01-10 04:31:47.140000000 +0000
@@ -60,10 +60,14 @@
# Create directory at the target
mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 "Error creating directory $RUN_CANONICALDIR"
fi
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$RUN_CANONICALDIR"
+
# The resolvconf run directory now exists.
if [ ! -d "${RUN_DIR}/interface" ] ; then
mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 "Error creating directory ${RUN_DIR}/interface"
fi
+ [ -x /sbin/restorecon ] && /sbin/restorecon "${RUN_DIR}/interface" "${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates
+
# The interface directory now exists. We are done.
return
}
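Review bot: The second added restorecon line has unbalanced quotes: `"${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates` closes the string after the trailing space, so the two file paths are glued into one argument and restorecon is handed a single path that does not exist. Those two files cannot be present here anyway on the start path shown lower on this page (wipe_runtime_directories runs first, and the enable-updates flag is not touched again until `resolvconf --enable-updates` runs afterwards), so `[ -x /sbin/restorecon ] && /sbin/restorecon "${RUN_DIR}/interface"` is all that is needed. The first added line reads `$RUN_CANONICALDIR`, which is assigned only inside the preceding `if [ ! -d "$RUN_DIR" ]` branch, so whenever the run directory already exists restorecon is invoked with an empty argument; `"${RUN_CANONICALDIR:-$RUN_DIR}"` covers both cases (confirm that relabelling the symlink itself, rather than its target, is intended when $RUN_DIR is a link). Because a bare `return` reports the status of the last command, the trailing `[ -x /sbin/restorecon ] && ...` now makes create_runtime_directories return 1 on every system without restorecon, contrary to the "no effect" claim, so the function should end with `return 0`. create_runtime_directories begins before this hunk, and its only visible caller ignores the return status.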
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages resolvconf depends on:
ii debconf [debconf-2.0] 1.5.59
ii ifupdown 0.8.16
ii init-system-helpers 1.46
ii lsb-base 9.20161125
resolvconf recommends no packages.
resolvconf suggests no packages.
-- Configuration Files:
/etc/init.d/resolvconf changed:
# Nothing to do when the resolvconf program itself is not installed.
if [ ! -x /sbin/resolvconf ] ; then
    exit 0
fi
PATH=/sbin:/bin
# Run-time state directory (may be a symlink; see create_runtime_directories).
RUN_DIR=/etc/resolvconf/run
# Flag files living in the run-time directory.
ENABLE_UPDATES_FLAGFILE="${RUN_DIR}/enable-updates"
POSTPONED_UPDATE_FLAGFILE="${RUN_DIR}/postponed-update"
# LSB helpers: log_action_begin_msg, log_action_end_msg, init_is_upstart, ...
. /lib/lsb/init-functions
# When running under upstart, refuse to start (status 1) and treat stop as
# already done (status 0); presumably an upstart job handles resolvconf there.
case "$1" in
    start|restart|force-reload)
        if init_is_upstart ; then
            exit 1
        fi
        ;;
    stop)
        if init_is_upstart ; then
            exit 0
        fi
        ;;
esac
# Finish the current LSB action message with status $1 (and the optional
# detail text $2, passed on only when non-empty), then terminate the whole
# script with that same status.
log_action_end_msg_and_exit()
{
    if [ -n "$2" ] ; then
        log_action_end_msg "$1" "$2"
    else
        log_action_end_msg "$1"
    fi
    exit $1
}
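# Reset the SE Linux label of the given paths to what the loaded policy
# specifies. A no-op where /sbin/restorecon is not installed. Callers ignore
# the status: a relabel problem is reported by restorecon but is not fatal.
restore_context()
{
    [ -x /sbin/restorecon ] || return 0
    /sbin/restorecon "$@"
}

# Make sure $RUN_DIR (directly, or through a symlink) and its interface/
# subdirectory exist and carry the SE Linux label the policy assigns them.
# Reads:  RUN_DIR
# Writes: RUN_CANONICALDIR (the directory $RUN_DIR resolves to)
# Terminates the script with status 1 through log_action_end_msg_and_exit
# when the run directory cannot be created; otherwise returns 0.
create_runtime_directories()
{
    umask 022
    if [ ! -d "$RUN_DIR" ] ; then
        [ -L "$RUN_DIR" ] || log_action_end_msg_and_exit 1 "$RUN_DIR is neither a directory nor a symbolic link"
        # It's a symlink whose target is not a directory: create the target,
        # not the link.
        { RUN_CANONICALDIR="$(readlink -f "$RUN_DIR")" && [ "$RUN_CANONICALDIR" ] ; } || log_action_end_msg_and_exit 1 "Canonical path of the run directory could not be determined"
        mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 "Error creating directory $RUN_CANONICALDIR"
    else
        # Already a directory (possibly reached through a symlink). Resolve it
        # so the real directory, not the link, is relabelled below; the
        # original patch left RUN_CANONICALDIR unset on this branch.
        RUN_CANONICALDIR="$(readlink -f "$RUN_DIR")"
        [ "$RUN_CANONICALDIR" ] || RUN_CANONICALDIR="$RUN_DIR"
    fi
    # The run directory now exists; label it whether or not we created it.
    restore_context "$RUN_CANONICALDIR"
    if [ ! -d "${RUN_DIR}/interface" ] ; then
        mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 "Error creating directory ${RUN_DIR}/interface"
    fi
    # Only the interface directory is relabelled here. resolv.conf and the
    # enable-updates flag were just removed by wipe_runtime_directories in the
    # start sequence and are not recreated until after this function returns,
    # so listing them (as the original patch did, with mismatched quotes)
    # would only make restorecon complain about a missing path.
    restore_context "${RUN_DIR}/interface"
    # Explicit status so the restorecon availability test cannot leak into
    # the function's return value.
    return 0
}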
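# Remove the run-time state files and every per-interface record, but keep the
# run directory and its interface/ subdirectory themselves (the caller wipes
# in case they are not on a tmpfs and stale content survived a reboot).
# Reads: RUN_DIR, ENABLE_UPDATES_FLAGFILE, POSTPONED_UPDATE_FLAGFILE
# Returns non-zero only when $RUN_DIR does not exist (nothing to wipe).
wipe_runtime_directories()
{
    [ -d "$RUN_DIR" ] || return
    rm -f -- "${RUN_DIR}/resolv.conf"
    rm -f -- "$ENABLE_UPDATES_FLAGFILE"
    rm -f -- "$POSTPONED_UPDATE_FLAGFILE"
    # The glob must stay outside the quotes: a quoted "*" is a literal file
    # name, which left every interface record in place in the original.
    # ${RUN_DIR:?} refuses to run with an empty variable (never "rm -rf /*").
    rm -rf -- "${RUN_DIR:?}"/interface/*
    return 0
}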
# The two operations shared by several actions below. Each one ends the
# current LSB action message and terminates the script on failure.
enable_updates_or_die()
{
    resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
}

disable_updates_or_die()
{
    resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates"
}

# Action dispatch. Every arm terminates the script itself.
case "$1" in
    start)
        # Boot-time setup only (not for package upgrades): clear any stale
        # run-time state, recreate the directories (they may be on a tmpfs),
        # queue a postponed update so a non-empty base file is applied, then
        # enable updates, which performs the queued update.
        log_action_begin_msg "Setting up resolvconf"
        wipe_runtime_directories
        create_runtime_directories
        :> "$POSTPONED_UPDATE_FLAGFILE" || log_action_end_msg_and_exit 1 "failed requesting update"
        enable_updates_or_die
        log_action_end_msg_and_exit 0
        ;;
    stop)
        # Shutdown-time only: stop accepting updates.
        log_action_begin_msg "Stopping resolvconf"
        disable_updates_or_die
        log_action_end_msg_and_exit 0
        ;;
    restart)
        log_action_begin_msg "Restarting resolvconf"
        enable_updates_or_die
        log_action_end_msg_and_exit 0
        ;;
    reload|force-reload)
        resolvconf -u || log_action_end_msg_and_exit 1 "failed to update"
        exit 0
        ;;
    enable-updates)
        enable_updates_or_die
        exit 0
        ;;
    disable-updates)
        disable_updates_or_die
        exit 0
        ;;
    status)
        if resolvconf --updates-are-enabled ; then
            log_success_msg "resolvconf updates are enabled"
        else
            log_failure_msg "resolvconf updates are disabled"
        fi
        exit 0
        ;;
    *)
        echo "Usage: /etc/init.d/resolvconf {start|stop|restart|reload|force-reload|enable-updates|disable-updates|status}" >&2
        exit 3
        ;;
esac
# Not reachable: every arm above exits.
exit 99
-- debconf information:
resolvconf/reboot-recommended-after-removal:
resolvconf/link-tail-to-original: false
resolvconf/downup-interfaces:
resolvconf/linkify-resolvconf: true