| 1 |
On Wed, Apr 19, 2017 at 02:12:36PM +0100, Robert Sharp wrote: |
| 2 |
> I had a problem with Dnsmasq that led to my last post on understanding |
| 3 |
> where policies come from. Now that I know and have had dnsmasq |
| 4 |
> comfortably running with udp comms to unbound on port 553, I have run |
| 5 |
> into the original problem that I thought I had caused. |
| 6 |
> |
| 7 |
> I suppose I did cause it, but not in the way I imagined. I was awash |
| 8 |
> again with AVCs from dnsmasq, but this time I took a closer look and |
| 9 |
> realised the source context was not as expected. Instead of running in |
| 10 |
> dnsmasq_t, it was running in resolvconf_t. I checked the binary and that |
| 11 |
> was as expected so I restarted using run_init just to see if that was |
| 12 |
> the problem, and it was! So now dnsmasq is running in the correct |
| 13 |
> context, but how did it ever get to resolvconf_t? Surely if I had |
| 14 |
> restarted it without using run_init then it would have been in sysadm_t? |
| 15 |
> |
| 16 |
> One possibility is that it got into this context when my interface went |
| 17 |
> down and up again. I had a problem last night with my Virgin fibre modem |
| 18 |
> and I noticed that after the inevitable hardware reset, a bunch of |
| 19 |
> services had been restarted. Besides the issue that dnsmasq is not bound |
| 20 |
> to the interface in question, I guess I could test it quite easily, |
| 21 |
> although I am not sure everyone else on the LAN will be too keen. |
| 22 |
|
| 23 |
Resolvconf is a thing that handles your /etc/resolv.conf file if many |
| 24 |
interfaces have stuff and would otherwise clobber each other. I assume |
| 25 |
you are using dnsmasq as a local caching resolver on your machine? |
| 26 |
What probably happened is your internet went down then up, you got new |
| 27 |
DNS servers so resolv.conf updated the settings then reloaded/restarted |
| 28 |
dnsmasq. We may be missing a transition from resolvconf_t to dnsmasq_t |
| 29 |
|
| 30 |
# sesearch -T -s resolvconf_t |
| 31 |
type_transition resolvconf_t initrc_exec_t:process initrc_t; |
| 32 |
type_transition resolvconf_t rc_exec_t:process initrc_t; |
| 33 |
type_transition resolvconf_t var_run_t:dir resolvconf_var_run_t; |
| 34 |
type_transition resolvconf_t var_run_t:file resolvconf_var_run_t; |
| 35 |
|
| 36 |
# sesearch -T -t dnsmasq_exec_t |
| 37 |
type_transition NetworkManager_t dnsmasq_exec_t:process dnsmasq_t; |
| 38 |
type_transition initrc_t dnsmasq_exec_t:process dnsmasq_t; |
| 39 |
type_transition virtd_t dnsmasq_exec_t:process dnsmasq_t; |
| 40 |
|
| 41 |
There is no type_trans from resolvconf_t to dnsmasq_exec_t, i'll add it |
| 42 |
to the next version of the policies |
| 43 |
|
| 44 |
-- Jason |
Archives