| 1 |
On Thu, Apr 20, 2017 at 09:05:59PM +0800, Jason Zaman wrote: |
| 2 |
> On Wed, Apr 19, 2017 at 02:12:36PM +0100, Robert Sharp wrote: |
| 3 |
[...] |
| 4 |
> > One possibility is that it got into this context when my interface went |
| 5 |
> > down and up again. I had a problem last night with my Virgin fibre modem |
| 6 |
> > and I noticed that after the inevitable hardware reset, a bunch of |
| 7 |
> > services had been restarted. Besides the issue that dnsmasq is not bound |
| 8 |
> > to the interface in question, I guess I could test it quite easily, |
| 9 |
> > although I am not sure everyone else on the LAN will be too keen. |
| 10 |
> |
| 11 |
> Resolvconf is a thing that handles your /etc/resolv.conf file if many |
| 12 |
> interfaces have stuff and would otherwise clobber each other. I assume |
| 13 |
> you are using dnsmasq as a local caching resolver on your machine? |
| 14 |
> What probably happened is your internet went down then up, you got new |
| 15 |
> DNS servers so resolv.conf updated the settings then reloaded/restarted |
| 16 |
> dnsmasq. We may be missing a transition from resolvconf_t to dnsmasq_t |
| 17 |
> |
| 18 |
> # sesearch -T -s resolvconf_t |
| 19 |
> type_transition resolvconf_t initrc_exec_t:process initrc_t; |
| 20 |
> type_transition resolvconf_t rc_exec_t:process initrc_t; |
| 21 |
> type_transition resolvconf_t var_run_t:dir resolvconf_var_run_t; |
| 22 |
> type_transition resolvconf_t var_run_t:file resolvconf_var_run_t; |
| 23 |
> |
| 24 |
> # sesearch -T -t dnsmasq_exec_t |
| 25 |
> type_transition NetworkManager_t dnsmasq_exec_t:process dnsmasq_t; |
| 26 |
> type_transition initrc_t dnsmasq_exec_t:process dnsmasq_t; |
| 27 |
> type_transition virtd_t dnsmasq_exec_t:process dnsmasq_t; |
| 28 |
> |
| 29 |
> There is no type_trans from resolvconf_t to dnsmasq_exec_t, i'll add it |
| 30 |
> to the next version of the policies |
| 31 |
|
| 32 |
Also, one way to potentially facilitate debugging of (non)transitioning, is |
| 33 |
to enable auditing on the transitions themselves, and perhaps on the |
| 34 |
execute_no_trans (although that one you should do too broadly because it is |
| 35 |
triggered many times). |
| 36 |
|
| 37 |
auditallow domain domain:process transition; |
| 38 |
|
| 39 |
Wkr, |
| 40 |
Sven Vermeulen |
Archives