On Thu, Apr 20, 2017 at 09:05:59PM +0800, Jason Zaman wrote:
> On Wed, Apr 19, 2017 at 02:12:36PM +0100, Robert Sharp wrote:
[...]
> > One possibility is that it got into this context when my interface went
> > down and up again. I had a problem last night with my Virgin fibre modem
> > and I noticed that after the inevitable hardware reset, a bunch of
> > services had been restarted. Besides the issue that dnsmasq is not bound
> > to the interface in question, I guess I could test it quite easily,
> > although I am not sure everyone else on the LAN will be too keen.
>
> Resolvconf is a thing that handles your /etc/resolv.conf file if many
> interfaces have stuff and would otherwise clobber each other. I assume
> you are using dnsmasq as a local caching resolver on your machine?
> What probably happened is your internet went down then up, you got new
> DNS servers so resolvconf updated the settings then reloaded/restarted
> dnsmasq. We may be missing a transition from resolvconf_t to dnsmasq_t.
>
> # sesearch -T -s resolvconf_t
> type_transition resolvconf_t initrc_exec_t:process initrc_t;
> type_transition resolvconf_t rc_exec_t:process initrc_t;
> type_transition resolvconf_t var_run_t:dir resolvconf_var_run_t;
> type_transition resolvconf_t var_run_t:file resolvconf_var_run_t;
>
> # sesearch -T -t dnsmasq_exec_t
> type_transition NetworkManager_t dnsmasq_exec_t:process dnsmasq_t;
> type_transition initrc_t dnsmasq_exec_t:process dnsmasq_t;
> type_transition virtd_t dnsmasq_exec_t:process dnsmasq_t;
>
> There is no type_trans from resolvconf_t to dnsmasq_exec_t, I'll add it
> to the next version of the policies.

Also, one way to potentially facilitate debugging of (non)transitioning is
to enable auditing on the transitions themselves, and perhaps on
execute_no_trans (although that one you should do too broadly because it is
triggered many times).

auditallow domain domain:process transition;

Wkr,
Sven Vermeulen
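As an added illustration (not part of this thread and not the Gentoo or refpolicy code), a small local policy module that supplies the resolvconf_t to dnsmasq_t transition Jason found missing, with Sven's auditallow idea narrowed to that single transition. It assumes a refpolicy build environment where the domtrans_pattern and gen_require macros are available and the three types already exist, as the sesearch output above shows.

```selinux
policy_module(local_resolvconf_dnsmasq, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type resolvconf_t;
	type dnsmasq_exec_t;
	type dnsmasq_t;
')

########################################
#
# Local policy
#

# domtrans_pattern() expands to the rules a domain transition needs:
# execute permission for resolvconf_t on dnsmasq_exec_t, the
# "allow resolvconf_t dnsmasq_t:process transition;" rule, and the
# "type_transition resolvconf_t dnsmasq_exec_t:process dnsmasq_t;"
# default that was absent from "sesearch -T -t dnsmasq_exec_t" above.
# A proper policy submission would call the dnsmasq_domtrans()
# interface from dnsmasq.if instead of using the pattern directly.
domtrans_pattern(resolvconf_t, dnsmasq_exec_t, dnsmasq_t)

# Log each successful transition as a "granted { transition }" AVC
# record. Scoped to this one source/target pair rather than the
# thread's broad "auditallow domain domain:process transition;" so the
# audit log is not flooded; drop it once the restart path is confirmed.
auditallow resolvconf_t dnsmasq_t:process transition;
```

Build the module with the refpolicy module Makefile and load it with semodule -i; after the next modem reset, a granted { transition } AVC record in the audit log shows whether resolvconf is indeed the process restarting dnsmasq.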