From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Fri, 11 Dec 2020 17:21:14 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b
Conflict: NA
Subject: [PATCH] Allow stub-resolv.conf to be a symlink
It turns out that under certain configurations,
/var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a
regular file (see [1]). In such a case, domains such as NetworkManager_t
and chronyd_t need to be able to read it, which is denied since the
symlink ends up being labeled as systemd_resolved_var_run_t.
So make sure that such a symlink is also labeled net_conf_t and extend
sysnet_read_config() to allow also reading symlinks.
NOTE: Further unification/simplification of /etc network config symlinks
would now be possible (basically reverting f1505fca7063 ("Label
/etc/resolv.conf as net_conf_t only if it is a plain file")), but that
leads down to a deeper rabbit hole, so it's not addressed here.
[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/sysnetwork.fc | 2 +-
policy/modules/system/sysnetwork.if | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 27eb98b..de92927 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -38,7 +38,7 @@ ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
')
/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
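Review bot: On the stub-resolv\.conf entry, dropping the `--` specifier entirely makes the pattern match every object class at that path, not just a regular file or a symlink, so a directory, socket or FIFO created under that name would also be labelled net_conf_t. The commit message only needs the symlink case, so I would keep the existing `--` entry and add a second entry with `-l` for the symlink. That also keeps the line consistent with the resolv\.conf entry directly above it, which stays restricted to regular files.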
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index d7b696b..25e6b13 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -456,6 +456,7 @@ interface(`sysnet_read_config',`
allow $1 net_conf_t:dir list_dir_perms;
allow $1 net_conf_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
+ read_lnk_files_pattern($1, net_conf_t, net_conf_t)
')
')
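Review bot: In sysnet_read_config, the added read_lnk_files_pattern($1, net_conf_t, net_conf_t) looks redundant with the two allow rules directly above it in the same block: `allow $1 net_conf_t:lnk_file read_lnk_file_perms;` already lets the caller read net_conf_t symlinks, and the dir rule already grants list_dir_perms on net_conf_t directories. If the pattern is meant to replace the explicit lnk_file rule, drop that rule in the same patch. If it grants something the existing rules do not, please name that permission in the commit message, since every caller of this interface inherits whatever it adds.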
@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',`
optional_policy(`
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+ systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
')
')
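Review bot: In sysnet_filetrans_systemd_resolved, the lnk_file class is added only for the name "stub-resolv.conf", and a named transition applies only when the object is created under exactly that name. The neighbouring "resolv.conf.tmp" rule suggests the regular files are written under a temporary name and renamed into place. If the symlink is created the same way, it will still get the default type and the denial described in the commit message will persist. Please confirm how the symlink is created and, if a temporary name is involved, add a lnk_file transition for that name too. It would also help to note in the commit message that an already existing symlink keeps its old label until it is relabelled.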
--
1.8.3.1