selinux-refpolicy.vger.kernel.org archive mirror
From: Chris PeBenito <pebenito@ieee.org>
To: Petr Vorel <pvorel@suse.cz>, selinux-refpolicy@vger.kernel.org
Cc: Dan Walsh <dwalsh@redhat.com>
Subject: Re: [PATCH v3 2/2] dnsmasq: Add support for lxc-net, lxd-bridge, NetworkManager
Date: Fri, 16 Nov 2018 10:12:52 -0500
Message-ID: <7abbe1dd-f459-606f-c92c-8e66297bacd0@ieee.org>
In-Reply-To: <20181112084731.27185-2-pvorel@suse.cz>

On 11/12/18 3:47 AM, Petr Vorel wrote:
> * lxc-net pid and lease files:
> /var/run/lxc/dnsmasq.pid
> /var/lib/misc/dnsmasq.*.leases
> 
> * lxd-bridge pid and lease files:
> /var/run/lxd-bridge/dnsmasq.pid
> /var/lib/lxd-bridge/dnsmasq.*.leases
> /var/lib/lxd/networks/*/dnsmasq.leases
> /var/lib/lxd/networks/*/dnsmasq.pid
> 
> * NetworkManager pid, lease and configuration files:
> /var/lib/NetworkManager/dnsmasq-*.leases
> /run/nm-dns-dnsmasq.conf
> /run/nm-dnsmasq-*.pid
> /run/sendsigs.omit.d/*dnsmasq.pid
> /run/NetworkManager/dnsmasq.conf
> /run/NetworkManager/dnsmasq.pid
> 
> + sort /var/lib/ lines.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Changes v2->v3:
> * more sorting
> 
> Changes v1->v2
> * fix sorting (requested by Chris PeBenito)
> * fix missing dot escapes (requested by Chris PeBenito)
> * change some stars to plus
> ---
>   policy/modules/services/dnsmasq.fc | 11 ++++++++++-
>   1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
> index 91c18d46..7df6e973 100644
> --- a/policy/modules/services/dnsmasq.fc
> +++ b/policy/modules/services/dnsmasq.fc
> @@ -5,6 +5,11 @@
>   
>   /run/dnsmasq.*			--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
>   /run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/(lxc|lxd-bridge|NetworkManager)/dnsmasq\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/NetworkManager/dnsmasq\.conf   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
> +/run/nm-dns-dnsmasq\.conf   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
> +/run/nm-dnsmasq-.+\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/sendsigs\.omit\.d/.*dnsmasq\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
>   
>   /usr/bin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
>   
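
Review bot: The two added .conf entries, `/run/NetworkManager/dnsmasq\.conf` and `/run/nm-dns-dnsmasq\.conf`, have no `--` file-type field, while every other line added in this hunk has one, so they are not restricted to regular files. They also separate the path from gen_context() with spaces where the neighbouring lines use tabs. Suggest adding `--` and tab separators. Both paths sit under /run but are labelled dnsmasq_etc_t, so it is also worth checking that no other module's .fc already specifies the same path; the setfiles error quoted in the reply reports exactly that for `/run/nm-dns-dnsmasq\.conf`.
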
> @@ -13,7 +18,11 @@
>   
>   /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
>   
> -/var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
>   /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd-bridge/dnsmasq\..+\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd/networks/\.*/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd/networks/\.+/dnsmasq\.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/var/lib/misc/dnsmasq(\..+)?\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/NetworkManager/dnsmasq-.+\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
>   
>   /var/log/dnsmasq(.*)?\.log(\..+)	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
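
Review bot: In the two `/var/lib/lxd/networks/` entries the per-network directory component is written as `\.*` and `\.+`, which match only literal dots (and `\.*` also matches an empty name), so neither line covers the `/var/lib/lxd/networks/*/dnsmasq.leases` and `/var/lib/lxd/networks/*/dnsmasq.pid` paths listed in the commit message. Suggest an unescaped single-component match such as `[^/]+` in both lines, with the same quantifier in each.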

I got this error:

/sbin/setfiles: file_contexts: Multiple different specifications for 
/run/nm-dns-dnsmasq\.conf 
(system_u:object_r:NetworkManager_var_run_t:s0 and 
system_u:object_r:dnsmasq_etc_t:s0).

This made me think about this patch more.  Is NetworkManager creating 
these config files?


-- 
Chris PeBenito
