CentOS improper mount labeling on SELinux enabled systems

* CentOS improper mount labeling on SELinux enabled systems
@ 2018-06-16 20:47 Silvan Nagl
  2018-06-16 22:24 ` Jason A. Donenfeld
  0 siblings, 1 reply; 2+ messages in thread
From: Silvan Nagl @ 2018-06-16 20:47 UTC (permalink / raw)
  To: wireguard

Hello,

herewith I'm requesting a bug fix in the bash script 'wg-quick'. When 
'DNS' is set in the interfaces configuration file 'wg-quick' will mount 
the modified 'resolv.conf' with improper set SELinux labels which leads 
to services not being able to access the 'resolv.conf' correctly. In my 
test case it was 'syslogd_t' not being able to do the syscalls 'getattr 
read' because the normal mount will be labeled as 
'unconfined_u:object_r:user_tmp_t:s0' when i execute the script 
manually. The fix would be easily done by adding the correct mount 
labels as mount option:

mount -o context="system_u:object_r:net_conf_t:s0" -t tmpfs none /dev/shm

Greetings

Silvan

*** /bin/wg-quick    2018-06-13 19:29:40.000000000 +0200
--- wg-quick    2018-06-16 21:58:05.020633893 +0200
***************
*** 331,337 ****
           } | unshare -m --propagation shared bash -c "$(cat <<-_EOF
               set -e
               mount --make-private /dev/shm
!             mount -t tmpfs none /dev/shm
               cat > /dev/shm/resolv.conf
               mount -o remount,ro /dev/shm
               mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
--- 331,337 ----
           } | unshare -m --propagation shared bash -c "$(cat <<-_EOF
               set -e
               mount --make-private /dev/shm
!             mount -o context="system_u:object_r:net_conf_t:s0" -t 
tmpfs none /dev/shm
               cat > /dev/shm/resolv.conf
               mount -o remount,ro /dev/shm
               mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf

^ permalink raw reply	[flat|nested] 2+ messages in thread