refpolicy: Use /run/resolv.conf

/var/run is incorrect because of the config/file_contexts.subs_dist - the path should use /run. Without it, /var/run/resolv.conf gets labeled improperly as initrc_var_run_t. usbvm uses the default volatiles which symlinks /etc/resolv.conf -> /var/run/resolv.conf which causes this. Also, syncvm sync-cmd can't read the mis-labeled file. Signed-off-by: Jason Andryuk <[email protected]>
OpenXT · May 18, 2023 · 64c7857 · 64c7857
1 parent 25daf31
commit 64c7857
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/policy.modules.system.sysnetwork.patch b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/policy.modules.system.sysnetwork.patch
@@ -1,6 +1,6 @@
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -18,9 +18,11 @@ ifdef(`distro_debian',`
+@@ -18,11 +18,13 @@ ifdef(`distro_debian',`
  /etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts\.allow.*	--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
@@ -11,8 +11,11 @@
 -/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/resolv\.conf.*		gen_context(system_u:object_r:net_conf_t,s0)
  /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+-/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
++/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
 @@ -34,6 +36,15 @@ ifdef(`distro_redhat',`
  /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
  /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)