Your message dated Thu, 19 Dec 2019 14:39:22 +0000
with message-id <[email protected]>
and subject line Bug#850783: fixed in resolvconf 1.81
has caused the Debian Bug report #850783,
regarding resolvconf: needs to set correct SE Linux context on created 
directories and files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
850783: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850783
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: resolvconf
Version: 1.79
Severity: normal
Tags: patch

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740685

I've written SE Linux policy to fix the above bug, but also we need 2 minor
changes to resolvconf.

d /run/resolvconf 0755 root root -
d /run/resolvconf/interface 0755 root root -
f /run/resolvconf/resolv.conf 644 root root -
f /run/resolvconf/enable-updates 644 root root -

A file named /usr/lib/tmpfiles.d/resolvconf.conf with contents like the above
will cause systemd to create the temporary directories and files with the
correct SE Linux context.  It will also remove the need for making a
directory in the ExecStartPre section of /lib/systemd/system/resolvconf.service.
This works for me on one of my test systems.

A patch like the below should make it work correctly on SysVInit.  On systems
that don't run SE Linux it will have no effect.

--- /etc/init.d/resolvconf.orig 2017-01-10 04:15:38.668000000 +0000
+++ /etc/init.d/resolvconf      2017-01-10 04:31:47.140000000 +0000
@@ -60,10 +60,14 @@
                # Create directory at the target
                mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 
"Error creating directory $RUN_CANONICALDIR"
        fi
+       [ -x /sbin/restorecon ] && /sbin/restorecon "$RUN_CANONICALDIR"
+
        # The resolvconf run directory now exists.
        if [ ! -d "${RUN_DIR}/interface" ] ; then
                mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 
"Error creating directory ${RUN_DIR}/interface"
        fi
+       [ -x /sbin/restorecon ] && /sbin/restorecon "${RUN_DIR}/interface" 
"${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates
+
        # The interface directory now exists.  We are done.
        return
 }
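Review bot: the second added restorecon line has a misplaced quote. `"${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates` closes the quote after a trailing space, so the shell joins the two paths into a single word and restorecon is handed one path that does not exist; it should read `"${RUN_DIR}/resolv.conf" "${RUN_DIR}/enable-updates"`. The first added line sits after the `fi`, and in the script listed further down in this report `RUN_CANONICALDIR` is only assigned inside that `if`, so when `$RUN_DIR` is already a directory restorecon receives an empty argument; relabelling `"$RUN_DIR"` instead would cover both paths through the function. The same listing also shows that the `start` action removes resolv.conf and enable-updates before this function runs, so relabelling them here should either be guarded with an existence test or moved to after `resolvconf --enable-updates`.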

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages resolvconf depends on:
ii  debconf [debconf-2.0]  1.5.59
ii  ifupdown               0.8.16
ii  init-system-helpers    1.46
ii  lsb-base               9.20161125

resolvconf recommends no packages.

resolvconf suggests no packages.

-- Configuration Files:
/etc/init.d/resolvconf changed:
[ -x /sbin/resolvconf ] || exit 0
PATH=/sbin:/bin
RUN_DIR=/etc/resolvconf/run
ENABLE_UPDATES_FLAGFILE="${RUN_DIR}/enable-updates"
POSTPONED_UPDATE_FLAGFILE="${RUN_DIR}/postponed-update"
. /lib/lsb/init-functions
case "$1" in
  start|restart|force-reload)
        init_is_upstart && exit 1
        ;;
  stop)
        init_is_upstart && exit 0
        ;;
esac
log_action_end_msg_and_exit()
{
        log_action_end_msg "$1" ${2:+"$2"}
        exit $1
}
create_runtime_directories()
{
        umask 022
        if [ ! -d "$RUN_DIR" ] ; then
                [ -L "$RUN_DIR" ] || log_action_end_msg_and_exit 1 "$RUN_DIR is neither a directory nor a symbolic link"
                # It's a symlink. Its target is not a dir.
                { RUN_CANONICALDIR="$(readlink -f "$RUN_DIR")" && [ "$RUN_CANONICALDIR" ] ; } || log_action_end_msg_and_exit 1 "Canonical path of the run directory could not be determined"
                # Create directory at the target
                mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 "Error creating directory $RUN_CANONICALDIR"
        fi
        [ -x /sbin/restorecon ] && /sbin/restorecon "$RUN_CANONICALDIR"
        # The resolvconf run directory now exists.
        if [ ! -d "${RUN_DIR}/interface" ] ; then
                mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 "Error creating directory ${RUN_DIR}/interface"
        fi
        [ -x /sbin/restorecon ] && /sbin/restorecon "${RUN_DIR}/interface" "${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates
        # The interface directory now exists.  We are done.
        return
}
wipe_runtime_directories()
{
        # Delete files in the resolvconf run directory (target) but not the directory itself
        [ -d "$RUN_DIR" ] || return
        rm -f "$RUN_DIR"/resolv.conf
        rm -f "$ENABLE_UPDATES_FLAGFILE"
        rm -f "$POSTPONED_UPDATE_FLAGFILE"
        rm -rf "${RUN_DIR}/interface/*"
        return
}
case "$1" in
  start)
        # The "start" method should only be used at boot time.
        # Don't run this on package upgrade, for example.
        log_action_begin_msg "Setting up resolvconf"
        # Wipe runtime directories in case they aren't on a tmpfs
        wipe_runtime_directories
        # Create runtime directories in case they are on a tmpfs
        create_runtime_directories
        # Request a postponed update (needed in case the base file has content).
        :> "$POSTPONED_UPDATE_FLAGFILE" || log_action_end_msg_and_exit 1 "failed requesting update"
        # Enable updates and perform the postponed update.
        resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
        log_action_end_msg_and_exit 0
        ;;
  stop)
        # The "stop" method should only be used at shutdown time.
        log_action_begin_msg "Stopping resolvconf"
        resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates"
        log_action_end_msg_and_exit 0
        ;;
  restart)
        log_action_begin_msg "Restarting resolvconf"
        resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
        log_action_end_msg_and_exit 0
        ;;
  reload|force-reload)
        resolvconf -u || log_action_end_msg_and_exit 1 "failed to update"
        exit 0
        ;;
  enable-updates)
        resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
        exit 0
        ;;
  disable-updates)
        resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates"
        exit 0
        ;;
  status)
        if resolvconf --updates-are-enabled ; then
                log_success_msg "resolvconf updates are enabled"
        else
                log_failure_msg "resolvconf updates are disabled"
        fi
        exit 0
        ;;
  *)
        echo "Usage: /etc/init.d/resolvconf {start|stop|restart|reload|force-reload|enable-updates|disable-updates|status}" >&2
        exit 3
        ;;
esac
exit 99


-- debconf information:
  resolvconf/reboot-recommended-after-removal:
  resolvconf/link-tail-to-original: false
  resolvconf/downup-interfaces:
  resolvconf/linkify-resolvconf: true

--- End Message ---
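
The SysVinit relabelling described in the report above, as an added example that is not part of the original message or of the resolvconf package: it relabels only paths that already exist and does nothing when restorecon is not installed. The names RESTORECON, relabel_existing, ensure_dir and the argument to create_runtime_directories are hypothetical.

```shell
#!/bin/sh
# Added example, not resolvconf's own init script.
# RESTORECON can be overridden (assumption made here so the helper can be tested).
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# Restore the default SELinux context on each argument that exists.
# Returns 0 without doing anything when restorecon is not installed,
# so systems without SELinux are unaffected.
relabel_existing() {
    [ -x "$RESTORECON" ] || return 0
    for p in "$@"; do
        [ -n "$p" ] || continue     # skip empty arguments (unset variables)
        [ -e "$p" ] || continue     # skip files that have not been created yet
        "$RESTORECON" "$p" || return 1
    done
    return 0
}

# Create directory $1 with mode 0755 if it is missing, then relabel it.
ensure_dir() {
    [ -d "$1" ] || mkdir -m 0755 "$1" || return 1
    relabel_existing "$1"
}

# $1 is the run directory, e.g. /run/resolvconf as in the tmpfiles.d lines above.
create_runtime_directories() {
    run_dir="$1"
    ensure_dir "$run_dir" || return 1
    ensure_dir "$run_dir/interface" || return 1
    # These two files may not exist at boot; they are relabelled only if present.
    relabel_existing "$run_dir/resolv.conf" "$run_dir/enable-updates"
}
```

Calling relabel_existing again after the files have been written gives them the policy's context as well.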
--- Begin Message ---
Source: resolvconf
Source-Version: 1.81

We believe that the bug you reported is fixed in the latest version of
resolvconf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <[email protected]> (supplier of updated resolvconf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Dec 2019 15:19:16 +0100
Source: resolvconf
Architecture: source
Version: 1.81
Distribution: unstable
Urgency: medium
Maintainer: resolvconf team <[email protected]>
Changed-By: Andrej Shadura <[email protected]>
Closes: 850783 946609
Changes:
 resolvconf (1.81) unstable; urgency=medium
 .
   [ Russell Coker ]
   * Set correct SE Linux context on created directories and files
     (Closes: #850783).
 .
   [ Jakub Wilk ]
   * Drop symlink resolving logic from the init script (Closes: #946609).
Checksums-Sha1:
 7765917b0be729dfaa4d867b3b480e8cff9bb735 1483 resolvconf_1.81.dsc
 a05a36af2f8cba3d00339bc02ea52ccd5e4b687d 72900 resolvconf_1.81.tar.xz
Checksums-Sha256:
 7e2bb5f62686b94715657fd6e3f87bfde6a4a5afdb3706dba2e61692fc0246ce 1483 resolvconf_1.81.dsc
 68c0700befb473355d353ce5ea20d44b62e0a7b01a0ac5e214e33ea692934d3e 72900 resolvconf_1.81.tar.xz
Files:
 20e58ff37fcddfdae9564f7bf5318c07 1483 net optional resolvconf_1.81.dsc
 016294998dafc3b28b1c8c418c2040c5 72900 net optional resolvconf_1.81.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
