I would consider it a bug, and it should be reported to the distribution's bug tracker (Launchpad?).

We have something similar and I admit there are different SELinux contexts assigned for those files.

$ LANG=C.UTF-8 ls -lZ /run/NetworkManager/*resolv.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_var_run_t:s0 281 Feb  9 13:29 /run/NetworkManager/no-stub-resolv.conf
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0               281 Feb  9 13:29 /run/NetworkManager/resolv.conf

I think Ubuntu is using AppArmor instead, but anyway. I do not think this file is meant to be private or has any good reason to be. That should be read-only for any service needing that information.

Similar files are produced by systemd-resolved:

# ls -lZ /run/systemd/resolve/*resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve unconfined_u:object_r:user_tmp_t:s0 788 Feb  9 13:48 /run/systemd/resolve/resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve unconfined_u:object_r:user_tmp_t:s0 920 Feb  9 13:48 /run/systemd/resolve/stub-resolv.conf

Which should be readable by other services as well.

File a bug for your distribution, please.

On 12/14/23 23:46, Chris Green wrote:
Up until now I have the following in my /etc/dnsmasq.conf:-

     resolv-file=/run/NetworkManager/no-stub-resolv.conf

This means that dnsmasq uses the upstream DNS that Network Manager
configures.  When I'm on the local LAN this resolves to 'my' DNS
server at 192.168.1.2, when I'm connected somewhere else Network
Manager sorts things out accordingly and dnsmasq gets the right
upstream DNS server.

However the latest Ubuntu update has tightened the permissions on
/etc/NetworkManager and dnsmasq can't read the file
/run/NetworkManager/no-stub-resolv.conf.

I know this is a slightly non-standard configuration but it has worked
very nicely for me for some years.  Can anyone suggest a way to fix
this?   Obviously /run/NetworkManager/no-stub-resolv.conf is created
at every boot so the permissions will revert to 'too strict' every
time I start the system.

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
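
Added example, not part of the original message: a small diagnostic that walks the resolv-file path discussed above and reports the first component whose mode bits keep an unprivileged service from reaching it, which is useful evidence to attach to a distribution bug report. The function name first_blocker is hypothetical; it assumes Linux with GNU stat, assumes dnsmasq is neither owner nor group member of any component, and looks at classic mode bits only (not ACLs, SELinux or AppArmor).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU stat.
# Checks classic mode bits only: ACLs, SELinux and AppArmor are not evaluated,
# and dnsmasq is assumed to be neither owner nor group member of any component.

# Print the first component of absolute path $1 that blocks "other" users:
# a directory without o+x (no traversal) or a final file without o+r.
# Returns 0 if nothing blocks, 1 if a blocker was printed, 2 if stat failed.
first_blocker() {
    rest=${1#/}
    path=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}                 # next component
        case $rest in
            */*) rest=${rest#*/} ;;      # more components follow
            *)   rest="" ;;              # this was the last one
        esac
        [ -n "$part" ] || continue       # skip empty parts from "//"
        path="$path/$part"
        # -L follows symlinks so the target's mode is checked, not the link's.
        mode=$(stat -L -c %a "$path" 2>/dev/null) || {
            printf '%s (cannot stat)\n' "$path"
            return 2
        }
        other=${mode#"${mode%?}"}        # last octal digit = "other" bits
        if [ -d "$path" ]; then need=1; else need=4; fi   # x for dirs, r for files
        if [ $(($other & $need)) -eq 0 ]; then
            printf '%s\n' "$path"
            return 1
        fi
    done
    return 0
}

# Usage: sh check.sh /run/NetworkManager/no-stub-resolv.conf
if [ "$#" -gt 0 ]; then
    first_blocker "$1"
fi
```

Empty output means the mode bits alone do not explain the failure, so the next place to look is the MAC policy (SELinux or AppArmor) mentioned in the reply.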
