I would consider it a bug and it should be reported to the distribution's
bug tracker (Launchpad?).
We have something similar and I admit there are different SELinux
contexts assigned for those files.

$ LANG=C.UTF-8 ls -lZ /run/NetworkManager/*resolv.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_var_run_t:s0 281 Feb 9 13:29 /run/NetworkManager/no-stub-resolv.conf
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 281 Feb 9 13:29 /run/NetworkManager/resolv.conf

I think Ubuntu is using AppArmor instead, but anyway. I do not think
this file is meant to be private or has any good reason to be. That
should be read-only for any service needing that information.
Similar files are produced by systemd-resolved:

# ls -lZ /run/systemd/resolve/*resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve unconfined_u:object_r:user_tmp_t:s0 788 Feb 9 13:48 /run/systemd/resolve/resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve unconfined_u:object_r:user_tmp_t:s0 920 Feb 9 13:48 /run/systemd/resolve/stub-resolv.conf

Which should be readable by other services as well.
File a bug for your distribution, please.

On 12/14/23 23:46, Chris Green wrote:
> Up until now I have the following in my /etc/dnsmasq.conf:-
>
>     resolv-file=/run/NetworkManager/no-stub-resolv.conf
>
> This means that dnsmasq uses the upstream DNS that Network Manager
> configures. When I'm on the local LAN this resolves to 'my' DNS
> server at 192.168.1.2, when I'm connected somewhere else Network
> Manager sorts things out accordingly and dnsmasq gets the right
> upstream DNS server.
>
> However the latest Ubuntu update has tightened the permissions on
> /etc/NetworkManager and dnsmasq can't read the file
> /run/NetworkManager/no-stub-resolv.conf.
>
> I know this is a slightly non-standard configuration but it has worked
> very nicely for me for some years. Can anyone suggest a way to fix
> this? Obviously /run/NetworkManager/no-stub-resolv.conf is created
> at every boot so the permissions will revert to 'too strict' every
> time I start the system.

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
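
Added example, not part of the original message or of dnsmasq/NetworkManager: a small shell helper that walks the path of a resolv-file and reports which component (a parent directory missing o+x, or the file missing o+r) stops a service that is neither owner nor group member from reading it. The function name first_blocker and its optional second argument are made up for this illustration; it assumes GNU stat (`stat -c`) and looks at mode bits only.

```shell
#!/bin/sh
# Constructed helper (not from the thread): report the first path component
# that a user who is neither owner nor group member cannot get past.
# Only classic mode bits are inspected; ACLs, SELinux and AppArmor are not.
# Usage: first_blocker /run/NetworkManager/no-stub-resolv.conf
#   returns 0 and prints nothing if every directory is o+x and the file is o+r
#   returns 1 and prints the blocking component
#   returns 2 if a component cannot be examined (run it as root in that case)
# Optional 2nd argument: a leading directory to skip (assumed accessible).
first_blocker() {
    target=$1
    cur=${2:-}
    rest=${target#"$cur"}
    rest=${rest#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        mode=$(stat -L -c '%a' "$cur" 2>/dev/null) || {
            echo "cannot stat $cur" >&2
            return 2
        }
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ -d "$cur" ]; then
            need=1                          # search (x) bit on directories
        else
            need=4                          # read (r) bit on the file itself
        fi
        if [ $((other & need)) -eq 0 ]; then
            echo "$cur"
            return 1
        fi
    done
    return 0
}

# Run as a script: pass the resolv-file path as the first argument.
if [ "$#" -gt 0 ]; then
    first_blocker "$@"
fi
```

A directory reported here is the thing to quote in the distribution bug report; the 0644 mode on the file itself does not help if its parent directory is not searchable.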