Package: resolvconf
Version: 1.79
Severity: normal
Tags: patch

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740685
I've written SE Linux policy to fix the above bug, but also we need 2 minor changes to resolvconf. d /run/resolvconf 0755 root root - d /run/resolvconf/interface 0755 root root - f /run/resolvconf/resolv.conf 644 root root - f /run/resolvconf/enable-updates 644 root root - A file named /usr/lib/tmpfiles.d/resolvconf.conf with contents like the above will cause systemd to create the temporary directories and files with the correct SE Linux context. It will also remove the need for making a directory in the ExecStartPre section of /lib/systemd/system/resolvconf.service. This works for me on one of my test systems. A patch like the below should make it work correctly on SysVInit. On systems that don't run SE Linux it will have no effect.
--- /etc/init.d/resolvconf.orig 2017-01-10 04:15:38.668000000 +0000
+++ /etc/init.d/resolvconf 2017-01-10 04:31:47.140000000 +0000
@@ -60,10 +60,14 @@
 # Create directory at the target
 mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 "Error creating directory $RUN_CANONICALDIR"
 fi
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$RUN_CANONICALDIR"
+
 # The resolvconf run directory now exists.
 if [ ! -d "${RUN_DIR}/interface" ] ; then
 mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 "Error creating directory ${RUN_DIR}/interface"
 fi
+ [ -x /sbin/restorecon ] && /sbin/restorecon "${RUN_DIR}/interface" "${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates
+
 # The interface directory now exists. We are done.
 return
 }
-- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages resolvconf depends on: ii debconf [debconf-2.0] 1.5.59 ii ifupdown 0.8.16 ii init-system-helpers 1.46 ii lsb-base 9.20161125 resolvconf recommends no packages. resolvconf suggests no packages. -- Configuration Files: /etc/init.d/resolvconf changed: [ -x /sbin/resolvconf ] || exit 0 PATH=/sbin:/bin RUN_DIR=/etc/resolvconf/run ENABLE_UPDATES_FLAGFILE="${RUN_DIR}/enable-updates" POSTPONED_UPDATE_FLAGFILE="${RUN_DIR}/postponed-update" . /lib/lsb/init-functions case "$1" in start|restart|force-reload) init_is_upstart && exit 1 ;; stop) init_is_upstart && exit 0 ;; esac log_action_end_msg_and_exit() { log_action_end_msg "$1" ${2:+"$2"} exit $1 } create_runtime_directories() { umask 022 if [ ! -d "$RUN_DIR" ] ; then [ -L "$RUN_DIR" ] || log_action_end_msg_and_exit 1 "$RUN_DIR is neither a directory nor a symbolic link" # It's a symlink. Its target is not a dir. 
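Review bot: The first added line, `/sbin/restorecon "$RUN_CANONICALDIR"`, runs with an empty argument whenever `$RUN_DIR` is already a directory, because `RUN_CANONICALDIR` is only assigned inside the `if [ ! -d "$RUN_DIR" ]` branch that begins above the hunk (the start of `create_runtime_directories` is outside it), so in the common case restorecon presumably complains about a missing path and the real run directory is never relabeled. The second added line has a misplaced quote — `"${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates` hands `resolv.conf` and `enable-updates` to restorecon as a single argument containing a space — and on the `start` path both files have just been removed by `wipe_runtime_directories` (see the configuration-file listing below), so that part of the call can only fail. I would hoist `RUN_CANONICALDIR="$(readlink -f "$RUN_DIR")"` above the `if` so it is always set, reduce the second call to `/sbin/restorecon "${RUN_DIR}/interface"`, and relabel `resolv.conf` and the flag file at the point where they are actually created, or first confirm that newly created files already inherit the intended label. Since the `[ -x … ] && …` form deliberately ignores a failed restorecon, a comment such as `# best effort: relabel for SELinux; a failure here is non-fatal` would make that intent explicit.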
{ RUN_CANONICALDIR="$(readlink -f "$RUN_DIR")" && [ "$RUN_CANONICALDIR" ] ; } || log_action_end_msg_and_exit 1 "Canonical path of the run directory could not be determined" # Create directory at the target mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 "Error creating directory $RUN_CANONICALDIR" fi [ -x /sbin/restorecon ] && /sbin/restorecon "$RUN_CANONICALDIR" # The resolvconf run directory now exists. if [ ! -d "${RUN_DIR}/interface" ] ; then mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 "Error creating directory ${RUN_DIR}/interface" fi [ -x /sbin/restorecon ] && /sbin/restorecon "${RUN_DIR}/interface" "${RUN_DIR}/resolv.conf "${RUN_DIR}/enable-updates # The interface directory now exists. We are done. return } wipe_runtime_directories() { # Delete files in the resolvconf run directory (target) but not the directory itself [ -d "$RUN_DIR" ] || return rm -f "$RUN_DIR"/resolv.conf rm -f "$ENABLE_UPDATES_FLAGFILE" rm -f "$POSTPONED_UPDATE_FLAGFILE" rm -rf "${RUN_DIR}/interface/*" return } case "$1" in start) # The "start" method should only be used at boot time. # Don't run this on package upgrade, for example. log_action_begin_msg "Setting up resolvconf" # Wipe runtime directories in case they aren't on a tmpfs wipe_runtime_directories # Create runtime directories in case they are on a tmpfs create_runtime_directories # Request a postponed update (needed in case the base file has content). :> "$POSTPONED_UPDATE_FLAGFILE" || log_action_end_msg_and_exit 1 "failed requesting update" # Enable updates and perform the postponed update. resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates" log_action_end_msg_and_exit 0 ;; stop) # The "stop" method should only be used at shutdown time. 
log_action_begin_msg "Stopping resolvconf" resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates" log_action_end_msg_and_exit 0 ;; restart) log_action_begin_msg "Restarting resolvconf" resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates" log_action_end_msg_and_exit 0 ;; reload|force-reload) resolvconf -u || log_action_end_msg_and_exit 1 "failed to update" exit 0 ;; enable-updates) resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates" exit 0 ;; disable-updates) resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates" exit 0 ;; status) if resolvconf --updates-are-enabled ; then log_success_msg "resolvconf updates are enabled" else log_failure_msg "resolvconf updates are disabled" fi exit 0 ;; *) echo "Usage: /etc/init.d/resolvconf {start|stop|restart|reload|force-reload|enable-updates|disable-updates|status}" >&2 exit 3 ;; esac exit 99 -- debconf information: resolvconf/reboot-recommended-after-removal: resolvconf/link-tail-to-original: false resolvconf/downup-interfaces: resolvconf/linkify-resolvconf: true