This repository has been archived by the owner on Jul 2, 2018. It is now read-only.

Interface DNS resolving over D-Bus with systemd-resolved #113

Open
holgersson32644 opened this issue Apr 1, 2017 · 3 comments

@holgersson32644

Hi,
since I’m new to SELinux policy writing, could you please give feedback on my interface for
DNS resolution with systemd-resolved?

########################################
## <summary>
## Allow specified domain to send dbus messages to systemd-resolved
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
interface(`systemd_resolved_via_dbus',`
       gen_require(`
               type systemd_resolved_t;
               class dbus send_msg;
       ')

       allow $1 systemd_resolved_t:dbus send_msg;
')

So far I added this to systemd.te and put an interface call (correct terminology?) into every other type enforcement file of modules that needed it according to auditd & audit2allow.

Thanks,
holgersson

@cgzones
Contributor

cgzones commented Apr 1, 2017

You could take systemd_dbus_chat_logind[1] as a reference:

  • a better name would be systemd_dbus_chat_resolved
  • you should add this interface to systemd.if
  • the domain should probably be able to communicate back; hence adding allow systemd_resolved_t $1:dbus send_msg; could make sense

[1] https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/system/systemd.if#L100
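
Added example, not part of the thread and not refpolicy code: a Python helper that reads dbus `USER_AVC` denials and lists which domains need the interface call, recording the denied direction to show why the reply rule matters. The log lines are constructed samples, and `systemd_dbus_chat_resolved` is the name proposed above, assumed here rather than an existing interface.

```python
import re

# Constructed USER_AVC records, modelled on what dbus-daemon writes to the audit log.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1491033600.101:410): pid=612 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=ResolveHostname dest=org.freedesktop.resolve1 spid=901 tpid=640 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1491033600.105:411): pid=612 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.42 spid=640 tpid=901 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1491033611.220:415): pid=612 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call dest=org.freedesktop.resolve1 spid=955 tpid=640 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1491033620.001:419): pid=612 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call dest=org.freedesktop.login1 spid=901 tpid=633 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
"""

AVC_RE = re.compile(
    r"denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\w+)")
RESOLVED = "systemd_resolved_t"


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def resolved_dbus_peers(log_text):
    """Map each peer domain to the denied directions of its dbus traffic with resolved."""
    peers = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(4) != "dbus" or "send_msg" not in m.group(1).split():
            continue  # not a dbus send_msg denial
        src, tgt = type_of(m.group(2)), type_of(m.group(3))
        if tgt == RESOLVED and src != RESOLVED:
            peers.setdefault(src, set()).add("to_resolved")    # request blocked
        elif src == RESOLVED and tgt != RESOLVED:
            peers.setdefault(tgt, set()).add("from_resolved")  # reply blocked
    return peers


def interface_calls(peers, name="systemd_dbus_chat_resolved"):
    """Render one interface call per peer domain, for that module's .te file."""
    return [f"{name}({domain})" for domain in sorted(peers)]


if __name__ == "__main__":
    found = resolved_dbus_peers(SAMPLE_AUDIT_LOG)
    for call in interface_calls(found):
        print(call)
```

A `from_resolved` entry is a denial that the one-way `allow $1 systemd_resolved_t:dbus send_msg;` rule does not cover.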

@holgersson32644
Author

holgersson32644 commented Apr 1, 2017

Thanks! Sorry, of course I put that InterFace into the if file ;)
If this works well after some testing, what is the preferred way of requesting a merge: via a pull request or on the mailing list as a patch?

@pebenito
Contributor

pebenito commented Apr 2, 2017

Either way is fine.
