[Dnsmasq-discuss] Upgrade to [x]ubuntu 23.10 means dnsmasq can't read /run/NetworkManager

Petr Menšík pemensik at redhat.com
Fri Feb 9 12:51:07 UTC 2024


I would consider it a bug and it should be reported to the distribution 
bug tracker (Launchpad?).

We have something similar and I admit there are different SELinux 
contexts assigned for those files.

$ LANG=C.UTF-8 ls -lZ /run/NetworkManager/*resolv.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_var_run_t:s0 281 Feb  9 13:29 /run/NetworkManager/no-stub-resolv.conf
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0               281 Feb  9 13:29 /run/NetworkManager/resolv.conf

I think Ubuntu is using AppArmor instead, but anyway. I do not think 
this file is meant to be private or has any good reason to be. That 
should be read-only for any service needing that information.

Similar files are produced by systemd-resolved:

# ls -lZ /run/systemd/resolve/*resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve unconfined_u:object_r:user_tmp_t:s0 788 Feb  9 13:48 /run/systemd/resolve/resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve unconfined_u:object_r:user_tmp_t:s0 920 Feb  9 13:48 /run/systemd/resolve/stub-resolv.conf

Which should be readable by other services as well.

File a bug for your distribution, please.

On 12/14/23 23:46, Chris Green wrote:
> Up until now I have the following in my /etc/dnsmasq.conf:-
>
>      resolv-file=/run/NetworkManager/no-stub-resolv.conf
>
> This means that dnsmasq uses the upstream DNS that Network Manager
> configures.  When I'm on the local LAN this resolves to 'my' DNS
> server at 192.168.1.2, when I'm connected somewhere else Network
> Manager sorts things out accordingly and dnsmasq gets the right
> upstream DNS server.
>
> However the latest Ubuntu update has tightened the permissions on
> /etc/NetworkManager and dnsmasq can't read the file
> /run/NetworkManager/no-stub-resolv.conf.
>
> I know this is a slightly non-standard configuration but it has worked
> very nicely for me for some years.  Can anyone suggest a way to fix
> this?   Obviously /run/NetworkManager/no-stub-resolv.conf is created
> at every boot so the permissions will revert to 'too strict' every
> time I start the system.
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
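
Added example (not part of the original messages, and not dnsmasq or NetworkManager code): a file can be mode 0644, as in the listings above, and still be unreadable to an unrelated service account if a parent directory lacks search permission for "other". The function name `first_blocker`, its optional prefix argument and the demo tree are assumptions made for illustration; it relies on GNU `stat` and does not evaluate ACLs, AppArmor or SELinux policy.

```shell
#!/bin/sh
# first_blocker PATH [PREFIX]   (hypothetical helper, added for illustration)
# Walk PATH component by component and print the first one whose "other"
# mode bits would stop an unrelated, unprivileged service account:
# directories need o+x (search), the final file needs o+r (read).
# Components inside PREFIX are skipped (default: walk from /).
# Returns 0 if nothing blocks, 1 on a blocker, 2 on usage or stat errors.
first_blocker() {
    target=$1
    prefix=${2:-}
    case $target in
        "$prefix"/*) ;;
        *) echo "PATH must be absolute and below PREFIX" >&2; return 2 ;;
    esac
    current=$prefix
    rest=${target#"$prefix"/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue            # tolerate doubled slashes
        current=$current/$part
        mode=$(stat -c '%a' "$current") || return 2   # GNU stat, octal mode
        other=${mode#"${mode%?}"}             # last octal digit = "other" class
        if [ -d "$current" ]; then
            need=1; what='o+x (search)'
        else
            need=4; what='o+r (read)'
        fi
        if [ $((other & need)) -eq 0 ]; then
            echo "$current mode=$mode lacks $what"
            return 1
        fi
    done
    return 0
}

# Constructed demo tree (not the real /run): a 0644 file in a 0750 directory.
demo=$(mktemp -d)
mkdir -p "$demo/run/NetworkManager"
: > "$demo/run/NetworkManager/no-stub-resolv.conf"
chmod 755 "$demo/run"
chmod 644 "$demo/run/NetworkManager/no-stub-resolv.conf"
chmod 750 "$demo/run/NetworkManager"
first_blocker "$demo/run/NetworkManager/no-stub-resolv.conf" "$demo" || true
rm -rf "$demo"
```

If every component passes this check and the service still gets "permission denied", the mode bits are not the cause and the mandatory access control layer (AppArmor or SELinux) is the next place to look.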



