Ensure that resolved.conf.d is accessible

systemd-resolved runs as user systemd-resolve. Ensure that resolved.conf.d drop-in directory is accessible when installer runs with restricted umask. Also ensure the file and directory has correct SELinux context. The parent directory /etc/systemd exists on all platforms. Fixes: https://pagure.io/freeipa/issue/8275 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-28 12:00:01 +02:00
parent 2c393c09e0
commit 34e47778b4
1 changed files with 9 additions and 1 deletions
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -336,7 +336,11 @@ class BaseTaskNamespace:
            from ipaplatform.services import knownservices

            confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
-            os.makedirs(confd, exist_ok=True)
+            if not os.path.isdir(confd):
+                os.mkdir(confd)
+                # owned by root, readable by systemd-resolve user
+                os.chmod(confd, 0o755)
+                tasks.restore_context(confd, force=True)

            cfg = RESOLVE1_IPA_CONF.format(
                searchdomains=" ".join(searchdomains)
@@ -345,6 +349,10 @@ class BaseTaskNamespace:
                os.fchmod(f.fileno(), 0o644)
                f.write(cfg)

+            tasks.restore_context(
+                paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
+            )
+
            knownservices["systemd-resolved"].reload_or_restart()

    def unconfigure_dns_resolver(self, fstore=None):