On 2020-04-27 09:04 Zdenek Pytela wrote:
Hi,
Daemons/domains usually have the access to symlinks granted. Can you
give a particular example? I checked mysql:
Hi Zdenek,
an example taken from a server running postfix with mysql integration on
a CentOS 8 box:
[root@localhost ~]# sesearch -A -s postfix_master_t | grep lnk_file | grep mysql
allow postfix_master_t mysqld_etc_t:lnk_file { getattr read };
As you can see, the master process can read mysqld_etc_t links but not
mysqld_db_t ones.
Another example, from relocating mongodb (this time on a CentOS 7 box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod
Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log |
audit2allow" shows the following error: "allow mongod_t
mongod_var_lib_t:lnk_file read;"
Indeed, sesearch can not find any permission to read mongod_var_lib_t
links:
[root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep mongod_var_lib_t
Finally, in the past I opened a Bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=1598593) against virtlogd
which was denied reading from a relocated /var/lib/libvirt directory.
So I was wondering why each symlink type is specifically allowed rather
than giving any process a generic access to symlinks. Is this kind of
rule not permitted by SELinux? Can it open the door to other attacks? If
so, why?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
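One way to triage this class of denials before restarting a relocated daemon: parse the AVC records for lnk_file denials and compare them with the rules sesearch reports, so the missing symlink permission is known up front instead of after the service fails to start. This is an added example, not code from the post; the audit records and sesearch output below are constructed (the mongod dir/file rules in particular are invented for illustration), and the lnk_file query it builds uses sesearch's -s/-t/-c/-p filters.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the original post), in the
# format auditd uses for AVC denials; two of them are denials on symlinks.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1588000000.101:201): avc:  denied  { read } for  pid=1234 comm="mongod" name="mongo" dev="dm-0" ino=1 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1588000000.102:202): avc:  denied  { write } for  pid=1234 comm="mongod" name="mongod.lock" dev="dm-0" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588000000.103:203): avc:  denied  { read } for  pid=5678 comm="virtlogd" name="libvirt" dev="dm-0" ino=3 scontext=system_u:system_r:virtlogd_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1588000000.103:203): arch=c000003e syscall=257 success=no exit=-13
"""
# Constructed 'sesearch -A' output (same shape as the post's postfix example);
# the mongod dir/file rules are invented, not copied from a real policy.
SAMPLE_SESEARCH = """\
allow postfix_master_t mysqld_etc_t:lnk_file { getattr read };
allow mongod_t mongod_var_lib_t:dir { read write search add_name remove_name };
allow mongod_t mongod_var_lib_t:file { read write open getattr };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<domain>[^:\s]+):\S+\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+\s+tclass=(?P<tclass>\w+)"
)
RULE_RE = re.compile(r"allow (\S+) (\S+):(\S+) (?:\{ ([^}]*)\}|(\S+));")

def lnk_file_denials(audit_text):
    """Map (domain, target type) -> denied permissions, for symlink (lnk_file) AVCs only."""
    found = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and m["tclass"] == "lnk_file":
            found[(m["domain"], m["ttype"])].update(m["perms"].split())
    return dict(found)

def parse_allow_rules(sesearch_text):
    """Map (domain, target type, class) -> allowed permissions, from sesearch -A output."""
    rules = defaultdict(set)
    for src, tgt, cls, multi, single in RULE_RE.findall(sesearch_text):
        rules[(src, tgt, cls)].update(multi.split() if multi else [single])
    return dict(rules)

def uncovered_symlink_denials(audit_text, sesearch_text):
    """Denials the loaded policy does not grant, as audit2allow-style statements."""
    rules = parse_allow_rules(sesearch_text)
    out = []
    for (domain, ttype), denied in sorted(lnk_file_denials(audit_text).items()):
        missing = denied - rules.get((domain, ttype, "lnk_file"), set())
        if missing:
            perms = " ".join(sorted(missing))
            perms = perms if len(missing) == 1 else "{ " + perms + " }"
            out.append(f"allow {domain} {ttype}:lnk_file {perms};")
    return out

def sesearch_query(domain, ttype, perm="read"):
    """The sesearch invocation that confirms (or refutes) a rule before restarting the daemon."""
    return f"sesearch -A -s {domain} -t {ttype} -c lnk_file -p {perm}"
```

Running the query it prints against the live policy, as the post does with grep, is the check to do before the mv/ln -s/restorecon sequence rather than after.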