Re: lnk_file read permission

On 2020-04-27 09:04 Zdenek Pytela wrote:
> Hi,
>
> Daemons/domains usually have the access to symlinks granted. Can you
> give a particular example? I checked mysql:

Hi Zdenek,
an example taken from a server running postfix with mysql integration on a CentOS 8 box:

[root@localhost ~]# sesearch -A -s postfix_master_t | grep lnk_file | grep mysql
allow postfix_master_t mysqld_etc_t:lnk_file { getattr read };

As you can see, the master process can read mysqld_etc_t links but not mysqld_db_t ones.

Another example, from relocating mongodb (this time on a CentOS 7 box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod

Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log | audit2allow" shows the following error: "allow mongod_t mongod_var_lib_t:lnk_file read;"

Indeed, sesearch cannot find any permission to read mongod_var_lib_t links:
[root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep mongod_var_lib_t

Finally, in the past I opened a Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1598593) against virtlogd, which was denied reading from a relocated /var/lib/libvirt directory.

So I was wondering why each symlink type is specifically allowed rather than giving all processes generic access to symlinks. Is this kind of rule not permitted by SELinux? Can it open the door to other attacks? If so, why?

Thanks.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
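As an added example (not code from the original post, nor from the MongoDB or SELinux projects), the script below works through the relocation case described in the message: it pulls lnk_file AVC denials out of audit.log text, emits the minimal TE module that grants exactly the denied permission, offers a sesearch check to run before relying on a symlink, and shows the bind-mount alternative, which needs no lnk_file rule at all because the daemon never traverses a symlink. The service name mongod, the paths /var/lib/mongo and /tank/graylog/var/lib/mongo and the two audit lines are assumptions constructed for the example; the functions that call semanage, restorecon, sesearch, mount and systemctl need root and the policycoreutils/setools packages.

```shell
#!/bin/sh
# Added example (not from the original post or the MongoDB/SELinux projects).
# Assumed: service mongod, /var/lib/mongo, /tank/graylog/var/lib/mongo, and
# the two constructed audit.log lines in SAMPLE_AUDIT below.

# --- 1. Extract lnk_file AVC denials from audit.log text on stdin -----------
# Prints "source_type target_type perms", one line per lnk_file denial; other
# object classes (file, dir, ...) are ignored.
lnk_denials() {
  awk '
    /avc: *denied/ && /tclass=lnk_file/ {
      perms = ""
      if (match($0, /denied +[{] *[^}]* *[}]/)) {
        perms = substr($0, RSTART, RLENGTH)   # "denied  { read }"
        sub(/denied +[{] */, "", perms)       # "read }"
        sub(/ *[}]$/, "", perms)              # "read"
      }
      src = ""; tgt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:type:level
        if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
      }
      print src, tgt, perms
    }'
}

# --- 2. Minimal TE module granting exactly the denied lnk_file perms --------
# Save the output as mod.te, then build and load it with:
#   checkmodule -M -m -o mod.mod mod.te && semodule_package -o mod.pp -m mod.mod
#   semodule -i mod.pp
gen_te_module() {
  domain=$1; ttype=$2; perms=$3
  printf 'module %s_lnk 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass lnk_file { %s };\n}\n\n' \
    "$domain" "$domain" "$ttype" "$perms"
  printf 'allow %s %s:lnk_file { %s };\n' "$domain" "$ttype" "$perms"
}

# --- 3. Ask the loaded policy before relying on a symlink (needs setools) ---
# Returns 0 if DOMAIN may read symlinks of TYPE, 1 otherwise.
lnk_read_allowed() {
  sesearch -A -s "$1" -t "$2" -c lnk_file -p read | grep -q '^allow '
}

# --- 4. Relocate without a symlink: a bind mount needs no lnk_file rule -----
# The daemon opens ORIG directly, the files keep their labels, and the -e
# equivalence rule makes restorecon label the new tree like the old one.
bind_mount_relocate() {
  svc=$1; orig=$2; new=$3   # e.g. mongod /var/lib/mongo /tank/graylog/var/lib/mongo
  systemctl stop "$svc"
  mkdir -p "$(dirname "$new")"
  mv "$orig" "$new"
  mkdir "$orig"
  semanage fcontext -a -e "$orig" "$new"
  restorecon -R "$new"
  printf '%s %s none bind 0 0\n' "$new" "$orig" >> /etc/fstab
  mount "$orig"
  systemctl start "$svc"
}

# Constructed sample: one lnk_file denial (the case the post describes) and
# one unrelated file denial that must be filtered out.
SAMPLE_AUDIT='type=AVC msg=audit(1588000000.123:456): avc:  denied  { read } for  pid=1234 comm="mongod" name="mongo" dev="dm-0" ino=789 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1588000000.456:457): avc:  denied  { getattr } for  pid=1234 comm="mongod" path="/etc/mongod.conf" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Run the sample through steps 1 and 2 and print the resulting module source.
demo() {
  printf '%s\n' "$SAMPLE_AUDIT" | lnk_denials | while read -r src tgt perms; do
    gen_te_module "$src" "$tgt" "$perms"
  done
}
```

`demo` prints a module granting only `mongod_t mongod_var_lib_t:lnk_file { read }`, which is the narrow rule audit2allow would also propose; `bind_mount_relocate` is the option that keeps the stock policy untouched, since with a bind mount there is no symlink for the domain to read.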



