Il 2020-05-05 10:43 Gionatan Danti ha scritto:
Il 2020-04-27 12:18 Gionatan Danti ha scritto:
Il 2020-04-27 09:04 Zdenek Pytela ha scritto:
Hi,
Daemons/domains usually have the access to symlinks granted. Can you
give a particular example? I checked mysql:
Hi Zdenek,
an example take from a server running postfix with mysql integration
on a CentOS 8 box:
[root@localhost ~]# sesearch -A -s postfix_master_t | grep lnk_file |
grep mysql
allow postfix_master_t mysqld_etc_t:lnk_file { getattr read };
As you can see, the master process can read mysqld_etc_t links but not
mysqld_db_t ones.
Another example, from relocating mongodb (this time on a CentOS 7
box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod
Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log |
audit2allow" show the following error: "allow mongod_t
mongod_var_lib_t:lnk_file read;"
Indeed, sesearch can not find any permission to read mongod_var_lib_t
links:
[root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep
mongod_var_lib_t
Finally, in the past I opened a buzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=1598593) against virtlogd
which was denied reading from a relocated /var/lib/libvirt directory.
So I was wondering why each symlink type is specifically allowed
rather than giving any processes a generic access to symlinks. Is this
kind of rule not permitted by selinux? Can it open the door to other
attacks? If so, why?
Thanks.
Hi, anyone with some suggestion? Am I missing something?
Thanks.
Hi all, sorry for the long quote, but I think it can be useful to add
some context.
Today, relocating a mysql database on a new partition, I was bitten by
the same issue depicted in this thread: the lacking of lnk_read
permission for many selinux policy.
After moving /var/lib/mysql in /data/lib/mysql and creating a symlink
for the new location, I used semanage fcontext to add the relative
equivalency rules. Moreover, I changed my.cnf to explicitly point to the
new data dir and socket file. So far, so good.
When restarting apache, I noticed it can't connect to mysql. ausearch -m
avc showed the following:
...
type=AVC msg=audit(1596055762.070:175569): avc: denied { read } for
pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
The log above clearly states that httpd policy lacks lnk_read permission
for mysqld_db_t type. While I solved the issue by leaving the socket
file inside the original directory (removing the /var/lib/mysql symlink
and recreating the mysql dir), my original questions stand:
So I was wondering why each symlink type is specifically allowed
rather than giving any processes a generic access to symlinks. Is this
kind of rule not permitted by selinux? Can it open the door to other
attacks? If so, why?
On one of the bugzilla issue I opened regarding various processes
lacking lnk_read permission, one reply stated that denying lnk_read
permission lead to "unnecessary fragility". Is that true?
Finally, I am missing something?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
