lnk_file read permission

Dear list,
I am writing this email as suggested here:
https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/GWEWGDUQS6PERAYEJHL2EE4GDO432IAO/

To recap: I have an issue with SELinux permissions when relocating a specific daemon's data directory and using a symlink in the original location. For example, let's consider moving /var/lib/mysql to a new, bigger volume.

After moving /var/lib/mysql to /data/lib/mysql and creating a symlink to the new location, I used semanage fcontext to add the corresponding equivalency rules. Moreover, I changed my.cnf to explicitly point to the new data dir and socket file. So far, so good.

When restarting apache, I noticed it couldn't connect to mysql. ausearch -m avc showed the following:
...
type=AVC msg=audit(1596055762.070:175569): avc: denied { read } for pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0

The log above clearly states that the httpd policy lacks lnk_read permission for the mysqld_db_t type. While I solved the issue by leaving the socket file inside the original directory (removing the /var/lib/mysql symlink and recreating the mysql dir), I was wondering why each symlink type is specifically allowed rather than giving any process generic access to symlinks.

Is this kind of rule not permitted by SELinux? Can it open the door to other attacks? If so, why? Generally, what is the least invasive approach to relocating services?

As a side note, consider that the above applies to other common services such as libvirt (fixed via this BZ https://bugzilla.redhat.com/show_bug.cgi?id=1598593) and mongodb [1].

Thanks.

[1] Another example, from relocating mongodb (this time on a CentOS 7 box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod

Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log | audit2allow" shows the following error: "allow mongod_t mongod_var_lib_t:lnk_file read;"

Indeed, sesearch cannot find any permission to read mongod_var_lib_t links:
[root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep mongod_var_lib_t

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
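Added example (not part of the original mail or of any SELinux tool): a small POSIX sh helper that turns an AVC record like the one quoted above into the allow rule audit2allow would propose and into the setools sesearch query that confirms whether the loaded policy already grants that access. The sample record is the httpd/mysqld_db_t denial from the mail; the function names are my own.

```shell
#!/bin/sh
# Sample AVC record, taken from the denial quoted in the mail above.
SAMPLE_AVC='type=AVC msg=audit(1596055762.070:175569): avc: denied { read } for pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0'

# avc_field LINE KEY: print the VALUE of KEY=VALUE (bare or double-quoted).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_to_allow LINE: the TE rule the denial implies, in audit2allow form.
# This is what a local policy module would have to contain; review it
# against the target type (here a whole data directory type) before loading.
avc_to_allow() {
    perms=$(avc_perms "$1")
    case $perms in *' '*) perms="{ $perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$perms"
}

# avc_to_sesearch LINE: the setools query that lists any rule already
# granting this access; empty output means the policy does not allow it.
avc_to_sesearch() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1" | tr ' ' ',')"
}

avc_to_allow "$SAMPLE_AVC"
avc_to_sesearch "$SAMPLE_AVC"
```

Pipe a line from `ausearch -m avc` into the two functions to get both the rule and the confirming query; running the sesearch query needs the setools package on a machine with the policy loaded.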