On Fri, Jul 31, 2020 at 6:06 AM Gionatan Danti <g.danti@xxxxxxxxxx> wrote: > > Dear list, > I am writing this email as suggested here: > https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/GWEWGDUQS6PERAYEJHL2EE4GDO432IAO/ > > To recap: I have issue with selinux permission when relocating specific > daemon data directory, and using symlink in the original location. For > example, lets consider moving /var/lib/mysql in a new, bigger volume. > > After moving /var/lib/mysql in /data/lib/mysql and creating a symlink > for the new location, I used semanage fcontext to add the relative > equivalency rules. Moreover, I changed my.cnf to explicitly point to the > new data dir and socket file. So far, so good. > > When restarting apache, I noticed it can't connect to mysql. ausearch -m > avc showed the following: > ... > type=AVC msg=audit(1596055762.070:175569): avc: denied { read } for > pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0 > > The log above clearly states that httpd policy lacks lnk_read permission > for mysqld_db_t type. While I solved the issue by leaving the socket > file inside the original directory (removing the /var/lib/mysql symlink > and recreating the mysql dir), I was wondering why each symlink type is > specifically allowed > rather than giving any processes a generic access to symlinks. > > Is this kind of rule not permitted by selinux? Can it open the door to > other attacks? If so, why? Generally, what is the least invasive > approach to relocate services? The lnk_file read permission check can be used to protect processes from following/reading untrusted symlinks, often used in malicious symlink attacks. The more broadly you allow it, the more potential for the process to be misdirected to an unexpected file in order to overwrite some file or leak its contents. That said, I think the policy macros/interfaces could allow it more widely than is currently done without too much risk. That's more of a question for selinux-refpolicy for upstream policy and/or the Fedora selinux list for their fork of it. The alternative approach for relocating directories is to use bind mounts.
