On 2020-07-31 15:12, Stephen Smalley wrote:
> The lnk_file read permission check can be used to protect processes
> from following/reading untrusted symlinks, often used in malicious
> symlink attacks.
> The more broadly you allow it, the more potential for the process to
> be misdirected to an unexpected file in order to overwrite some file
> or leak its contents.

Hi Stephen,
I generally know the catches with symlinks, but I fail to understand how
this can be a problem for selinux: after all, the real/target file must
be labeled with the correct type, otherwise the service binary (running
in its confined domain) will not be able to open it. In other words, it
is my understanding that selinux not only matches the symlink, but the
target file also. So it should not be possible to fool it by changing the
symlink target on the fly. Am I missing something?

> That said, I think the policy macros/interfaces could allow it more
> widely than is currently done without too much risk. That's more of a
> question for selinux-refpolicy for upstream policy and/or the Fedora
> selinux list for their fork of it. The alternative approach for
> relocating directories is to use bind mounts.

Well, I'm coming from the fedora selinux mailing list ;)
But if you think I should write to selinux-refpolicy, I will do that.
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
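
An added example, not part of the original message and not SELinux code: a simplified Python model of the two checks discussed in this thread, the lnk_file read check on the symlink's own label and the file check on the target's label. All type names, paths and rules are hypothetical, and directory search checks are left out.

```python
# Simplified model of the two checks made when a confined process opens a
# path through a symlink. Constructed example: types, paths and rules are
# hypothetical, and directory search checks are left out.
STRICT = {
    ("svc_t", "svc_log_t", "file", "write"),
    ("svc_t", "svc_conf_t", "file", "write"),    # granted for a config-reload code path
    ("svc_t", "svc_log_t", "lnk_file", "read"),  # only follow links the service owns
}
# Broad variant: the domain may also follow symlinks labeled tmp_t.
BROAD = STRICT | {("svc_t", "tmp_t", "lnk_file", "read")}

# path -> (type, class, symlink target or None)
FS = {
    "/var/log/svc/out.log": ("svc_log_t", "file", None),
    "/var/log/svc/current": ("svc_log_t", "lnk_file", "/var/log/svc/out.log"),
    "/etc/svc.conf": ("svc_conf_t", "file", None),
    "/etc/shadow": ("shadow_t", "file", None),
    "/tmp/to_conf": ("tmp_t", "lnk_file", "/etc/svc.conf"),
    "/tmp/to_shadow": ("tmp_t", "lnk_file", "/etc/shadow"),
}

def open_for_write(domain, path, rules, max_hops=8):
    """Return (allowed, object_reached, class_of_deciding_check)."""
    for _ in range(max_hops):
        ftype, fclass, target = FS[path]
        if fclass == "lnk_file":
            # Check 1: lnk_file read on the symlink's own label.
            if (domain, ftype, "lnk_file", "read") not in rules:
                return (False, path, "lnk_file")
            path = target
            continue
        # Check 2: file permission on the label of the final target.
        return ((domain, ftype, "file", "write") in rules, path, "file")
    return (False, path, "loop")

if __name__ == "__main__":
    for rules, name in ((STRICT, "strict"), (BROAD, "broad")):
        for p in ("/var/log/svc/current", "/tmp/to_conf", "/tmp/to_shadow"):
            print(name, p, open_for_write("svc_t", p, rules))
```

In the model, a tmp_t symlink pointing at a type the domain cannot write is stopped by the target check under either rule set, while one pointing at a type the domain can already write is stopped only by the lnk_file check.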