From: Gionatan Danti <g.danti@assyoma.it>
To: selinux@vger.kernel.org
Subject: lnk_file read permission
Date: Fri, 31 Jul 2020 11:57:48 +0200
Message-ID: <9c20af23bf7b70d6e01ca6772cc31f88@assyoma.it>

Dear list,
I am writing this email as suggested here:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/message/GWEWGDUQS6PERAYEJHL2EE4GDO432IAO/

To recap: I have an issue with SELinux permissions when relocating a specific 
daemon's data directory and using a symlink in the original location. For 
example, let's consider moving /var/lib/mysql to a new, bigger volume.

After moving /var/lib/mysql to /data/lib/mysql and creating a symlink 
to the new location, I used semanage fcontext to add the relative 
equivalency rules. Moreover, I changed my.cnf to explicitly point to the 
new data dir and socket file. So far, so good.

When restarting Apache, I noticed it can't connect to MySQL. ausearch -m 
avc showed the following:
...
type=AVC msg=audit(1596055762.070:175569): avc:  denied  { read } for  pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0

The log above clearly states that the httpd policy lacks lnk_file read 
permission for the mysqld_db_t type. While I solved the issue by leaving 
the socket file inside the original directory (removing the /var/lib/mysql 
symlink and recreating the mysql dir), I was wondering why each symlink 
type is specifically allowed rather than giving any process generic 
access to symlinks.

Is this kind of rule not permitted by SELinux? Can it open the door to 
other attacks? If so, why? Generally, what is the least invasive 
approach to relocating services?

As a side note, consider that the above applies to other common services 
such as libvirt (fixed via this BZ: 
https://bugzilla.redhat.com/show_bug.cgi?id=1598593) and MongoDB [1].

Thanks.

[1] Another example, from relocating mongodb (this time on a CentOS 7 
box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod

Result:
MongoDB does not start. Issuing "audit2allow -a" (equivalent to piping 
/var/log/audit/audit.log into audit2allow) shows the following error: 
"allow mongod_t mongod_var_lib_t:lnk_file read;"

Indeed, sesearch cannot find any permission to read mongod_var_lib_t 
links (no rule is printed):
[root@localhost ~]# sesearch -A -s mongod_t -t mongod_var_lib_t -c lnk_file

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@assyoma.it - info@assyoma.it
GPG public key ID: FF5F32A8
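As an added example (not part of the post or of any SELinux tool), a small Python parser that turns AVC records like the one quoted above into the allow rules audit2allow would print, and picks out lnk_file read denials, which are the signature of a daemon directory that has been replaced by a symlink. The sample log is constructed: the first record is the one from the mail, the second is a made-up mongod denial using the type name from footnote [1].

```python
import re
from collections import defaultdict

# Constructed sample audit log: record 1 is quoted from the mail, record 2 is
# a made-up mongod denial (pid/ino invented), record 3 is a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1596055762.070:175569): avc:  denied  { read } for  pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1596055800.000:175600): avc:  denied  { read } for  pid=73001 comm="mongod" name="mongo" dev="sda2" ino=204 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1596055762.070:175569): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # The type is the third colon-separated field of an SELinux context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rules(log_text):
    """Aggregate denials per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" if len(p) > 1
        else f"allow {s} {t}:{c} {next(iter(p))};"
        for (s, t, c), p in perms.items())


def symlink_relocation_denials(log_text):
    """List (comm, name, target type) for lnk_file read denials, i.e. a daemon
    following a symlink that replaced its data directory."""
    return [(r['comm'], r['name'], r['ttype'])
            for r in map(parse_avc, log_text.splitlines())
            if r and r['tclass'] == 'lnk_file' and 'read' in r['perms']]
```

The generated rules are a diagnostic view of the denial, not something to load as-is; the mail's own resolution was to keep the socket under the original, correctly typed directory.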
