From: "Christian Göttsche" <cgzones@googlemail.com>
To: Gionatan Danti <g.danti@assyoma.it>
Cc: selinux@vger.kernel.org
Subject: Re: lnk_file read permission
Date: Fri, 31 Jul 2020 18:25:55 +0200 [thread overview]
Message-ID: <CAJ2a_Dcev_o+NyuwUqh2ANseRniZRMQJ4dhDtrF1BtCmFSLgpg@mail.gmail.com> (raw)
In-Reply-To: <9c20af23bf7b70d6e01ca6772cc31f88@assyoma.it>
Am Fr., 31. Juli 2020 um 12:03 Uhr schrieb Gionatan Danti <g.danti@assyoma.it>:
>
> Dear list,
> I am writing this email as suggested here:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/message/GWEWGDUQS6PERAYEJHL2EE4GDO432IAO/
>
> To recap: I have issue with selinux permission when relocating specific
> daemon data directory, and using symlink in the original location. For
> example, lets consider moving /var/lib/mysql in a new, bigger volume.
>
> After moving /var/lib/mysql in /data/lib/mysql and creating a symlink
> for the new location, I used semanage fcontext to add the relative
> equivalency rules. Moreover, I changed my.cnf to explicitly point to the
> new data dir and socket file. So far, so good.
>
> When restarting apache, I noticed it can't connect to mysql. ausearch -m
> avc showed the following:
> ...
> type=AVC msg=audit(1596055762.070:175569): avc: denied { read } for
> pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
>
> The log above clearly states that httpd policy lacks lnk_read permission
> for mysqld_db_t type. While I solved the issue by leaving the socket
> file inside the original directory (removing the /var/lib/mysql symlink
> and recreating the mysql dir), I was wondering why each symlink type is
> specifically allowed
> rather than giving any processes a generic access to symlinks.
>
> Is this kind of rule not permitted by selinux? Can it open the door to
> other attacks? If so, why? Generally, what is the least invasive
> approach to relocate services?
>
An alternative would be, since these symlinks are trusted and
permanent, to label them as their parent directory (e.g. var_lib_t
(use the '-l' file type specifier)) and allow the applications to read
these lnk types.
This also prevents e.g. mysqld_t to alter the symlink /var/lib/mysqld
(since it probably has write permission to mysql_db_t:lnk_file but not
var_lib_t:lnk_file).
next prev parent reply other threads:[~2020-07-31 16:26 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-31 9:57 lnk_file read permission Gionatan Danti
2020-07-31 13:12 ` Stephen Smalley
2020-07-31 16:56 ` Gionatan Danti
2020-07-31 16:25 ` Christian Göttsche [this message]
2020-07-31 16:53 ` Dominick Grift
2020-07-31 17:09 ` Gionatan Danti
2020-07-31 19:37 ` Gionatan Danti
2020-07-31 19:44 ` Dominick Grift
2020-07-31 19:49 ` Gionatan Danti
2020-07-31 17:00 ` Gionatan Danti
2020-07-31 17:45 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJ2a_Dcev_o+NyuwUqh2ANseRniZRMQJ4dhDtrF1BtCmFSLgpg@mail.gmail.com \
--to=cgzones@googlemail.com \
--cc=g.danti@assyoma.it \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).