SELinux Archive on lore.kernel.org
 help / color / Atom feed
* lnk_file read permission
@ 2020-07-31  9:57 Gionatan Danti
  2020-07-31 13:12 ` Stephen Smalley
  2020-07-31 16:25 ` Christian Göttsche
  0 siblings, 2 replies; 11+ messages in thread
From: Gionatan Danti @ 2020-07-31  9:57 UTC (permalink / raw)
  To: selinux

Dear list,
I am writing this email as suggested here:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/message/GWEWGDUQS6PERAYEJHL2EE4GDO432IAO/

To recap: I have issue with selinux permission when relocating specific 
daemon data directory, and using symlink in the original location. For 
example, lets consider moving /var/lib/mysql in a new, bigger volume.

After moving /var/lib/mysql in /data/lib/mysql and creating a symlink 
for the new location, I used semanage fcontext to add the relative 
equivalency rules. Moreover, I changed my.cnf to explicitly point to the 
new data dir and socket file. So far, so good.

When restarting apache, I noticed it can't connect to mysql. ausearch -m 
avc showed the following:
...
type=AVC msg=audit(1596055762.070:175569): avc:  denied  { read } for  
pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0

The log above clearly states that httpd policy lacks lnk_read permission 
for mysqld_db_t type. While I solved the issue by leaving the socket 
file inside the original directory (removing the /var/lib/mysql symlink 
and recreating the mysql dir), I was wondering why each symlink type is 
specifically allowed
rather than giving any processes a generic access to symlinks.

Is this kind of rule not permitted by selinux? Can it open the door to 
other attacks? If so, why? Generally, what is the least invasive 
approach to relocate services?

As a side note, consider that the above applies to other common services 
as libvirt (fixed via this BZ 
https://bugzilla.redhat.com/show_bug.cgi?id=1598593) and mongodb [1].

Thanks.

[1] Another example, from relocating mongodb (this time on a CentOS 7 
box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod

Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log |
audit2allow" show the following error: "allow mongod_t
mongod_var_lib_t:lnk_file read;"

Indeed, sesearch can not find any permission to read mongod_var_lib_t 
links:
[root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep
mongod_var_lib_t

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@assyoma.it - info@assyoma.it
GPG public key ID: FF5F32A8

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, back to index

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-31  9:57 lnk_file read permission Gionatan Danti
2020-07-31 13:12 ` Stephen Smalley
2020-07-31 16:56   ` Gionatan Danti
2020-07-31 16:25 ` Christian Göttsche
2020-07-31 16:53   ` Dominick Grift
2020-07-31 17:09     ` Gionatan Danti
2020-07-31 19:37       ` Gionatan Danti
2020-07-31 19:44         ` Dominick Grift
2020-07-31 19:49           ` Gionatan Danti
2020-07-31 17:00   ` Gionatan Danti
2020-07-31 17:45   ` Dominick Grift

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git