SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Dominick Grift <dominick.grift@defensec.nl>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: Gionatan Danti <g.danti@assyoma.it>, selinux@vger.kernel.org
Subject: Re: lnk_file read permission
Date: Fri, 31 Jul 2020 18:53:21 +0200
Message-ID: <ypjld04bmxry.fsf@defensec.nl> (raw)
In-Reply-To: <CAJ2a_Dcev_o+NyuwUqh2ANseRniZRMQJ4dhDtrF1BtCmFSLgpg@mail.gmail.com> ("Christian \=\?utf-8\?Q\?G\=C3\=B6ttsche\=22's\?\= message of "Fri, 31 Jul 2020 18:25:55 +0200")

Christian Göttsche <cgzones@googlemail.com> writes:

> Am Fr., 31. Juli 2020 um 12:03 Uhr schrieb Gionatan Danti <g.danti@assyoma.it>:
>>
>> Dear list,
>> I am writing this email as suggested here:
>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/message/GWEWGDUQS6PERAYEJHL2EE4GDO432IAO/
>>
>> To recap: I have issue with selinux permission when relocating specific
>> daemon data directory, and using symlink in the original location. For
>> example, lets consider moving /var/lib/mysql in a new, bigger volume.
>>
>> After moving /var/lib/mysql in /data/lib/mysql and creating a symlink
>> for the new location, I used semanage fcontext to add the relative
>> equivalency rules. Moreover, I changed my.cnf to explicitly point to the
>> new data dir and socket file. So far, so good.
>>
>> When restarting apache, I noticed it can't connect to mysql. ausearch -m
>> avc showed the following:
>> ...
>> type=AVC msg=audit(1596055762.070:175569): avc:  denied  { read } for
>> pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
>>
>> The log above clearly states that httpd policy lacks lnk_read permission
>> for mysqld_db_t type. While I solved the issue by leaving the socket
>> file inside the original directory (removing the /var/lib/mysql symlink
>> and recreating the mysql dir), I was wondering why each symlink type is
>> specifically allowed
>> rather than giving any processes a generic access to symlinks.
>>
>> Is this kind of rule not permitted by selinux? Can it open the door to
>> other attacks? If so, why? Generally, what is the least invasive
>> approach to relocate services?
>>
>
> An alternative would be, since these symlinks are trusted and
> permanent, to label them as their parent directory (e.g. var_lib_t
> (use the '-l' file type specifier)) and allow the applications to read
> these lnk types.
> This also prevents e.g. mysqld_t to alter the symlink /var/lib/mysqld
> (since it probably has write permission to mysql_db_t:lnk_file but not
> var_lib_t:lnk_file).

I agree with this, also for compatibility with systemds' StateDirectory=
in conjunction with DynamicUsers=.

I you would for example have a mysqld service with StateDirectory=mysqld
and DynamicUser=yes then systemd would maintain a symlink
/var/lib/mysqld that points to /var/lib/private/mysqld

Even if you do not use that functionality it should still be compatible
with /data/lib /var/lib equivalency.

I do this consistently in my personal policy. ie instead of using
"/var/lib/mysqld(/.*)? i use /var/lib/mysqld -d and /var/lib/mysqld/.*
so that the symlink context stay's generic

Regardless, this is a policy design issue that you should probably take
to your distribution maintainer.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

  reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-31  9:57 Gionatan Danti
2020-07-31 13:12 ` Stephen Smalley
2020-07-31 16:56   ` Gionatan Danti
2020-07-31 16:25 ` Christian Göttsche
2020-07-31 16:53   ` Dominick Grift [this message]
2020-07-31 17:09     ` Gionatan Danti
2020-07-31 19:37       ` Gionatan Danti
2020-07-31 19:44         ` Dominick Grift
2020-07-31 19:49           ` Gionatan Danti
2020-07-31 17:00   ` Gionatan Danti
2020-07-31 17:45   ` Dominick Grift

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ypjld04bmxry.fsf@defensec.nl \
    --to=dominick.grift@defensec.nl \
    --cc=cgzones@googlemail.com \
    --cc=g.danti@assyoma.it \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git