On 2020-04-27 12:18 Gionatan Danti wrote:
On 2020-04-27 09:04 Zdenek Pytela wrote:
> Hi,
>
> Daemons/domains usually have the access to symlinks granted. Can you
> give a particular example? I checked mysql:
Hi Zdenek,
an example taken from a server running postfix with mysql integration
on a CentOS 8 box:
[root@localhost ~]# sesearch -A -s postfix_master_t | grep lnk_file | grep mysql
allow postfix_master_t mysqld_etc_t:lnk_file { getattr read };
As you can see, the master process can read mysqld_etc_t links but not
mysqld_db_t ones.
Another example, from relocating mongodb (this time on a CentOS 7 box):
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod
Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log |
audit2allow" shows the following error: "allow mongod_t
mongod_var_lib_t:lnk_file read;"
Indeed, sesearch can not find any permission to read mongod_var_lib_t
links:
[root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep mongod_var_lib_t
Finally, in the past I opened a bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=1598593) against virtlogd
which was denied reading from a relocated /var/lib/libvirt directory.
So I was wondering why each symlink type is specifically allowed
rather than giving any process generic access to symlinks. Is this
kind of rule not permitted by selinux? Can it open the door to other
attacks? If so, why?
Thanks.
Hi, anyone with some suggestions? Am I missing something?
Thanks.
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
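The grep-based check done by hand in the message above, written out as an added example that is not part of the original thread: it parses a constructed sample of "sesearch -A -s mongod_t" output and a constructed AVC record, and reports whether the denied lnk_file read on that exact target type is covered by any allow rule. The rule lines and the audit record are made up for illustration and are not taken from the real policy.

```python
import re

# Constructed sample in the shape of "sesearch -A -s mongod_t" output (not the real policy).
SESEARCH_OUTPUT = """\
allow mongod_t mongod_var_lib_t:dir { add_name create getattr open read remove_name search write };
allow mongod_t mongod_var_lib_t:file { append create getattr open read unlink write };
allow mongod_t etc_t:lnk_file { getattr read };
allow mongod_t mongod_log_t:lnk_file read;
"""

# Constructed AVC record of the kind seen after relocating /var/lib/mongo behind a symlink.
AVC_LINE = ('type=AVC msg=audit(1588000000.123:456): avc:  denied  { read } for  pid=1234 '
            'comm="mongod" name="mongo" dev="dm-0" ino=1 '
            'scontext=system_u:system_r:mongod_t:s0 '
            'tcontext=unconfined_u:object_r:mongod_var_lib_t:s0 tclass=lnk_file permissive=0')

# "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS p1;"
RULE_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);')

def parse_allow_rules(text):
    """Return a list of (source, target, class, set_of_perms) from sesearch -A output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip('{} ').split())))
    return rules

def parse_avc(line):
    """Extract (domain, target_type, class, denied_perms) from one AVC denial line."""
    denied = set(re.search(r'denied\s+\{([^}]*)\}', line).group(1).split())
    domain = re.search(r'scontext=\S+?:\S+?:(\S+?):', line).group(1)
    ttype = re.search(r'tcontext=\S+?:\S+?:(\S+?):', line).group(1)
    tclass = re.search(r'tclass=(\S+)', line).group(1)
    return domain, ttype, tclass, denied

def is_allowed(rules, domain, ttype, tclass, perms):
    """True when some allow rule grants every denied permission for this exact target type."""
    return any(src == domain and tgt == ttype and cls == tclass and perms <= perm_set
               for src, tgt, cls, perm_set in rules)

def lnk_types_readable(rules, domain):
    """Target types whose symlinks the domain may read: access is granted per type, not generically."""
    return sorted(tgt for src, tgt, cls, perms in rules
                  if src == domain and cls == "lnk_file" and "read" in perms)
```

Running is_allowed on the parsed AVC record returns False here because no rule grants mongod_t read on mongod_var_lib_t:lnk_file, which is the gap the message describes.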