Il 2020-05-05 10:43 Gionatan Danti ha scritto:
Il 2020-04-27 12:18 Gionatan Danti ha scritto:
> Il 2020-04-27 09:04 Zdenek Pytela ha scritto:
>> Hi,
>>
>> Daemons/domains usually have the access to symlinks granted. Can you
>> give a particular example? I checked mysql:
>
> Hi Zdenek,
> an example take from a server running postfix with mysql integration
> on a CentOS 8 box:
>
> [root@localhost ~]# sesearch -A -s postfix_master_t | grep lnk_file |
> grep mysql
> allow postfix_master_t mysqld_etc_t:lnk_file { getattr read };
>
> As you can see, the master process can read mysqld_etc_t links but not
> mysqld_db_t ones.
>
> Another example, from relocating mongodb (this time on a CentOS 7
> box):
> semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
> mv /var/lib/mongo /tank/graylog/var/lib/mongo
> ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
> restorecon /var/lib/mongo
> systemctl restart mongod
>
> Result:
> MongoDB does not start. Issuing "cat /var/log/audit/audit.log |
> audit2allow" show the following error: "allow mongod_t
> mongod_var_lib_t:lnk_file read;"
>
> Indeed, sesearch can not find any permission to read mongod_var_lib_t
> links:
> [root@localhost ~]# sesearch -A -s mongod_t | grep lnk_file | grep
> mongod_var_lib_t
>
> Finally, in the past I opened a buzilla
> (
https://bugzilla.redhat.com/show_bug.cgi?id=1598593) against virtlogd
> which was denied reading from a relocated /var/lib/libvirt directory.
>
So I was wondering why each symlink type is specifically allowed
rather than giving any processes a generic access to symlinks. Is this
kind of rule not permitted by selinux? Can it open the door to other
attacks? If so, why?
>
> Thanks.
Hi, anyone with some suggestion? Am I missing something?
Thanks.
Hi all, sorry for the long quote, but I think it can be useful to add
some context.
Today, relocating a mysql database on a new partition, I was bitten by
the same issue depicted in this thread: the lacking of lnk_read
permission for many selinux policy.
After moving /var/lib/mysql in /data/lib/mysql and creating a symlink
for the new location, I used semanage fcontext to add the relative
equivalency rules. Moreover, I changed my.cnf to explicitly point to the
new data dir and socket file. So far, so good.
When restarting apache, I noticed it can't connect to mysql. ausearch -m
avc showed the following:
...
type=AVC msg=audit(1596055762.070:175569): avc: denied { read } for
pid=72946 comm="httpd" name="mysql" dev="sda2" ino=103
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
The log above clearly states that httpd policy lacks lnk_read permission
for mysqld_db_t type. While I solved the issue by leaving the socket
file inside the original directory (removing the /var/lib/mysql symlink
and recreating the mysql dir), my original questions stand:
So I was wondering why each symlink type is specifically allowed
rather than giving any processes a generic access to symlinks. Is this
kind of rule not permitted by selinux? Can it open the door to other
attacks? If so, why?
On one of the bugzilla issue I opened regarding various processes
lacking lnk_read permission, one reply stated that denying lnk_read
permission lead to "unnecessary fragility". Is that true?
Finally, I am missing something?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. -
www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8