Bug 1862383

Summary: Provide "domain_can_read_symlinks" boolean

Field | Value
---|---
Product | Red Hat Enterprise Linux 8
Component | selinux-policy
Version | 8.2
Hardware | x86_64
OS | Linux
Status | CLOSED WONTFIX
Severity | low
Priority | low
Reporter | g.danti
Assignee | Zdenek Pytela <zpytela>
QA Contact | Milos Malik <mmalik>
Docs Contact | (none)
CC | g.danti, laurent.rineau__fedora, lvrabec, mmalik, plautrba, ssekidde
Target Milestone | rc
Target Release | ---
Keywords | Triaged
Whiteboard | (none)
Fixed In Version | (none)
Doc Type | If docs needed, set a value
Doc Text | (none)
Story Points | ---
Clone Of | (none)
Environment | (none)
Last Closed | 2022-01-28 14:12:11 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM | (none)
Verified Versions | (none)
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | (none)
Cloudforms Team | ---
Target Upstream Version | (none)
Embargoed | (none)
Description

g.danti
2020-07-31 10:08:36 UTC

I would only add that on the selinux.org mailing list an alternative approach was suggested: to let any domain normally operating on /var/lib lnk_read any symlink labeled as var_lib_t (see here: https://lore.kernel.org/selinux/ypjl1rkrmpul.fsf@defensec.nl/). This would enable more domains to be relocated with the symlink approach, without needing a policy customization done via audit2allow and similar.

Zdenek Pytela (comment #4)

Hi,

After a discussion in our team, we are not going to allow permissions domain_can_read_symlinks. The alternative solution seems to be more viable, but it needs to be assessed for individual use cases and resolved not to break any existing functionality in RHEL 8. Please open a separate bz for every issue you deal with. Note in general a custom selinux policy is required whenever a significant change to default configuration is made.

Please also note this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If your issues are critical or in any way time sensitive, raise a ticket through the regular Red Hat support channels to ensure it receives proper attention and prioritization to assure a timely resolution.

g.danti

(In reply to Zdenek Pytela from comment #4)
> Hi,
>
> After a discussion in our team, we are not going to allow permissions
> domain_can_read_symlinks. The alternative solution seems to be more viable,
> but it needs to be assessed for individual use cases and resolved not to
> break any existing functionality in RHEL 8. Please open a separate bz for
> every issue you deal with. Note in general a custom selinux policy is
> required whenever a significant change to default configuration is made.

Hi, above I posted 3 examples of services breaking when relocated. While I have no issue in opening a separate ticket for each of them, I would like to underscore that *many* services show the same behavior.

It seems impractical to manage each of these correlated issues via separate tickets. I think that sysadmins need a more general approach, ie: one of the two detailed above. Otherwise the only solution is to customize the security policy via audit2allow (or to game the security policy as shown in the virtlogd example) or to completely disable selinux, which is the worst possible outcome.

> Please also note this bug tracking system is not a mechanism for requesting
> support, and we are not able to guarantee the timeliness or suitability of a
> resolution. If your issues are critical or in any way time sensitive, raise
> a ticket through the regular Red Hat support channels to ensure it receives
> proper attention and prioritization to assure a timely resolution.

I understand how to customize the security policy, so this is not a support request ticket. Rather, I opened it to let you know how difficult it is to relocate a service. While I customize the policy, many other sysadmins will simply disable selinux.

Zdenek Pytela

Hi,

I understand and thank you for all your inputs and thoughts. Based on outcomes of discussion in this bz and in the mailing list I am going to close this bz as WONTFIX.
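The reporter's fallback, a per-service custom policy module of the kind audit2allow produces, looks like the following. This is an added example, not code from the bug report or from the selinux-policy package: it builds a small type-enforcement module that grants exactly one confined domain `read` on symlinks labeled `var_lib_t`, which is the permission a service needs once its `/var/lib/<svc>` directory has been swapped for a symlink to another volume. The domain name (`virtlogd_t` in the test is only a placeholder taken from the thread's mention of virtlogd) is an argument; confirm the actual denial on your system with `ausearch -m avc -ts recent` before loading anything. The build step assumes the standard `checkmodule`, `semodule_package` and `semodule` tools and root privileges, and otherwise just leaves the `.te` source for inspection.

```shell
#!/bin/sh
# Added example (not from the bug report): scope a "lnk_file read on
# var_lib_t" grant to a single domain instead of a global boolean.
set -eu

# Print the type-enforcement source. The raw allow rule has the same shape
# audit2allow -M would emit from a "denied { read } ... tclass=lnk_file" AVC.
gen_symlink_policy() {
    domain=$1
    printf 'module local_%s_varlib_symlink 1.0;\n\n' "$domain"
    printf 'require {\n    type var_lib_t;\n    type %s;\n}\n\n' "$domain"
    printf '# Let %s follow symlinks that carry the generic var_lib_t label.\n' "$domain"
    printf 'allow %s var_lib_t:lnk_file { getattr read };\n' "$domain"
}

# Reject anything that is not a plausible SELinux domain name before it is
# spliced into policy source: [A-Za-z0-9_]+ ending in _t by convention.
valid_domain() {
    case $1 in
        *_t) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Compile and load the module (needs root and the checkpolicy/policycoreutils
# tools). Returns 2 and keeps the .te file when the tools are absent.
install_symlink_policy() {
    domain=$1
    valid_domain "$domain" || { echo "bad domain name: $domain" >&2; return 1; }
    name=local_${domain}_varlib_symlink
    workdir=${TMPDIR:-/tmp}
    gen_symlink_policy "$domain" > "$workdir/$name.te"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$workdir/$name.mod" "$workdir/$name.te"
        semodule_package -o "$workdir/$name.pp" -m "$workdir/$name.mod"
        semodule -i "$workdir/$name.pp"
        echo "installed $name"
    else
        echo "SELinux tooling not found; policy source left at $workdir/$name.te" >&2
        return 2
    fi
}

# Usage: install_symlink_policy virtlogd_t
```

Keeping the grant per domain is the point: it is what the maintainers' "assess individual use cases" position amounts to in practice, and it stays reviewable with `semodule -l` and removable with `semodule -r local_<domain>_varlib_symlink`. Note that the relocated target directory still needs the service's own file context (for example via `semanage fcontext -a -e`), since this module only covers reading the symlink itself.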