Hi,

in the light of the security vulnerability in the ISC DHCP client [1][2][3], the obvious question for a Fedora/RH/CentOS user is:

Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t) and /media (mnt_t)?
How strictly confined is dhcpc_t?

dhclient runs in the dhcpc_t domain:

    system_u:system_r:dhcpc_t:s0 root /sbin/dhclient

Should it be the case that SELinux protects fc13+ users, it would also be interesting if this was also the case in fc11 and fc12, even though they are not supported any more.

If dhcpc_t has access to data in $HOME (directly or via a domain transition), would it be possible to prevent this access without impacting the functionality of dhclient, to reduce the impact of similar vulnerabilities in the future?

kind regards,
Christoph A.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=694005
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0997
[3] https://www.isc.org/software/dhcp/advisories/cve-2011-0997
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux