Re: CVE-2011-0997: How strictly confined is dhcpc_t?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/07/2011 08:33 AM, yersinia wrote:
> On Thu, Apr 7, 2011 at 1:04 PM, Christoph A. <casmls@xxxxxxxxx> wrote:
>> Hi,
>>
>> in the light of the security vulnerability in the ISC DHCP client
>> [1][2][3], the obvious question for a fedora/rh/centos user is:
>> Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t)
>> and /media (mnt_t)?
>> How strictly confined is dhcpc_t?
> In my knowledge of selinux  nobody in the selinux world can access
> home directory by default. And this also true for dhcpc. I have not
> found, also on fc12, rilevant permission given
> to dhcpc_t on user_home_dir_t and /mnt_t : the only found are for or
> reading the fs attribute and similar read permission.
> 
> Best Regards
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


You can check the access using sesesearch

On F15 I see

sesearch -A -s dhcpc_t -t user_home_type
Found 2 semantic av rules:
   allow daemon user_tmp_t : file { getattr append } ;
   allow daemon user_home_t : file { getattr append } ;

Meaning that SELinux would allow dhcpc_t to append to a file in the
homedir IFF it was passed as an open file descriptor.

That would be the only allowed access.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2dvUMACgkQrlYvE4MpobMBHwCgknKWOHjyxtNNL3NBIU8jPBY9
NfoAnipIeUxwsQpRrGEFxe4W3gTls0sC
=1+on
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux