On 04/07/2011 08:33 AM, yersinia wrote:
> On Thu, Apr 7, 2011 at 1:04 PM, Christoph A. <casmls@xxxxxxxxx> wrote:
>> Hi,
>>
>> in the light of the security vulnerability in the ISC DHCP client
>> [1][2][3], the obvious question for a fedora/rh/centos user is:
>> Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t)
>> and /media (mnt_t)?
>> How strictly confined is dhcpc_t?
> In my knowledge of selinux nobody in the selinux world can access
> home directory by default. And this is also true for dhcpc. I have not
> found, also on fc12, relevant permission given
> to dhcpc_t on user_home_dir_t and /mnt_t : the only ones found are for
> reading the fs attribute and similar read permission.
>
> Best Regards
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

You can check the access using sesearch.

On F15 I see

sesearch -A -s dhcpc_t -t user_home_type
Found 2 semantic av rules:
   allow daemon user_tmp_t : file { getattr append } ;
   allow daemon user_home_t : file { getattr append } ;

Meaning that SELinux would allow dhcpc_t to append to a file in the
homedir IFF it was passed as an open file descriptor. That would be the
only allowed access.
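Added example (not part of the original thread, and not code from any SELinux tool): a small parser that applies the reasoning in the reply above to sesearch output, separating allow rules that lack the "open" permission (usable only on a descriptor the domain was handed) from rules that let the domain open the file by path. The third rule and its domain example_t are constructed for contrast; the function names are assumptions of this example.

```python
import re

# The two rules quoted in the reply above, plus one CONSTRUCTED rule
# (example_t is a made-up domain) that does grant "open", for contrast.
SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
   allow daemon user_tmp_t : file { getattr append } ;
   allow daemon user_home_t : file { getattr append } ;
   allow example_t user_home_t : file { read open getattr } ;
"""

# Accepts both "a b : file { p q } ;" and the compact "a b:file p;" layout.
RULE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{]+)"
    r"(?:\s*\{(?P<set>[^}]*)\}|\s+(?P<one>[^\s;{]+))\s*;"
)


def parse_rules(text):
    """Return (source, target, class, permission-set) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:  # header lines such as "Found 2 semantic av rules:" are skipped
            perms = frozenset((m["set"] or m["one"] or "").split())
            rules.append((m["src"], m["tgt"], m["cls"], perms))
    return rules


def split_by_open(rules, cls="file"):
    """Separate rules usable only on an inherited descriptor from rules
    that let the source domain open the object by path itself."""
    fd_only, by_path = [], []
    for src, tgt, rule_cls, perms in rules:
        if rule_cls == cls:
            bucket = by_path if "open" in perms else fd_only
            bucket.append((src, tgt, sorted(perms)))
    return fd_only, by_path


if __name__ == "__main__":
    fd_only, by_path = split_by_open(parse_rules(SESEARCH_OUTPUT))
    for src, tgt, perms in fd_only:
        print(f"fd-only  {src} -> {tgt}: {' '.join(perms)}")
    for src, tgt, perms in by_path:
        print(f"by-path  {src} -> {tgt}: {' '.join(perms)}")
```

To use it on a live system, feed the text printed by the sesearch command from the reply into parse_rules() instead of SESEARCH_OUTPUT.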