On 04/07/2011 01:04 PM, Christoph A. wrote:
> Hi,
>
> in the light of the security vulnerability in the ISC DHCP client
> [1][2][3], the obvious question for a fedora/rh/centos user is:
> Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t)
> and /media (mnt_t)?
> How strictly confined is dhcpc_t?
>
> dhclient runs in the dhcpc_t domain:
> system_u:system_r:dhcpc_t:s0 root /sbin/dhclient
>
> Should it be the case that SELinux protects fc13+ users, it would also be
> interesting if this was also the case in fc11 and fc12, even though they
> are not supported any more.

The default configuration of SELinux in Fedora only provides limited
protection for users.

> If dhcpc_t has access to data in $HOME (directly or via a domain
> transition) would it be possible to prevent this access without
> impacting the functionality of dhclient to reduce the impact for similar
> vulnerabilities in the future?

As for dhcpc_t being able to append to inherited user_home_t and
user_tmp_t files, I would guess it is possible to block this access. Not
sure if it would be useful to block it though, because dhcpc_t is only
able to append to generic user home and tmp content files, and only if
the already open file is passed to it.

It must be noted that SELinux is a framework. The actual rules are just
configuration data. You can make SELinux allow and block whatever you
like.

Compare it to netfilter. It is a framework that lets you control network
access. The actual rules you define with, for example, the iptables
command are just configuration data. By default when you install Fedora,
port 22 is accessible from the network. That is not netfilter's decision.
It is configured that way by Fedora. The netfilter framework just
enables you to do it.

> kind regards,
> Christoph A.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=694005
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0997
> [3] https://www.isc.org/software/dhcp/advisories/cve-2011-0997
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
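A small audit helper for answering the question above from the policy actually installed on a box, added here as an example and not part of this thread: it parses the allow rules printed by sesearch and lists what dhcpc_t is granted on the user-data types named in the thread (user_home_t, user_home_dir_t, user_tmp_t, mnt_t). The sesearch lines embedded below are constructed for illustration, not captured from a Fedora system, so run the real command to see your own policy.

```python
import re

# Constructed sample of sesearch output (not captured from a real system).
# One line uses the setools 3 spacing ("t : cls { p } ;"), the rest the
# setools 4 spacing ("t:cls { p };"), so the parser copes with both.
# Real input comes from:  sesearch -A -s dhcpc_t
SAMPLE_SESEARCH = """
allow dhcpc_t user_home_t : file { append } ;
allow dhcpc_t user_tmp_t:file { append };
allow dhcpc_t dhcpc_var_run_t:file { create read write open getattr };
allow dhcpc_t net_conf_t:file { create read write setattr open getattr };
allow dhcpc_t mnt_t:dir { getattr search };
"""

# Types holding user data in the question: $HOME, user tmp files, /media.
USER_DATA_TYPES = {"user_home_t", "user_home_dir_t", "user_tmp_t", "mnt_t"}

# Matches "allow s t : cls { p q } ;" as well as "allow s t:cls p;".
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+?)\s+(\S+?)\s*:\s*(\S+?)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;"
)


def parse_allow_rules(text):
    """Return (source, target, class, frozenset(perms)) for each allow line."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = (m.group(4) or m.group(5)).split()
        rules.append((m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return rules


def user_data_access(text, domain="dhcpc_t", types=USER_DATA_TYPES):
    """Map (target type, class) -> sorted permissions the domain holds on user-data types."""
    found = {}
    for src, tgt, cls, perms in parse_allow_rules(text):
        if src == domain and tgt in types:
            found[(tgt, cls)] = sorted(perms)
    return found


if __name__ == "__main__":
    # Pipe real output in with:  sesearch -A -s dhcpc_t | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SESEARCH
    for (tgt, cls), perms in sorted(user_data_access(text).items()):
        print(f"dhcpc_t -> {tgt}:{cls} {' '.join(perms)}")
```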