On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote:
Tom Mitchell mitch48@yahoo.com wrote:
I might trust my dhcp server to give me an IP address but do I also want it to set the time of day? Then what else do I trust it to do? How do I manage the list of things that dhcp might update?
For example, if I have a well crafted /etc/ntp.conf file, will that file be lost if I move to a different DHCP served net?
I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
PEERDNS=no (/etc/resolv.conf)
PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers)
PEERNIS=no (/etc/yp.conf)
If set to no, then those files won't get modified even if appropriate DHCP options are sent. See /sbin/dhclient-script for details.
I missed the PEER*=no flags when I first glanced at the script.
This looks like the correct place to manage the long list of DHCP-able config items.
This permits a default "policy" configuration for the expected common situation of a responsible ISP or IT department. Individual DHCP decisions can be made and set without the complexity of editing policy. -- Cool --
My concern was the cyber cafe or hotel that a traveling businessman encounters. There have already been rumors of bad boys snooping bits and doing naughty things in the cyber cafes. DHCP smelled like a potential problem where time of day, DNS, SMTP and a list of other "important" administrative decisions could be silently co-opted.
Since all these issues exist regardless of SELinux, the common and correct place to address this is via /sbin/dhclient-script and the associated config tools. -- Excellent --
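The check discussed in this thread, as an added example (not code from the posters or from the distribution's scripts): a shell audit that lists, for each DHCP-configured ifcfg-* file, which of PEERDNS, PEERNTP and PEERNIS are not set to no. The function names and sample files are constructed, and it assumes that only the literal value no disables an update.

```bash
#!/bin/bash
# Added example: audit ifcfg-* files for the PEER*=no settings named in the thread.
# Assumption: only the literal value "no" stops DHCP from rewriting the file.

# Print the last value assigned to key $2 in file $1, quotes and blanks stripped.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' \t"
}

# Print the PEER* options in file $1 that still let DHCP rewrite local config.
# Prints nothing for interfaces that are not configured with BOOTPROTO=dhcp.
unpinned_peer_opts() {
    local file="$1" opt out=""
    case "$(ifcfg_get "$file" BOOTPROTO)" in
        dhcp|DHCP) ;;
        *) return 0 ;;
    esac
    for opt in PEERDNS PEERNTP PEERNIS; do
        [ "$(ifcfg_get "$file" "$opt")" = "no" ] || out="$out $opt"
    done
    echo "${out# }"
}

# Audit every ifcfg-* file in directory $1; return 1 if any interface has findings.
audit_dir() {
    local dir="${1:-/etc/sysconfig/network-scripts}" f missing rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        missing=$(unpinned_peer_opts "$f")
        if [ -n "$missing" ]; then
            echo "$(basename "$f"): DHCP may overwrite config ($missing not set to no)"
            rc=1
        fi
    done
    return $rc
}

# Build a temporary directory of constructed sample files and print its path.
make_sample() {
    local d
    d=$(mktemp -d) || return 1
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nPEERDNS=no\n' > "$d/ifcfg-eth0"
    printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nPEERDNS=no\nPEERNTP="no"\nPEERNIS=no\n' > "$d/ifcfg-eth1"
    printf 'DEVICE=lo\nIPADDR=127.0.0.1\n' > "$d/ifcfg-lo"
    echo "$d"
}

# Demo on the constructed files; call audit_dir with no argument on a real host.
sample=$(make_sample)
audit_dir "$sample" || echo "=> at least one DHCP interface is not fully pinned"
rm -rf "$sample"
```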
On Fri, 12 Mar 2004 13:18, Tom Mitchell mitch48@sbcglobal.net wrote:
My concern was the cyber cafe or hotel that a traveling businessman encounters. There have already been rumors of bad boys snooping bits and doing naughty things in the cyber cafes. DHCP smelled like a potential problem where time of day, DNS, SMTP and a list of other "important" administrative decisions could be silently co-opted.
Yes, Internet cafes can break your security in more ways than you want to imagine. If you don't do certificate checking with SSL then they can just proxy all connections too...
selinux@lists.fedoraproject.org