CVE-2011-0997: How strictly confined is dhcpc_t?

Dominick Grift domg472 at gmail.com
Thu Apr 7 13:57:55 UTC 2011


On 04/07/2011 01:04 PM, Christoph A. wrote:
> Hi,
> 
> in the light of the security vulnerability in the ISC DHCP client
> [1][2][3], the obvious question for a fedora/rh/centos user is:
> Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t)
> and /media (mnt_t)?
> How strictly confined is dhcpc_t?
> 
> dhclient runs in the dhcpc_t domain:
> system_u:system_r:dhcpc_t:s0    root     /sbin/dhclient
> 
> Should it be the case that SELinux protects fc13+ users, it would also be
> interesting if this was also the case in fc11 and fc12, even though they
> are not supported any more.

The default configuration of SELinux in Fedora only provides limited
protection for users.

> 
> If dhcpc_t has access to data in $HOME (directly or via a domain
> transition) would it be possible to prevent this access without
> impacting the functionality of dhclient to reduce the impact for similar
> vulnerabilities in the future?

As for dhcpc_t being able to append to inherited user_home_t and
user_tmp_t files, I would guess it is possible to block this access.

Not sure if it would be useful to block it though because dhcpc_t is
only able to append to generic user home and tmp content files and only
if the already open file is passed to it.

It must be noted that SELinux is a framework. The actual rules are just
configuration data. You can make SELinux allow and block whatever you like.

Compare it to netfilter. It is a framework that lets you control network
access. The actual rules you define with, for example, the iptables
command are just configuration data.

By default when you install Fedora, port 22 is accessible from the
network. That is not netfilter's decision. It is configured that way by
Fedora. The netfilter framework just enables you to do it.

> kind regards,
> Christoph A.
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=694005
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0997
> [3] https://www.isc.org/software/dhcp/advisories/cve-2011-0997


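An added example, not part of Dominick's message and not code from the Fedora or reference policy: the check a reader would run to answer the original question, namely which allow rules in the loaded policy let dhcpc_t touch user_home_t or user_tmp_t, and whether any of them grant more than read. It wraps sesearch(1) from setools (the -A/-s options exist in both setools 3 and 4) and copes with the slightly different rule formatting the two versions print. The rule lines embedded in SAMPLE_RULES are constructed to mirror the append-only access on inherited files that the message describes; they are not captured from a real system, and dhcpc_state_t is included only as a contrasting type that the domain fully owns. The list of "write-like" permissions and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original message): audit what a SELinux domain
# may do to a set of target types by filtering the "allow" lines that
# sesearch(1) prints.
#
# Assumption: rule lines look like one of
#   allow dhcpc_t user_home_t : file { ioctl read getattr lock append } ;   (setools 3)
#   allow dhcpc_t user_home_t:file { append getattr ioctl lock read };      (setools 4)
# Both are normalised to "type : class perm perm ..." before parsing.

# Permissions that let a process modify, create or remove content.
# Assumption: this is the set I flag first when asking "can it damage $HOME?"
WRITE_PERMS='write append create unlink rename setattr link mounton'

# audit_rules TARGET_REGEX  < sesearch_output
# Prints one line per allow rule whose target type matches TARGET_REGEX,
# tagged WRITE if any write-like permission is granted, READ otherwise:
#   WRITE dhcpc_t -> user_home_t:file [ioctl,read,getattr,lock,append]
audit_rules() {
    target_re=$1
    awk -v target_re="$target_re" -v write_perms="$WRITE_PERMS" '
    BEGIN { n = split(write_perms, wp, " "); for (i = 1; i <= n; i++) W[wp[i]] = 1 }
    /^[ \t]*allow / {
        line = $0
        gsub(/[ \t]*:[ \t]*/, " : ", line)   # "tgt:cls" and "tgt : cls" -> "tgt : cls"
        gsub(/[{};]/, " ", line)             # drop the braces and trailing ";"
        nf = split(line, f)                  # default FS: whitespace, trimmed
        # f[1]=allow f[2]=source f[3]=target f[4]=":" f[5]=class f[6..nf]=perms
        src = f[2]; tgt = f[3]; cls = f[5]
        if (tgt !~ target_re) next
        verdict = "READ"; perms = ""
        for (i = 6; i <= nf; i++) {
            perms = perms (perms == "" ? "" : ",") f[i]
            if (f[i] in W) verdict = "WRITE"
        }
        printf "%s %s -> %s:%s [%s]\n", verdict, src, tgt, cls, perms
    }'
}

# count_write_rules TARGET_REGEX  < sesearch_output
# Number of matching rules that grant at least one write-like permission.
count_write_rules() {
    audit_rules "$1" | awk '/^WRITE /{n++} END{print n+0}'
}

# Constructed sample (not real sesearch output), shaped after the access the
# message describes: append on inherited generic home/tmp files only, plus a
# type the domain owns outright for contrast.
SAMPLE_RULES='Found 3 semantic av rules:
   allow dhcpc_t user_home_t : file { ioctl read getattr lock append } ;
   allow dhcpc_t user_tmp_t : file { ioctl read getattr lock append } ;
   allow dhcpc_t dhcpc_state_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;'

# Use the live policy when setools is installed, the sample otherwise.
if command -v sesearch >/dev/null 2>&1; then
    sesearch -A -s dhcpc_t | audit_rules '^user_(home|tmp)_t$'
else
    printf '%s\n' "$SAMPLE_RULES" | audit_rules '^user_(home|tmp)_t$'
fi
```

On a live system the interesting call is `sesearch -A -s dhcpc_t | audit_rules '^user_(home|tmp)_t$'`; widen the regex to `mnt_t` or to `.` to see everything the domain may reach. A WRITE tag only says that a permission capable of modifying content is granted on that type; it does not say dhclient has any way to open such a file on its own, which is exactly the distinction the message draws about inherited, already-open descriptors.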