CVE-2011-0997: How strictly confined is dhcpc_t?

yersinia yersinia.spiros at gmail.com
Thu Apr 7 14:11:18 UTC 2011


On Thu, Apr 7, 2011 at 3:33 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 04/07/2011 08:33 AM, yersinia wrote:
>> On Thu, Apr 7, 2011 at 1:04 PM, Christoph A. <casmls at gmail.com> wrote:
>>> Hi,
>>>
>>> in the light of the security vulnerability in the ISC DHCP client
>>> [1][2][3], the obvious question for a fedora/rh/centos user is:
>>> Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t)
>>> and /media (mnt_t)?
>>> How strictly confined is dhcpc_t?
>> In my knowledge of selinux, nobody in the selinux world can access
>> the home directory by default. And this is also true for dhcpc. I have not
>> found, also on fc12, relevant permission given
>> to dhcpc_t on user_home_dir_t and /mnt_t: the only ones found are for
>> reading the fs attribute and similar read permission.
>>
>> Best Regards
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> You can check the access using sesesearch
>
> On F15 I see
>
> sesearch -A -s dhcpc_t -t user_home_type
> Found 2 semantic av rules:
>   allow daemon user_tmp_t : file { getattr append } ;
>   allow daemon user_home_t : file { getattr append } ;
>
> Meaning that SELinux would allow dhcpc_t to append to a file in the
> homedir IFF it was passed as an open file descriptor.
>
> That would be the only allowed access.
sesearch -A -s dhcpc_t -t user_home_t
Found 2 semantic av rules:
   allow daemon user_home_t : file { getattr append } ;
   allow dhcpc_t file_type : filesystem getattr ;

The second rule is for fs_getattr_all_fs(dhcpd_t) in dhcp.te in the
selinux policy. However, it is a very common rule in the selinux policy.

Regards


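The check described in this thread, as an added example that is not part of the original messages: a small parser for `sesearch -A` output that reports, for each home-directory type, which file permissions a domain holds and whether any of them let the domain open the object on its own, as opposed to acting on a descriptor it was handed (the getattr/append distinction above). The sample input is constructed from the output quoted in the thread; the type list and permission set are assumptions.

```python
import re

# Constructed sample input: the sesearch output quoted earlier in this
# thread (F15 policy, dhcpc_t against user_home_t).
SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
   allow daemon user_home_t : file { getattr append } ;
   allow dhcpc_t file_type : filesystem getattr ;
"""

# One line of `sesearch -A` output: allow SRC TGT : CLASS { p1 p2 } ;
# or, for a single permission, allow SRC TGT : CLASS p1 ;
ALLOW_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;"
)

# Assumed set of file/dir permissions that let a domain reach or change a
# path by itself; getattr/append alone only act on an inherited descriptor.
SELF_SERVICE_PERMS = {"open", "read", "write", "create", "unlink",
                      "rename", "link", "setattr", "relabelto"}

# Assumed home-directory types to audit.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "user_tmp_t"}


def parse_av_rules(text):
    """Return [(source, target, tclass, {perms})] for every allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(text):
        src, tgt, tclass, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        rules.append((src, tgt, tclass, perms))
    return rules


def audit_home_access(text, home_types=HOME_TYPES):
    """Map each home type named in a file/dir rule to the permissions
    granted and whether any of them allow self-service access."""
    report = {}
    for _src, tgt, tclass, perms in parse_av_rules(text):
        if tclass not in ("file", "dir") or tgt not in home_types:
            continue
        entry = report.setdefault(tgt, {"perms": set(), "self_service": False})
        entry["perms"] |= perms
        entry["self_service"] |= bool(perms & SELF_SERVICE_PERMS)
    return report


if __name__ == "__main__":
    for tgt, info in audit_home_access(SESEARCH_OUTPUT).items():
        verdict = "can open on its own" if info["self_service"] else "fd-only"
        print(f"{tgt}: {sorted(info['perms'])} -> {verdict}")
```

To run it against a live policy, feed it the text of `sesearch -A -s dhcpc_t -t user_home_type` instead of the constructed sample.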