On 04/07/2011 08:33 AM, yersinia wrote:
On Thu, Apr 7, 2011 at 1:04 PM, Christoph A. casmls@gmail.com wrote:
Hi,
in the light of the security vulnerability in the ISC DHCP client [1][2][3], the obvious question for a fedora/rh/centos user is: Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t) and /media (mnt_t)? How strictly confined is dhcpc_t?
To my knowledge of SELinux, nobody in the SELinux world can access the home directory by default. And this is also true for dhcpc. I have not found, also on fc12, relevant permissions given to dhcpc_t on user_home_dir_t and /mnt_t: the only ones found are for reading the fs attribute and similar read permissions.
Best Regards
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You can check the access using sesearch
On F15 I see
    sesearch -A -s dhcpc_t -t user_home_type
    Found 2 semantic av rules:
       allow daemon user_tmp_t : file { getattr append } ;
       allow daemon user_home_t : file { getattr append } ;
Meaning that SELinux would allow dhcpc_t to append to a file in the homedir IFF it was passed as an open file descriptor.
That would be the only allowed access.
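
Added example, not part of the original messages: a small Python filter for `sesearch -A` output that separates rules granting `open` (the domain can open the file by path itself) from rules that only permit use of a descriptor opened elsewhere, which is the distinction drawn in the reply above. The sample input is constructed from the F15 output quoted in the thread plus one hypothetical `example_t` rule for contrast; the function names are this example's own.

```python
import re
import sys

# Constructed sample: the two F15 rules quoted in the thread, plus one
# hypothetical rule (example_t is made up) that does grant open.
SAMPLE = """\
Found 3 semantic av rules:
   allow daemon user_tmp_t : file { getattr append } ;
   allow daemon user_home_t : file { getattr append } ;
   allow example_t user_home_t : file { read open getattr } ;
"""

# Accepts both "src tgt : class { perms } ;" and "src tgt:class perm;".
RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;"
)

def parse_rules(text):
    """Yield (source, target, class, perms) for each allow rule in text."""
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            yield src, tgt, cls, frozenset((braced or single).split())

def classify(perms):
    """Classify a permission set on a file-like class.

    'path'     - 'open' is granted, so the domain can open the object itself
    'fd-only'  - data access only through a descriptor another domain opened
    'metadata' - nothing beyond attribute access such as getattr
    """
    if "open" in perms:
        return "path"
    if perms & {"read", "write", "append", "ioctl", "lock"}:
        return "fd-only"
    return "metadata"

def audit(text):
    """Return (source, target, class, sorted perms, verdict) per rule."""
    return [(s, t, c, sorted(p), classify(p)) for s, t, c, p in parse_rules(text)]

if __name__ == "__main__":
    # Pipe real sesearch output in, or run with no pipe to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for src, tgt, cls, perms, verdict in audit(data):
        print(f"{verdict:9} {src} -> {tgt}:{cls} {{{' '.join(perms)}}}")
```
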