Hi,
in the light of the security vulnerability in the ISC DHCP client [1][2][3], the obvious question for a fedora/rh/centos user is: Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t) and /media (mnt_t)? How strictly confined is dhcpc_t?
dhclient runs in the dhcpc_t domain:
    system_u:system_r:dhcpc_t:s0 root /sbin/dhclient
Should it be the case that SELinux protects fc13+ users, it would also be interesting if this was also the case in fc11 and fc12, even though they are not supported any more.
If dhcpc_t has access to data in $HOME (directly or via a domain transition) would it be possible to prevent this access without impacting the functionality of dhclient to reduce the impact for similar vulnerabilities in the future?
kind regards,
Christoph A.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=694005
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0997
[3] https://www.isc.org/software/dhcp/advisories/cve-2011-0997
On Thu, Apr 7, 2011 at 1:04 PM, Christoph A. casmls@gmail.com wrote:
> Hi,
> in the light of the security vulnerability in the ISC DHCP client [1][2][3], the obvious question for a fedora/rh/centos user is: Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t) and /media (mnt_t)? How strictly confined is dhcpc_t?
To my knowledge of SELinux, nobody in the SELinux world can access the home directory by default. And this is also true for dhcpc. I have not found, also on fc12, any relevant permission given to dhcpc_t on user_home_dir_t and /mnt_t: the only ones found are for reading the fs attribute and similar read permissions.
Best Regards
On 04/07/2011 08:33 AM, yersinia wrote:
> To my knowledge of SELinux, nobody in the SELinux world can access the home directory by default. And this is also true for dhcpc. I have not found, also on fc12, any relevant permission given to dhcpc_t on user_home_dir_t and /mnt_t: the only ones found are for reading the fs attribute and similar read permissions.
> Best Regards
You can check the access using sesearch.
On F15 I see
    sesearch -A -s dhcpc_t -t user_home_type
    Found 2 semantic av rules:
       allow daemon user_tmp_t : file { getattr append } ;
       allow daemon user_home_t : file { getattr append } ;
Meaning that SELinux would allow dhcpc_t to append to a file in the homedir IFF it was passed as an open file descriptor.
That would be the only allowed access.
On Thu, Apr 7, 2011 at 3:33 PM, Daniel J Walsh dwalsh@redhat.com wrote:
> You can check the access using sesearch.
> On F15 I see
>     sesearch -A -s dhcpc_t -t user_home_type
>     Found 2 semantic av rules:
>        allow daemon user_tmp_t : file { getattr append } ;
>        allow daemon user_home_t : file { getattr append } ;
> Meaning that SELinux would allow dhcpc_t to append to a file in the homedir IFF it was passed as an open file descriptor.
> That would be the only allowed access.
    sesearch -A -s dhcpc_t -t user_home_t
    Found 2 semantic av rules:
       allow daemon user_home_t : file { getattr append } ;
       allow dhcpc_t file_type : filesystem getattr ;
The second rule is for fs_getattr_all_fs(dhcpd_t) in dhcp.te in the SELinux policy. However, it is a very common rule in the SELinux policy.
Regards
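Added example (not part of the thread or of the policy sources): a small Python parser for the `sesearch -A` output quoted above that separates rules allowing a file to be reached by path from rules usable only on a descriptor that was already open when it was handed over. It assumes the policy enforces the `open` permission on the file class, which is what the reading given in the thread relies on; the function names and verdict strings are invented for this illustration.

```python
import re

# sesearch output as quoted in the thread (F15 policy), embedded so this runs offline.
SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
   allow daemon user_home_t : file { getattr append } ;
   allow dhcpc_t file_type : filesystem getattr ;
"""

# allow <source> <target> : <class> { perm ... } ;   or a single bare permission
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

# Permissions that touch file content. Without "open" on the same rule they
# can only be exercised on a descriptor inherited from another process.
CONTENT_PERMS = {"read", "write", "append", "execute"}


def parse_rules(text):
    """Return (source, target, class, perms) for every allow rule in the text."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        rules.append((src, tgt, cls, frozenset((braced or single).split())))
    return rules


def classify(rule):
    """Say how far a rule lets the source domain reach file content."""
    _src, _tgt, cls, perms = rule
    if cls != "file":
        return "not-file-content"       # e.g. filesystem getattr (statfs)
    content = perms & CONTENT_PERMS
    if not content:
        return "metadata-only"          # getattr and the like
    kind = "direct" if "open" in perms else "inherited-fd-only"
    return kind + ":" + ",".join(sorted(content))


def report(text):
    """List (source, target, verdict); source may be an attribute such as daemon."""
    return [(r[0], r[1], classify(r)) for r in parse_rules(text)]


if __name__ == "__main__":
    for src, tgt, verdict in report(SESEARCH_OUTPUT):
        print(f"{src} -> {tgt}: {verdict}")
```

Any `direct:` verdict for a confined domain against `user_home_t` is the line to look at first when reviewing a policy this way.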
On 04/07/2011 01:04 PM, Christoph A. wrote:
> Hi,
> in the light of the security vulnerability in the ISC DHCP client [1][2][3], the obvious question for a fedora/rh/centos user is: Does SELinux prevent dhclient from accessing my $HOME (user_home_dir_t) and /media (mnt_t)? How strictly confined is dhcpc_t?
> dhclient runs in the dhcpc_t domain:
>     system_u:system_r:dhcpc_t:s0 root /sbin/dhclient
> Should it be the case that SELinux protects fc13+ users, it would also be interesting if this was also the case in fc11 and fc12, even though they are not supported any more.
The default configuration of SELinux in Fedora only provides limited protection for users.
> If dhcpc_t has access to data in $HOME (directly or via a domain transition) would it be possible to prevent this access without impacting the functionality of dhclient to reduce the impact for similar vulnerabilities in the future?
As for dhcpc_t being able to append to inherited user_home_t and user_tmp_t files, I would guess it is possible to block this access.
Not sure if it would be useful to block it though because dhcpc_t is only able to append to generic user home and tmp content files and only if the already open file is passed to it.
It must be noted that SELinux is a framework. The actual rules are just configuration data. You can make SELinux allow and block whatever you like.
Compare it to netfilter. It is a framework that lets you control network access. The actual rules you define with, for example, the iptables command are just configuration data.
By default when you install Fedora, port 22 is accessible from the network. That is not netfilter's decision. It is configured that way by Fedora. The netfilter framework just enabled you to do it.
> kind regards,
> Christoph A.
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=694005
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0997
> [3] https://www.isc.org/software/dhcp/advisories/cve-2011-0997