dhclient and restorecon

Russell Coker russell at coker.com.au
Sun Apr 3 06:00:34 UTC 2005


Why do we have restorecon being called from /sbin/dhclient-script?

In the latest strict policy in rawhide dhcpc_t is not permitted to execute
restorecon and a cursory glance at the targeted policy suggests that it can't
execute it there either.

dhcpc_t can only create files of types dhcpc_var_run_t, net_conf_t,
dhcpc_tmp_t, and dhcpc_state_t.  Of those the type net_conf_t is specified by
the domain_auto_trans() rule for files created under /etc.  I can't work out
how dhclient could create a file with the wrong type, so the call to
restorecon seems redundant.

We don't want to use the policy domain_auto_trans(dhcpc_t, restorecon_exec_t,
restorecon_t) because restorecon_t is a highly privileged domain that we want
to limit access to (every domain that has such a transition should ideally
have its main programs audited).

We don't want to use the policy can_exec(dhcpc_t, restorecon_exec_t) as that
will require allowing dhcpc_t to read the policy source which may be regarded
as secret (and therefore something that we don't want to give to a program
that is always running and has network access).

I think it would be best if dhclient-script did not call restorecon at all.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
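
The redundancy argument in the message above can be checked mechanically: if the label a file receives at creation already matches what file_contexts specifies, restorecon has nothing to change. The following is an added example, not part of the original post or of the Fedora policy; the rule text, the etc_t parent directory type, the /etc/resolv.conf path and the file_contexts entries are constructed assumptions for illustration.

```python
import re

# Constructed policy excerpt (kernel policy language), modelled on the post:
# files dhcpc_t creates in etc_t directories get net_conf_t automatically.
POLICY = """
type_transition dhcpc_t etc_t:file net_conf_t;
allow dhcpc_t net_conf_t:file { create write getattr };
allow dhcpc_t dhcpc_state_t:file { create write };
allow dhcpc_t etc_t:dir { search add_name write };
"""

# Constructed file_contexts entries (path regex, type restorecon would apply),
# listed from least to most specific.
FILE_CONTEXTS = [
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/resolv\.conf.*", "net_conf_t"),
]

def parse(policy):
    """Return (type_transition map, set of allowed (src, tgt, class, perm))."""
    trans, allows = {}, set()
    for m in re.finditer(r"type_transition (\w+) (\w+):(\w+) (\w+);", policy):
        src, parent, cls, new = m.groups()
        trans[(src, parent, cls)] = new
    for m in re.finditer(r"allow (\w+) (\w+):(\w+) \{([^}]*)\};", policy):
        src, tgt, cls, perms = m.groups()
        allows.update((src, tgt, cls, p) for p in perms.split())
    return trans, allows

def label_at_creation(trans, domain, parent_type, cls="file"):
    # Without a type_transition rule a new file inherits the directory's type.
    return trans.get((domain, parent_type, cls), parent_type)

def restorecon_label(path):
    # Simplification: the last matching entry wins (entries ordered by specificity).
    best = None
    for regex, ftype in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            best = ftype
    return best

def restorecon_redundant(policy, domain, parent_type, path):
    """True if the domain may create the file and it is born with the right type."""
    trans, allows = parse(policy)
    created = label_at_creation(trans, domain, parent_type)
    permitted = (domain, created, "file", "create") in allows
    return permitted and created == restorecon_label(path)
```
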




More information about the fedora-selinux-list mailing list