dhclient and restorecon

Daniel J Walsh dwalsh at redhat.com
Mon Apr 4 14:58:06 UTC 2005


Russell Coker wrote:

>Why do we have restorecon being called from /sbin/dhclient-script?
>
>In the latest strict policy in rawhide dhcpc_t is not permitted to execute
>restorecon and a cursory glance at the targeted policy suggests that it can't
>execute it there either.
>
>dhcpc_t can only create files of types dhcpc_var_run_t, net_conf_t,
>dhcpc_tmp_t, and dhcpc_state_t.  Of those the type net_conf_t is specified by
>the domain_auto_trans() rule for files created under /etc.  I can't work out
>how dhclient could create a file with the wrong type, so the call to
>restorecon seems redundant.
>  
>
Yes, this is a reported bug.  dhcpc_t was not in targeted policy, so the
dhcpc maintainer added this call, which would work from unconfined_t.
Rawhide/FC4 policy has the dhcpc policy, so the files will get created with
the correct context and the restorecon can be removed.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=153244

>We don't want to use the policy domain_auto_trans(dhcpc_t, restorecon_exec_t,
>restorecon_t) because restorecon_t is a highly privileged domain that we want
>to limit access to (every domain that has such a transition should ideally
>have its main programs audited).
>
>We don't want to use the policy can_exec(dhcpc_t, restorecon_exec_t) as that
>will require allowing dhcpc_t to read the policy source which may be regarded
>as secret (and therefore something that we don't want to give to a program
>that is always running and has network access).
>
>I think it would be best if dhclient-script did not call restorecon at all.
>
>--
>http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
>http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
>http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
>http://www.coker.com.au/~russell/  My home page


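The checks Russell walks through above (which types dhcpc_t may create, what label a file created under /etc gets via the type_transition, whether that differs from what restorecon would set, and whether dhcpc_t could execute restorecon at all) can be modelled in a few lines. The following is an added example, not code from the list, from dhclient-script or from the Fedora policy; every allow, type_transition and file_contexts entry in it is constructed for illustration from the type names in the mail and is not the real dhcpc or restorecon policy.

```python
"""Toy model of the SELinux type-enforcement checks discussed in the thread.

All rules below are CONSTRUCTED for illustration from the type names in the
mail; they are not the real Fedora dhcpc or restorecon policy.
"""
import re

# Constructed allow rules: (source domain, target type, object class) -> permissions.
ALLOW = {
    ("dhcpc_t", "dhcpc_var_run_t", "file"): {"create", "write"},
    ("dhcpc_t", "net_conf_t", "file"): {"create", "write", "rename"},
    ("dhcpc_t", "dhcpc_tmp_t", "file"): {"create", "write"},
    ("dhcpc_t", "dhcpc_state_t", "file"): {"create", "write"},
    ("dhcpc_t", "etc_t", "dir"): {"search", "write", "add_name"},
    # Only the unconfined domain may execute restorecon in this toy policy.
    ("unconfined_t", "restorecon_exec_t", "file"): {"execute"},
}

# Constructed type_transition rules (what domain_auto_trans / file_type_auto_trans
# expand to): (source domain, parent or executable type, class) -> resulting type.
TYPE_TRANSITION = {
    ("dhcpc_t", "etc_t", "file"): "net_conf_t",
    ("dhcpc_t", "var_run_t", "file"): "dhcpc_var_run_t",
    ("dhcpc_t", "tmp_t", "file"): "dhcpc_tmp_t",
    ("unconfined_t", "restorecon_exec_t", "process"): "restorecon_t",
}

# Constructed file_contexts, most specific entry first (this toy uses first match;
# real file_contexts precedence is more involved).  This is what restorecon sets.
FILE_CONTEXTS = [
    (r"/etc/resolv\.conf", "net_conf_t"),
    (r"/etc/ntp\.conf", "net_conf_t"),
    (r"/var/run/dhclient.*", "dhcpc_var_run_t"),
    (r"/etc/.*", "etc_t"),
    (r"/var/run/.*", "var_run_t"),
]


def creatable_types(domain, cls="file"):
    """Types of `cls` that `domain` may create (the first check in the mail)."""
    return {t for (s, t, c), perms in ALLOW.items()
            if s == domain and c == cls and "create" in perms}


def created_type(source, parent_type, cls="file"):
    """Label a new object gets: the type_transition if one matches, else the parent's."""
    return TYPE_TRANSITION.get((source, parent_type, cls), parent_type)


def may_create(source, new_type, cls="file"):
    """Does an allow rule grant `source` the create permission on `new_type`?"""
    return "create" in ALLOW.get((source, new_type, cls), set())


def expected_type(path):
    """Label restorecon would apply, looked up in file_contexts."""
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return ftype
    raise LookupError(f"no file_contexts entry for {path}")


def create_file(source, path, parent_type):
    """Simulate `source` creating `path` in a directory labelled `parent_type`.

    Returns the resulting type, or raises PermissionError where the kernel would deny.
    """
    new_type = created_type(source, parent_type)
    if not may_create(source, new_type):
        raise PermissionError(f"{source} may not create a file of type {new_type}")
    return new_type


def restorecon_needed(source, path, parent_type):
    """True only if the file would come out with a label restorecon would change."""
    return create_file(source, path, parent_type) != expected_type(path)


def restorecon_domain(domain):
    """Domain restorecon would run in if `domain` executed it, or None if denied.

    A domain_auto_trans() shows up as a 'process' type_transition; a bare can_exec()
    would leave restorecon running in the caller's own domain.
    """
    if "execute" not in ALLOW.get((domain, "restorecon_exec_t", "file"), set()):
        return None
    return TYPE_TRANSITION.get((domain, "restorecon_exec_t", "process"), domain)


if __name__ == "__main__":
    print(sorted(creatable_types("dhcpc_t")))
    for path, parent in [("/etc/resolv.conf", "etc_t"),
                         ("/var/run/dhclient.pid", "var_run_t")]:
        print(path, "->", create_file("dhcpc_t", path, parent),
              "restorecon needed:", restorecon_needed("dhcpc_t", path, parent))
    print("dhcpc_t runs restorecon as:", restorecon_domain("dhcpc_t"))
    print("unconfined_t runs restorecon as:", restorecon_domain("unconfined_t"))
```

Under these constructed rules a file dhclient writes under /etc is born net_conf_t, which is exactly what file_contexts says it should be, so restorecon has nothing to correct; and dhcpc_t has no execute permission on restorecon_exec_t, so the call would be denied anyway. The same model shows why can_exec() is the wrong fix: without a process transition, restorecon_domain() returns the caller's own domain, which is where the policy-reading permissions would then have to be granted.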