X user (staff_r) running a root-level configuration helper through userhelper: xauth execution yields AVC denials
Francis K Shim
francis.shim at sympatico.ca
Thu Jun 17 12:08:53 UTC 2004
Edited to make the relevant details clear (the real username has been replaced with USER; each AVC denial is shown as the denied permission followed by the exe, name/path, scontext, tcontext and tclass fields; other fields were dropped):
execute_no_trans
exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth
scontext=user:staff_r:staff_userhelper_t
tcontext=system_u:object_r:xauth_exec_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=user
scontext=user:staff_r:staff_userhelper_t
tcontext=user:object_r:staff_home_dir_t
tclass=dir
add_name
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
create
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
link
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=.Xauthority
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:staff_home_xauth_t
tclass=file
remove_name
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
unlink
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
setattr
exe=/usr/sbin/userhelper
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
path=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
read
exe=/usr/X11R6/bin/xauth
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
getattr
exe=/usr/X11R6/bin/xauth
path=/home/USER/.xauthgxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
execute_no_trans
exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:xauth_exec_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=.Xauthority
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:staff_home_xauth_t
tclass=file
read
exe=/sbin/iptables
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:iptables_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
read
exe=/sbin/hwclock
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:hwclock_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
execute_no_trans
exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:xauth_exec_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=.Xauthority
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:staff_home_xauth_t
tclass=file
read
exe=/sbin/iptables
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:iptables_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
read
exe=/usr/sbin/ntpdate
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:ntpd_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
read
exe=/sbin/hwclock
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:hwclock_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
write
exe=/usr/sbin/userhelper
name=USER
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
remove_name
exe=/usr/sbin/userhelper
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
unlink
exe=/usr/sbin/userhelper
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
--
Francis K Shim <francis.shim at sympatico.ca>