X-user xauthed to execute a "root"/system level configuration helper yield denials
Russell Coker
russell at coker.com.au
Fri Jun 18 04:35:48 UTC 2004
On Thu, 17 Jun 2004 22:08, Francis K Shim <francis.shim at sympatico.ca> wrote:
> Edited to make relevant details clear:
>
> execute_no_trans
> exe=/usr/sbin/userhelper
> path=/usr/X11R6/bin/xauth
> scontext=user:staff_r:staff_userhelper_t
> tcontext=system_u:object_r:xauth_exec_t
> tclass=file
In macros/program/userhelper_macros.te at (or near) line 133 there is the
following:
domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
That expands to:
domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t)
It's strange that you aren't seeing it automatically run in staff_xauth_t.
What version of the policy are you using?
> read
> exe=/sbin/iptables
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:iptables_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
> read
> exe=/usr/sbin/ntpdate
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:ntpd_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
> read
> exe=/sbin/hwclock
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:hwclock_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
For these, I guess that the file handle is inherited from userhelper. The
code which opens /var/run/sudo/USER/unknown should either set it as
close-on-exec or explicitly close it before a child is executed.
> write
> exe=/usr/sbin/userhelper
> name=USER
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=dir
> remove_name
> exe=/usr/sbin/userhelper
> name=.xauthxxxxx
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=dir
> unlink
> exe=/usr/sbin/userhelper
> name=.xauthxxxxx
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=file
What's this about?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page