X-user xauthed to execute a "root"/system level configuration helper yield denials
Francis K Shim
francis.shim at sympatico.ca
Fri Jun 18 11:38:15 UTC 2004
On Fri, 2004-06-18 at 00:35, Russell Coker wrote:
> On Thu, 17 Jun 2004 22:08, Francis K Shim <francis.shim at sympatico.ca> wrote:
> > Edited to make relevant details clear:
> >
> > execute_no_trans
> > exe=/usr/sbin/userhelper
> > path=/usr/X11R6/bin/xauth
> > scontext=user:staff_r:staff_userhelper_t
> > tcontext=system_u:object_r:xauth_exec_t
> > tclass=file
>
> In macros/program/userhelper_macros.te at (or near) line 133 there is the
> following:
> domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
>
> That expands to:
> domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t)
>
> It's strange that you aren't seeing it automatically run in staff_xauth_t.
> What version of the policy are you using?
I checked the userhelper_macros.te file and what I have is the
following:
ifdef(`xauth.te', `
domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
')
The versions of the packages are as follows:
policy-sources-1.11.3-3
checkpolicy-1.10-1
policy-1.11.3-3
policycoreutils-1.11-2
libselinux-1.11.4-1
> > read
> > exe=/sbin/iptables
> > path=/var/run/sudo/USER/unknown
> > scontext=USER:system_r:iptables_t
> > tcontext=USER:object_r:pam_var_run_t
> > tclass=file
> > read
> > exe=/usr/sbin/ntpdate
> > path=/var/run/sudo/USER/unknown
> > scontext=USER:system_r:ntpd_t
> > tcontext=USER:object_r:pam_var_run_t
> > tclass=file
> > read
> > exe=/sbin/hwclock
> > path=/var/run/sudo/USER/unknown
> > scontext=USER:system_r:hwclock_t
> > tcontext=USER:object_r:pam_var_run_t
> > tclass=file
>
> For these, I guess that the file handle is inherited from userhelper. The
> code which opens /var/run/sudo/USER/unknown should either set it as
> close-on-exec or explicitly close it before a child is executed.
Okay. I am using the GNOME desktop manager and session manager so my
guess would be that it would be the gnome userhelper application.
>
> > write
> > exe=/usr/sbin/userhelper
> > name=USER
> > scontext=USER:staff_r:staff_userhelper_t
> > tcontext=USER:object_r:staff_home_dir_t
> > tclass=dir
> > remove_name
> > exe/usr/sbin/userhelper
> > name=.xauthxxxxx
> > scontext=USER:staff_r:staff_userhelper_t
> > tcontext=USER:object_r:staff_home_dir_t
> > tclass=dir
> > unlink
> > exe=/usr/sbin/userhelper
> > name=.xauthxxxxx
> > scontext=USER:staff_r:staff_userhelper_t
> > tcontext=USER:object_r:staff_home_dir_t
> > tclass=file
>
> What's this about?
I am not sure; however, I do remember restarting the userhelper
application and noticing that I was not being prompted for the root
password the second time around!!!... however, the third restart and on,
it seemed to prompt for the password. Puzzling. It might have to do
with a timing of the close of the child process from above.
--
Francis K Shim <francis.shim at sympatico.ca>
More information about the fedora-selinux-list
mailing list