On Fri, 2004-06-18 at 00:35, Russell Coker wrote:
On Thu, 17 Jun 2004 22:08, Francis K Shim
<francis.shim(a)sympatico.ca> wrote:
> Edited to make relevant details clear:
>
> execute_no_trans
> exe=/usr/sbin/userhelper
> path=/usr/X11R6/bin/xauth
> scontext=user:staff_r:staff_userhelper_t
> tcontext=system_u:object_r:xauth_exec_t
> tclass=file
In macros/program/userhelper_macros.te at (or near) line 133 there is the
following:
domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
That expands to:
domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t)
It's strange that you aren't seeing it automatically run in staff_xauth_t.
What version of the policy are you using?
I checked the userhelper_macros.te file and what I have is the
following:
ifdef(`xauth.te', `
domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
')
The versions of the packages are as follows:
policy-sources-1.11.3-3
checkpolicy-1.10-1
policy-1.11.3-3
policycoreutils-1.11-2
libselinux-1.11.4-1
> read
> exe=/sbin/iptables
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:iptables_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
> read
> exe=/usr/sbin/ntpdate
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:ntpd_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
> read
> exe=/sbin/hwclock
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:hwclock_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
For these, I guess that the file handle is inherited from userhelper. The
code which opens /var/run/sudo/USER/unknown should either set it as
close-on-exec or explicitly close it before a child is executed.
Okay. I am using the GNOME desktop manager and session manager so my
guess would be that it would be the gnome userhelper application.
> write
> exe=/usr/sbin/userhelper
> name=USER
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=dir
> remove_name
> exe/usr/sbin/userhelper
> name=.xauthxxxxx
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=dir
> unlink
> exe=/usr/sbin/userhelper
> name=.xauthxxxxx
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=file
What's this about?
I am not sure; however, I do remember restarting the userhelper
application and noticing that I was not being prompted for the root
password the second time around!!!... however, the third restart and on,
it seemed to prompt for the password. Puzzling. It might have to do
with a timing of the close of the child process from above.
--
Francis K Shim <francis.shim(a)sympatico.ca>