X-user xauthed to execute a "root"/system level configuration helper yield denials

Thursday, 17 June 2004

Edited to make relevant details clear:

execute_no_trans
	exe=/usr/sbin/userhelper
	path=/usr/X11R6/bin/xauth
	scontext=user:staff_r:staff_userhelper_t
	tcontext=system_u:object_r:xauth_exec_t
	tclass=file
write
	exe=/usr/X11R6/bin/xauth
	name=user
	scontext=user:staff_r:staff_userhelper_t
	tcontext=user:object_r:staff_home_dir_t
	tclass=dir
add_name
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority-c
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=dir
create
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority-c
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
link
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority-c
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
write
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=system_u:object_r:staff_home_xauth_t
	tclass=file
remove_name
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority-c
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=dir
unlink
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority-c
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
setattr
	exe=/usr/sbin/userhelper
	name=.xauthxxxxx
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
write
	exe=/usr/X11R6/bin/xauth
	path=.xauthxxxxx
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
read
	exe=/usr/X11R6/bin/xauth
	name=.xauthxxxxx
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
getattr
	exe=/usr/X11R6/bin/xauth
	path=/home/USER/.xauthgxxxxx
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file
execute_no_trans
	exe=/usr/sbin/userhelper
	path=/usr/X11R6/bin/xauth
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=system_u:object_r:xauth_exec_t
	tclass=file
write
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=system_u:object_r:staff_home_xauth_t
	tclass=file
read
	exe=/sbin/iptables
	path=/var/run/sudo/USER/unknown
	scontext=USER:system_r:iptables_t
	tcontext=USER:object_r:pam_var_run_t
	tclass=file
read
	exe=/sbin/hwclock
	path=/var/run/sudo/USER/unknown
	scontext=USER:system_r:hwclock_t
	tcontext=USER:object_r:pam_var_run_t
	tclass=file
execute_no_trans
	exe=/usr/sbin/userhelper
	path=/usr/X11R6/bin/xauth
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=system_u:object_r:xauth_exec_t
	tclass=file
write
	exe=/usr/X11R6/bin/xauth
	name=.Xauthority
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=system_u:object_r:staff_home_xauth_t
	tclass=file
read
	exe=/sbin/iptables
	path=/var/run/sudo/USER/unknown
	scontext=USER:system_r:iptables_t
	tcontext=USER:object_r:pam_var_run_t
	tclass=file
read
	exe=/usr/sbin/ntpdate
	path=/var/run/sudo/USER/unknown
	scontext=USER:system_r:ntpd_t
	tcontext=USER:object_r:pam_var_run_t
	tclass=file
read
	exe=/sbin/hwclock
	path=/var/run/sudo/USER/unknown
	scontext=USER:system_r:hwclock_t
	tcontext=USER:object_r:pam_var_run_t
	tclass=file
write
	exe=/usr/sbin/userhelper
	name=USER
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=dir
remove_name
	exe/usr/sbin/userhelper
	name=.xauthxxxxx
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=dir
unlink
	exe=/usr/sbin/userhelper
	name=.xauthxxxxx
	scontext=USER:staff_r:staff_userhelper_t
	tcontext=USER:object_r:staff_home_dir_t
	tclass=file

-- 
Francis K Shim <francis.shim(a)sympatico.ca&gt;

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004