userhelper consolehelper role

Daniel J Walsh dwalsh at redhat.com
Thu May 27 13:30:36 UTC 2010


On 05/25/2010 08:29 PM, Matthew Ife wrote:
> It would appear that this is a new macro in fedora 13 but I don't believe
> it is complete.
> 
> Whenever you run consolehelper from a RBAC account (in my case staff_t)
> it does not work. When I ran audit2allow it was apparent a whole bunch
> of different access vectors are needed to properly run graphical
> utilities that might take advantage of consolehelper.
> 
> Running as sysadm_t was unaffected (I assume there's no transition in
> this type to a consolehelper domain). I was running the command
> "system-config-users" at the time.
> 
> Here is the audit2allow output. I've not sanitized this at all to find
> out what is really relevant and what isn't.
> 
> require {
> 	type staff_t;
> 	type sysadm_t;
> 	type staff_consolehelper_t;
> 	type admin_home_t;
> 	type xdm_var_run_t;
> 	type xauth_exec_t;
> 	type xauth_home_t;
> 	class process { setsched transition };
> 	class capability { sys_nice chown dac_override };
> 	class dir { write search remove_name add_name };
> 	class shm { unix_read write unix_write read destroy create };
> 	class file { execute setattr read create execute_no_trans write getattr
> link unlink open };
> 	role sysadm_r;
> }
> 
> #============= staff_consolehelper_t ==============
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of
> the following type:
> # pcscd_var_run_t
> 
> allow staff_consolehelper_t admin_home_t:dir { write remove_name search
> add_name };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of
> the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
> 
> allow staff_consolehelper_t admin_home_t:file { write getattr link read
> create unlink open };
> allow staff_consolehelper_t self:capability { sys_nice chown
> dac_override };
> allow staff_consolehelper_t self:process setsched;
> allow staff_consolehelper_t self:shm { unix_read write unix_write read
> destroy create };
> allow staff_consolehelper_t xauth_exec_t:file { read execute open
> execute_no_trans };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of
> the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
> 
> allow staff_consolehelper_t xauth_home_t:file { write getattr setattr
> read create unlink open };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of
> the following type:
> # pcscd_var_run_t
> 
> allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name
> add_name };
> allow staff_consolehelper_t xdm_var_run_t:file { write create unlink
> link };
> auth_read_pam_pid(staff_consolehelper_t)
> corecmd_shell_entry_type(staff_consolehelper_t)
> files_list_tmp(staff_consolehelper_t)
> files_read_usr_files(staff_consolehelper_t)
> files_read_usr_symlinks(staff_consolehelper_t)
> files_rw_etc_files(staff_consolehelper_t)
> files_search_home(staff_consolehelper_t)
> fs_getattr_xattr_fs(staff_consolehelper_t)
> fs_rw_tmpfs_files(staff_consolehelper_t)
> gnome_read_gconf_home_files(staff_consolehelper_t)
> kernel_read_system_state(staff_consolehelper_t)
> miscfiles_read_fonts(staff_consolehelper_t)
> rpm_delete_db(staff_consolehelper_t)
> rpm_read_db(staff_consolehelper_t)
> userdom_list_user_home_dirs(staff_consolehelper_t)
> userdom_read_user_home_content_files(staff_consolehelper_t)
> 

Currently I do not have plans to support most of the consolehelper commands
from a confined user. In a few cases (shutdown), I have fixed the
code. The problem with most of the consolehelper apps is that they give too many
privs. I believe staff_t should be the role of a confined administrator.
If staff_t can run all of the system-config-* tools, it is unconfined.
Fedora is going away from consolehelper apps towards dbus activation.
We actually have a system-config-selinux package that is being dbusified.
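The audit2allow dump quoted above is exactly the kind of output that has to be sanitized before any of it becomes policy, and Dan's point is that the grants it asks for would make staff_t effectively unconfined. As an added illustration (not code from this thread, from Fedora, or from the reference policy), here is a small Python triage script that parses audit2allow-style `allow` rules and interface calls, re-joins the permission sets that audit2allow wraps across lines, and flags the grants a reviewer would refuse for a confined role: capabilities such as dac_override and chown, write access to admin_home_t (root's home), execute_no_trans on another domain's entrypoint, and broad interfaces such as files_rw_etc_files and rpm_delete_db. The sample policy text is a trimmed copy of the quoted output, and the "high"/"medium" lists are my own assumptions for this example, not anything the policy itself defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the audit2allow output quoted in the thread,
# including the line-wrapped permission sets that audit2allow emits.
SAMPLE_TE = """
require {
	type staff_consolehelper_t;
	type admin_home_t;
	type xauth_exec_t;
	class capability { sys_nice chown dac_override };
	class file { execute read execute_no_trans write getattr open };
}
allow staff_consolehelper_t admin_home_t:dir { write remove_name search
add_name };
allow staff_consolehelper_t self:capability { sys_nice chown
dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t xauth_exec_t:file { read execute open
execute_no_trans };
files_rw_etc_files(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
files_list_tmp(staff_consolehelper_t)
"""


@dataclass
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


# "allow SRC TGT:CLASS PERM;" or "allow SRC TGT:CLASS { p1 p2 ... };"
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")
# Interface calls emitted by audit2allow -R, one per line: name(arg)
IFACE_RE = re.compile(r"^([a-z_]+)\(([^)]*)\)\s*$", re.MULTILINE)

# Review thresholds assumed for this example (not a policy-defined list).
HIGH_CAPS = {"dac_override", "dac_read_search", "chown", "fowner",
             "setuid", "setgid", "sys_admin", "sys_module", "sys_ptrace"}
WRITE_PERMS = {"write", "create", "unlink", "add_name", "remove_name"}
HIGH_INTERFACES = {"files_rw_etc_files", "rpm_delete_db"}


def parse_te(text):
    """Return (allow rules, interface calls) from audit2allow-style .te text."""
    # Collapse the line wraps so a rule's permission set is matched as one unit.
    flat = re.sub(r"\s+", " ", text)
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(flat):
        permset = frozenset(perms.strip("{} ").split())
        rules.append(AllowRule(src, tgt, cls, permset))
    ifaces = [(name, arg.strip()) for name, arg in IFACE_RE.findall(text)]
    return rules, ifaces


def assess(rules, ifaces):
    """Flag grants that would hand a confined role unconfined-style power."""
    findings = []
    for r in rules:
        caps = r.perms & HIGH_CAPS
        if r.tclass == "capability" and caps:
            findings.append(("high", f"{r.source} gains capabilities {sorted(caps)}"))
        if r.target == "admin_home_t" and r.perms & WRITE_PERMS:
            findings.append(("high", f"{r.source} can modify root's home ({r.tclass})"))
        if r.tclass == "file" and "execute_no_trans" in r.perms:
            findings.append(("medium", f"{r.source} executes {r.target} with no domain transition"))
    for name, arg in ifaces:
        if name in HIGH_INTERFACES:
            findings.append(("high", f"{arg} is granted {name}()"))
    return findings


def triage(text):
    rules, ifaces = parse_te(text)
    return assess(rules, ifaces)


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_TE):
        print(f"[{severity}] {message}")
```

Run against the sample it reports four high findings and one medium one; the remaining grants (setsched, files_list_tmp) pass through silently, which is the point: the script is a first filter so a reviewer can concentrate on the rules that actually decide whether the domain is still confined.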