[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: X-user xauthed to execute a "root"/system level configuration helper yield denials



On Fri, 2004-06-18 at 00:35, Russell Coker wrote:
> On Thu, 17 Jun 2004 22:08, Francis K Shim <francis shim sympatico ca> wrote:
> > Edited to make relevant details clear:
> >
> > execute_no_trans
> > 	exe=/usr/sbin/userhelper
> > 	path=/usr/X11R6/bin/xauth
> > 	scontext=user:staff_r:staff_userhelper_t
> > 	tcontext=system_u:object_r:xauth_exec_t
> > 	tclass=file
> 
> In macros/program/userhelper_macros.te at (or near) line 133 there is the 
> following:
> domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
> 
> That expands to:
> domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t)
> 
> It's strange that you aren't seeing it automatically run in staff_xauth_t.
> What version of the policy are you using?

I checked the userhelper_macros.te file and what I have is the
following:

ifdef(`xauth.te', `
domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
')

The versions of the packages are as follows:

policy-sources-1.11.3-3
checkpolicy-1.10-1
policy-1.11.3-3
policycoreutils-1.11-2
libselinux-1.11.4-1

> > read
> > 	exe=/sbin/iptables
> > 	path=/var/run/sudo/USER/unknown
> > 	scontext=USER:system_r:iptables_t
> > 	tcontext=USER:object_r:pam_var_run_t
> > 	tclass=file
> > read
> > 	exe=/usr/sbin/ntpdate
> > 	path=/var/run/sudo/USER/unknown
> > 	scontext=USER:system_r:ntpd_t
> > 	tcontext=USER:object_r:pam_var_run_t
> > 	tclass=file
> > read
> > 	exe=/sbin/hwclock
> > 	path=/var/run/sudo/USER/unknown
> > 	scontext=USER:system_r:hwclock_t
> > 	tcontext=USER:object_r:pam_var_run_t
> > 	tclass=file
> 
> For these, I guess that the file handle is inherited from userhelper.  The 
> code which opens /var/run/sudo/USER/unknown should either set it as 
> close-on-exec or explicitly close it before a child is executed.

Okay.  I am using the GNOME desktop manager and session manager so my
guess would be that it would be the gnome userhelper application.

> 
> > write
> > 	exe=/usr/sbin/userhelper
> > 	name=USER
> > 	scontext=USER:staff_r:staff_userhelper_t
> > 	tcontext=USER:object_r:staff_home_dir_t
> > 	tclass=dir
> > remove_name
> > 	exe/usr/sbin/userhelper
> > 	name=.xauthxxxxx
> > 	scontext=USER:staff_r:staff_userhelper_t
> > 	tcontext=USER:object_r:staff_home_dir_t
> > 	tclass=dir
> > unlink
> > 	exe=/usr/sbin/userhelper
> > 	name=.xauthxxxxx
> > 	scontext=USER:staff_r:staff_userhelper_t
> > 	tcontext=USER:object_r:staff_home_dir_t
> > 	tclass=file
> 
> What's this about?

I am not sure; however, I do remember restarting the userhelper
application and noticing that I was not being prompted for the root
password the second time around!!!... however, the third restart and on,
it seemed to prompt for the password.  Puzzling.  It might have to do
with a timing of the close of the child process from above.


-- 
Francis K Shim <francis shim sympatico ca>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]