userhelper consolehelper role
It would appear that this is a new macro in Fedora 13 but I don't believe it is complete.

Whenever you run consolehelper from an RBAC account (in my case staff_t) it does not work. When I ran audit2allow it was apparent that a whole bunch of different access vectors are needed to properly run graphical utilities that might take advantage of consolehelper.

Running as sysadm_t was unaffected (I assume there's no transition in this type to a consolehelper domain). I was running the command "system-config-users" at the time.

Here is the audit2allow output. I've not sanitized this at all to find out what is really relevant and what isn't.

require {
	type staff_t;
	type sysadm_t;
	type staff_consolehelper_t;
	type admin_home_t;
	type xdm_var_run_t;
	type xauth_exec_t;
	type xauth_home_t;
	class process { setsched transition };
	class capability { sys_nice chown dac_override };
	class dir { write search remove_name add_name };
	class shm { unix_read write unix_write read destroy create };
	class file { execute setattr read create execute_no_trans write getattr link unlink open };
	role sysadm_r;
}

#============= staff_consolehelper_t ==============
#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t

allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
#!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
# pcscd_var_run_t, krb5_host_rcache_t

allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
# pcscd_var_run_t, krb5_host_rcache_t

allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };
#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t

allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
auth_read_pam_pid(staff_consolehelper_t)
corecmd_shell_entry_type(staff_consolehelper_t)
files_list_tmp(staff_consolehelper_t)
files_read_usr_files(staff_consolehelper_t)
files_read_usr_symlinks(staff_consolehelper_t)
files_rw_etc_files(staff_consolehelper_t)
files_search_home(staff_consolehelper_t)
fs_getattr_xattr_fs(staff_consolehelper_t)
fs_rw_tmpfs_files(staff_consolehelper_t)
gnome_read_gconf_home_files(staff_consolehelper_t)
kernel_read_system_state(staff_consolehelper_t)
miscfiles_read_fonts(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
rpm_read_db(staff_consolehelper_t)
userdom_list_user_home_dirs(staff_consolehelper_t)
userdom_read_user_home_content_files(staff_consolehelper_t)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
userhelper consolehelper role
On 05/25/2010 08:29 PM, Matthew Ife wrote:
> It would appear that this is a new macro in Fedora 13 but I don't believe
> it is complete.
>
> Whenever you run consolehelper from an RBAC account (in my case staff_t)
> it does not work. When I ran audit2allow it was apparent that a whole bunch
> of different access vectors are needed to properly run graphical
> utilities that might take advantage of consolehelper.
>
> Running as sysadm_t was unaffected (I assume there's no transition in
> this type to a consolehelper domain). I was running the command
> "system-config-users" at the time.
>
> Here is the audit2allow output. I've not sanitized this at all to find
> out what is really relevant and what isn't.
>
> require {
> 	type staff_t;
> 	type sysadm_t;
> 	type staff_consolehelper_t;
> 	type admin_home_t;
> 	type xdm_var_run_t;
> 	type xauth_exec_t;
> 	type xauth_home_t;
> 	class process { setsched transition };
> 	class capability { sys_nice chown dac_override };
> 	class dir { write search remove_name add_name };
> 	class shm { unix_read write unix_write read destroy create };
> 	class file { execute setattr read create execute_no_trans write getattr
> 	link unlink open };
> 	role sysadm_r;
> }
>
> #============= staff_consolehelper_t ==============
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of
> the following type:
> # pcscd_var_run_t
>
> allow staff_consolehelper_t admin_home_t:dir { write remove_name search
> add_name };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of
> the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
>
> allow staff_consolehelper_t admin_home_t:file { write getattr link read
> create unlink open };
> allow staff_consolehelper_t self:capability { sys_nice chown
> dac_override };
> allow staff_consolehelper_t self:process setsched;
> allow staff_consolehelper_t self:shm { unix_read write unix_write read
> destroy create };
> allow staff_consolehelper_t xauth_exec_t:file { read execute open
> execute_no_trans };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of
> the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
>
> allow staff_consolehelper_t xauth_home_t:file { write getattr setattr
> read create unlink open };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of
> the following type:
> # pcscd_var_run_t
>
> allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name
> add_name };
> allow staff_consolehelper_t xdm_var_run_t:file { write create unlink
> link };
> auth_read_pam_pid(staff_consolehelper_t)
> corecmd_shell_entry_type(staff_consolehelper_t)
> files_list_tmp(staff_consolehelper_t)
> files_read_usr_files(staff_consolehelper_t)
> files_read_usr_symlinks(staff_consolehelper_t)
> files_rw_etc_files(staff_consolehelper_t)
> files_search_home(staff_consolehelper_t)
> fs_getattr_xattr_fs(staff_consolehelper_t)
> fs_rw_tmpfs_files(staff_consolehelper_t)
> gnome_read_gconf_home_files(staff_consolehelper_t)
> kernel_read_system_state(staff_consolehelper_t)
> miscfiles_read_fonts(staff_consolehelper_t)
> rpm_delete_db(staff_consolehelper_t)
> rpm_read_db(staff_consolehelper_t)
> userdom_list_user_home_dirs(staff_consolehelper_t)
> userdom_read_user_home_content_files(staff_consolehelper_t)
>

Currently I do not have plans to support most consolehelper commands from a confined user. In a few cases (shutdown), I have fixed the code.

The problem with most consolehelper apps is that they give too many privs. I believe staff_t should be the role of a confined administrator. If staff_t can run all of the system-config-* tools, it is unconfined.

Fedora is going away from consolehelper apps towards dbus activation. We actually have a system-config-selinux package that is being dbusified.
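The audit2allow dump in the first post and the reply's objection that these rules hand a confined domain too much privilege point at a step the thread itself does not show: triaging audit2allow output before it is turned into a policy module and loaded. The script below is an added example, not code from the thread or from the Fedora SELinux policy. It embeds the allow rules and interface calls from the first post as constructed sample input (the `require` block is omitted), parses them, and flags the items a policy reviewer would refuse to grant to a domain such as staff_consolehelper_t. The lists of risky capabilities, sensitive target types and interfaces, and the rationale strings, are the example's own choices and assumptions, not anything stated in the thread.

```python
"""Triage audit2allow output before building a policy module from it.

Added example (not from the mailing-list thread or the Fedora policy):
parse the allow rules and interface calls that audit2allow printed and
flag the ones a reviewer would not load blindly into a confined domain.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the rules and interface calls quoted in the thread,
# with their original line breaks restored; the require block is left out.
SAMPLE = """\
#============= staff_consolehelper_t ==============
#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t

allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };
allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
auth_read_pam_pid(staff_consolehelper_t)
corecmd_shell_entry_type(staff_consolehelper_t)
files_list_tmp(staff_consolehelper_t)
files_read_usr_files(staff_consolehelper_t)
files_read_usr_symlinks(staff_consolehelper_t)
files_rw_etc_files(staff_consolehelper_t)
files_search_home(staff_consolehelper_t)
fs_getattr_xattr_fs(staff_consolehelper_t)
fs_rw_tmpfs_files(staff_consolehelper_t)
gnome_read_gconf_home_files(staff_consolehelper_t)
kernel_read_system_state(staff_consolehelper_t)
miscfiles_read_fonts(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
rpm_read_db(staff_consolehelper_t)
userdom_list_user_home_dirs(staff_consolehelper_t)
userdom_read_user_home_content_files(staff_consolehelper_t)
"""

# "allow src tgt:class { p1 p2 };" or "allow src tgt:class p1;" at line start.
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)
# Reference-policy interface calls such as "rpm_delete_db(staff_consolehelper_t)".
IFACE_RE = re.compile(r"^(\w+)\((\w+)\)\s*$", re.M)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_rules(text):
    """Return the allow rules found in audit2allow output; comments are skipped."""
    rules = []
    for m in ALLOW_RE.finditer(text):
        src, tgt, tclass, many, single = m.groups()
        perms = frozenset(many.split()) if many is not None else frozenset([single])
        rules.append(AllowRule(src, tgt, tclass, perms))
    return rules


def parse_interfaces(text):
    """Return (interface, domain) pairs for the interface calls in the output."""
    return [(m.group(1), m.group(2)) for m in IFACE_RE.finditer(text)]


# Permissions that modify a file or directory rather than merely observe it.
WRITE_PERMS = {"write", "append", "create", "unlink", "link", "rename",
               "setattr", "add_name", "remove_name"}

# Review criteria assumed by this example (the reviewer's rationale, not the thread's).
RISKY_CAPS = {
    "dac_override": "bypasses ordinary file permission checks",
    "chown": "can change file ownership",
}
SENSITIVE_TARGETS = {
    "admin_home_t": "root's home directory",
    "xauth_home_t": "the user's X authority cookie file",
    "xdm_var_run_t": "display manager runtime state",
}
RISKY_INTERFACES = {
    "rpm_delete_db": "can delete the RPM database",
    "files_rw_etc_files": "read/write access to files under /etc",
}


def triage(text):
    """Return one human-readable finding per rule a reviewer should question."""
    findings = []
    for r in parse_rules(text):
        if r.tclass == "capability" and r.target == "self":
            for cap in sorted(p for p in r.perms if p in RISKY_CAPS):
                findings.append(f"{r.source}: capability {cap}: {RISKY_CAPS[cap]}")
        elif r.tclass in ("file", "dir", "lnk_file") and r.perms & WRITE_PERMS:
            if r.target in SENSITIVE_TARGETS:
                findings.append(f"{r.source}: write access to {r.target} ({r.tclass}): "
                                f"{SENSITIVE_TARGETS[r.target]}")
    for iface, domain in parse_interfaces(text):
        if iface in RISKY_INTERFACES:
            findings.append(f"{domain}: {iface}: {RISKY_INTERFACES[iface]}")
    return findings


def verdict(text):
    """'reject' when anything was flagged: the module needs a design decision, not a load."""
    return "reject" if triage(text) else "review"


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG", finding)
    print("verdict:", verdict(SAMPLE))
```

Run as a script it prints one FLAG line per finding and the verdict; for a real case call `triage()` on the text that `audit2allow -a` produced instead of `SAMPLE`. The point of the verdict is the one the reply makes: when the flagged rules amount to "let staff_t do everything root can", the fix is a different design (a narrower helper domain, or dbus activation with a privileged service), not a bigger module.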