`sudo -u $USER` blocked in SELinux

I have a collection of scripts that rotate the screen and input devices
on ThinkPad Tablet devices (the X220 Tablet and the like). There, a hook is
installed into acpi which contains this:

    event=ibm/hotkey HKEY 00000080 0000500[9a]
    action=/usr/bin/thinkpad-rotate-hook %e

In that hook script we essentially do this:

    sudo -u $user -i env DISPLAY=:0.0 \
        /usr/bin/thinkpad-rotate $set_to --via-hook

This is the section of our code:
https://github.com/martin-ueding/thinkpad-scripts/blob/master/tps/hooks.py#L123

The content of `$user` is queried from `who -u`. This has worked just
fine on Ubuntu and Arch Linux but fails on Fedora. In the journal I get
the following (dates and hostname removed):

    thinkpad-rotate-hook[28661]: video/tabletmode TBLT 0000008A 00000001
    audit[28666]: AVC avc:  denied  { setgid } for  pid=28666 comm="sudo" capability=6  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=0
    python3[28663]: detected unhandled Python exception in '/usr/bin/thinkpad-rotate-hook'
    abrt-server[28668]: Package 'thinkpad-scripts' isn't signed with proper key
    abrt-server[28668]: 'post-create' on '/var/spool/abrt/Python3-2016-03-27-17:39:50-28663' exited with 1
    abrt-server[28668]: Deleting problem directory '/var/spool/abrt/Python3-2016-03-27-17:39:50-28663'
    thinkpad-rotate-hook[28671]: video/tabletmode TBLT 0000008A 00000000
    audit[28676]: AVC avc:  denied  { setgid } for  pid=28676 comm="sudo" capability=6  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=0
    python3[28673]: detected unhandled Python exception in '/usr/bin/thinkpad-rotate-hook'
    abrt-server[28678]: Not saving repeating crash in '/usr/bin/thinkpad-rotate-hook'

So I realize that this is from the Access Vector Cache (AVC) and comes from
SELinux. I would like to either rewrite my collection of scripts such
that it works without `sudo -u` or add a rule to SELinux in order to
allow this particular thing. As I am extremely inexperienced with
SELinux I do not know where to start. And even if I managed to add
an exception, I would probably introduce a larger attack surface than
needed.

I would greatly appreciate it if somebody could point me in the right
direction for this one. :-)

---

This `sudo -u` is used as we call programs like `xrandr` and `xinput`
which need to have `DISPLAY` set and also seem to need some part of the
environment (D-Bus?). Using `sudo -u` has given us a sufficient
environment to call those programs in the right context. Of course,
there must be some way for root to do these things as well.

This is my own upstream bug report:

https://github.com/martin-ueding/thinkpad-scripts/issues/116
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
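Editor's note, appended to the archived post: the denial quoted above is a capability check against the hook's SELinux domain (scontext apmd_t), not against sudo itself, so swapping `sudo -u` for `runuser` or for `os.setgid()` in the Python hook hits the same check as long as the hook runs in apmd_t. Below is an added example (not part of the post and not thinkpad-scripts code) that parses AVC denial records of the form shown in the journal and renders the type-enforcement rule that `audit2allow -M` would emit for them. The sample journal text is constructed from the quoted log lines; `AvcDenial`, `parse_avc`, `te_rule`, `to_module` and the module name `thinkpad_apmd` are this example's own names.

```python
"""Turn SELinux AVC denial records into the .te rules audit2allow would print.

Added example for the thread above; not thinkpad-scripts code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the journal excerpt quoted in the post, with each
# mail-wrapped audit line joined back onto one line.
SAMPLE_JOURNAL = """\
thinkpad-rotate-hook[28661]: video/tabletmode TBLT 0000008A 00000001
audit[28666]: AVC avc:  denied  { setgid } for  pid=28666 comm="sudo" capability=6  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=0
python3[28663]: detected unhandled Python exception in '/usr/bin/thinkpad-rotate-hook'
thinkpad-rotate-hook[28671]: video/tabletmode TBLT 0000008A 00000000
audit[28676]: AVC avc:  denied  { setgid } for  pid=28676 comm="sudo" capability=6  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple        # permissions denied, e.g. ("setgid",)
    comm: str           # command name of the denied process
    scontext: str       # source (process) security context
    tcontext: str       # target security context
    tclass: str         # object class, e.g. "capability"
    permissive: bool    # True if the domain was only logging, not enforcing

    @property
    def source_type(self) -> str:
        # user:role:type:level -> TE rules are written against the type
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one journal line; return None if it is not an AVC denial record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive", "0") == "1",
    )


def denials_from(journal: str) -> List[AvcDenial]:
    """All AVC denials in a block of journal text, in order."""
    return [d for d in (parse_avc(line) for line in journal.splitlines()) if d]


def te_rule(d: AvcDenial) -> str:
    """The single allow rule that would satisfy this denial (audit2allow's shape)."""
    target = "self" if d.scontext == d.tcontext else d.target_type
    return f"allow {d.source_type} {target}:{d.tclass} {' '.join(d.perms)};"


def to_module(denials: List[AvcDenial], name: str) -> str:
    """Render a minimal .te policy module covering the denials, de-duplicated."""
    rules = sorted({te_rule(d) for d in denials})
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes = sorted({(d.tclass, " ".join(d.perms)) for d in denials})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {p} }};" for c, p in classes]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_module(denials_from(SAMPLE_JOURNAL), "thinkpad_apmd"))
    # permissive=0 in the record means the kernel refused the first capability
    # sudo asked for and the process died there. sudo -u also changes uid, so a
    # rule for setgid alone is unlikely to be the whole set; run the hook once
    # with `semanage permissive -a apmd_t` to log every denial, then remove it
    # again with `semanage permissive -d apmd_t` before loading any module.
```

The rendered rule, `allow apmd_t self:capability setgid;`, grants the whole apmd_t domain (every acpid action, not only this hook) the ability to change group id; that is the "larger attack surface" the post worries about, and it is the reason the policy route should be compared against running the user-facing part of the script inside the user's own session rather than from the acpi hook.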
