On Thu, 17 Jun 2004 22:08, Francis K Shim <francis.shim@xxxxxxxxxxxx> wrote:
> Edited to make relevant details clear:
>
> execute_no_trans
> exe=/usr/sbin/userhelper
> path=/usr/X11R6/bin/xauth
> scontext=user:staff_r:staff_userhelper_t
> tcontext=system_u:object_r:xauth_exec_t
> tclass=file

In macros/program/userhelper_macros.te at (or near) line 133 there is the following:

domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)

That expands to:

domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t)

It's strange that you aren't seeing it automatically run in staff_xauth_t. What version of the policy are you using?

> read
> exe=/sbin/iptables
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:iptables_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
>
> read
> exe=/usr/sbin/ntpdate
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:ntpd_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file
>
> read
> exe=/sbin/hwclock
> path=/var/run/sudo/USER/unknown
> scontext=USER:system_r:hwclock_t
> tcontext=USER:object_r:pam_var_run_t
> tclass=file

For these, I guess that the file handle is inherited from userhelper. The code which opens /var/run/sudo/USER/unknown should either set it as close-on-exec or explicitly close it before a child is executed.

> write
> exe=/usr/sbin/userhelper
> name=USER
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=dir
>
> remove_name
> exe/usr/sbin/userhelper
> name=.xauthxxxxx
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=dir
>
> unlink
> exe=/usr/sbin/userhelper
> name=.xauthxxxxx
> scontext=USER:staff_r:staff_userhelper_t
> tcontext=USER:object_r:staff_home_dir_t
> tclass=file

What's this about?
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
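Added illustration of the close-on-exec point in the reply above (not part of the original message, and it makes no claim about how userhelper or sudo actually open the file): the leaky open beside the two fixes, checked by exec()ing a shell and testing whether the descriptor is still there. The path and function names are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
enum { LEAKY = 0, OPEN_CLOEXEC = 1, FCNTL_CLOEXEC = 2 };  /* how the state file is opened */

/* Open a scratch "state file" the way a setuid helper might; optionally
 * mark it close-on-exec at open() time or afterwards with fcntl(). */
static int open_state_file(const char *path, int mode) {
    int flags = O_RDWR | (mode == OPEN_CLOEXEC ? O_CLOEXEC : 0);
    int fd = open(path, flags, 0600);
    if (fd >= 0 && mode == FCNTL_CLOEXEC)
        fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
    return fd;
}

/* Fork and exec /bin/sh, which tries to read from our descriptor number.
 * The redirection fails with EBADF if execve() closed the fd, so exit
 * status 0 means it leaked.  Returns 1 (leaked), 0 (closed), -1 (error). */
static int fd_survives_exec(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) dup2(devnull, 2);  /* hide the shell's EBADF message */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Returns 1 when an exec()ed child inherits the state file, 0 when not. */
int leak_demo(int mode) {
    char path[] = "/tmp/unknown-XXXXXX";  /* constructed stand-in for /var/run/sudo/USER/unknown */
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);
    int fd = open_state_file(path, mode);
    unlink(path);
    if (fd < 0) return -1;
    int leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}
```

Run with LEAKY the child still holds the descriptor, which is exactly what produces an AVC denial in the child's domain (iptables_t, ntpd_t, hwclock_t) against pam_var_run_t; with either fix the descriptor is gone by the time the child runs.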