It would appear that this is a new macro in Fedora 13, but I don't believe it is complete. Whenever you run consolehelper from an RBAC account (in my case staff_t) it does not work. When I ran audit2allow it was apparent that a whole bunch of different access vectors are needed to properly run graphical utilities that might take advantage of consolehelper. Running as sysadm_t was unaffected (I assume there's no transition in this type to a consolehelper domain). I was running the command "system-config-users" at the time.

Here is the audit2allow output. I've not sanitized this at all to find out what is really relevant and what isn't, so treat it as a raw list of denials rather than a proposed policy.

require {
	type staff_t;
	type sysadm_t;
	type staff_consolehelper_t;
	type admin_home_t;
	type xdm_var_run_t;
	type xauth_exec_t;
	type xauth_home_t;
	class process { setsched transition };
	class capability { sys_nice chown dac_override };
	class dir { write search remove_name add_name };
	class shm { unix_read write unix_write read destroy create };
	class file { execute setattr read create execute_no_trans write getattr link unlink open };
	role sysadm_r;
}

#============= staff_consolehelper_t ==============
#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t
allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
#!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
# pcscd_var_run_t, krb5_host_rcache_t
allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
# pcscd_var_run_t, krb5_host_rcache_t
allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };
#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t
allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
auth_read_pam_pid(staff_consolehelper_t)
corecmd_shell_entry_type(staff_consolehelper_t)
files_list_tmp(staff_consolehelper_t)
files_read_usr_files(staff_consolehelper_t)
files_read_usr_symlinks(staff_consolehelper_t)
files_rw_etc_files(staff_consolehelper_t)
files_search_home(staff_consolehelper_t)
fs_getattr_xattr_fs(staff_consolehelper_t)
fs_rw_tmpfs_files(staff_consolehelper_t)
gnome_read_gconf_home_files(staff_consolehelper_t)
kernel_read_system_state(staff_consolehelper_t)
miscfiles_read_fonts(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
rpm_read_db(staff_consolehelper_t)
userdom_list_user_home_dirs(staff_consolehelper_t)
userdom_read_user_home_content_files(staff_consolehelper_t)