On 05/25/2010 08:29 PM, Matthew Ife wrote:
> It would appear that this is a new macro in Fedora 13, but I don't believe
> it is complete.
>
> Whenever you run consolehelper from an RBAC account (in my case staff_t)
> it does not work. When I ran audit2allow it was apparent that a whole bunch
> of different access vectors are needed to properly run graphical
> utilities that might take advantage of consolehelper.
>
> Running as sysadm_t was unaffected (I assume there's no transition in
> this type to a consolehelper domain). I was running the command
> "system-config-users" at the time.
>
> Here is the audit2allow output. I've not sanitized this at all to find
> out what is really relevant and what isn't.
>
> require {
>         type staff_t;
>         type sysadm_t;
>         type staff_consolehelper_t;
>         type admin_home_t;
>         type xdm_var_run_t;
>         type xauth_exec_t;
>         type xauth_home_t;
>         class process { setsched transition };
>         class capability { sys_nice chown dac_override };
>         class dir { write search remove_name add_name };
>         class shm { unix_read write unix_write read destroy create };
>         class file { execute setattr read create execute_no_trans write getattr link unlink open };
>         role sysadm_r;
> }
>
> #============= staff_consolehelper_t ==============
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
> # pcscd_var_run_t
>
> allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
>
> allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
> allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
> allow staff_consolehelper_t self:process setsched;
> allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
> allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
>
> allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
> # pcscd_var_run_t
>
> allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
> allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
> auth_read_pam_pid(staff_consolehelper_t)
> corecmd_shell_entry_type(staff_consolehelper_t)
> files_list_tmp(staff_consolehelper_t)
> files_read_usr_files(staff_consolehelper_t)
> files_read_usr_symlinks(staff_consolehelper_t)
> files_rw_etc_files(staff_consolehelper_t)
> files_search_home(staff_consolehelper_t)
> fs_getattr_xattr_fs(staff_consolehelper_t)
> fs_rw_tmpfs_files(staff_consolehelper_t)
> gnome_read_gconf_home_files(staff_consolehelper_t)
> kernel_read_system_state(staff_consolehelper_t)
> miscfiles_read_fonts(staff_consolehelper_t)
> rpm_delete_db(staff_consolehelper_t)
> rpm_read_db(staff_consolehelper_t)
> userdom_list_user_home_dirs(staff_consolehelper_t)
> userdom_read_user_home_content_files(staff_consolehelper_t)
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Currently I do not have plans to support most of the consolehelper commands from a confined user. In a few cases (shutdown), I have fixed the code.

The problem with most of the consolehelper apps is that they give too many privs. I believe staff_t should be the role of a confined administrator. If staff_t can run all of the system-config-* tools, it is unconfined.

Fedora is going away from consolehelper apps towards dbus activation. We actually have a system-config-selinux package that is being dbusified.
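The reply's point is that the audit2allow output above is not a policy fix but a list of everything the tool saw denied; accepting it wholesale would hand staff_consolehelper_t write access to root's home, /etc and the RPM database plus the chown and dac_override capabilities, which is what "unconfined" means in practice. The following is an added example, not code from this thread, from Fedora or from the refpolicy project: it parses audit2allow-style allow rules and interface calls (a constructed subset of the rules quoted above is embedded as sample input) and flags the ones a policy reviewer should not accept without asking why the program needs them. The sets of "risky" capabilities, target types and interfaces are this example's own reviewer heuristics, not anything defined by SELinux or Fedora.

```python
"""Triage audit2allow output before turning it into a policy module.

Added example for the consolehelper/staff_t thread; not code from the list,
from Fedora or from refpolicy. audit2allow emits whatever rules would silence
the denials it saw; the reviewer's job is to decide which of them would make
the domain effectively unconfined.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the audit2allow rules quoted in the thread.
SAMPLE_RULES = """\
#============= staff_consolehelper_t ==============
allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
files_rw_etc_files(staff_consolehelper_t)
miscfiles_read_fonts(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
rpm_read_db(staff_consolehelper_t)
"""

# "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS p1;"
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;$")
# Refpolicy interface call: "name(domain)"
IFACE_RE = re.compile(r"^(\w+)\((\w+)\)$")


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class InterfaceCall:
    name: str
    domain: str


def parse_rules(text):
    """Parse audit2allow's allow rules and interface calls; comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, multi, single = m.groups()
            perms = frozenset(multi.split()) if multi is not None else frozenset([single])
            rules.append(AllowRule(src, tgt, cls, perms))
            continue
        m = IFACE_RE.match(line)
        if m:
            rules.append(InterfaceCall(m.group(1), m.group(2)))
    return rules


# Reviewer heuristics: assumptions of this example, not SELinux or Fedora definitions.
WRITE_PERMS = frozenset({"write", "append", "create", "unlink", "link", "rename",
                         "setattr", "add_name", "remove_name", "rmdir"})
# Capabilities that let a process ignore or rewrite file ownership and mode.
RISKY_CAPS = frozenset({"dac_override", "dac_read_search", "chown", "fowner",
                        "fsetid", "setuid", "setgid", "sys_admin", "sys_ptrace",
                        "sys_module"})
# Writable access to these types means altering root's files or system config.
RISKY_WRITE_TARGETS = frozenset({"admin_home_t", "etc_t", "shadow_t", "bin_t",
                                 "sbin_t", "lib_t", "usr_t"})
# Interfaces from the thread whose effect is equivalent to such a write.
RISKY_INTERFACES = frozenset({"files_rw_etc_files", "rpm_delete_db"})


def triage(rules):
    """Return one finding per rule a reviewer should not accept blindly."""
    findings = []
    for r in rules:
        if isinstance(r, InterfaceCall):
            if r.name in RISKY_INTERFACES:
                findings.append(f"{r.domain}: interface {r.name} grants system-level write")
            continue
        if r.tclass == "capability":
            bad = sorted(r.perms & RISKY_CAPS)
            if bad:
                findings.append(f"{r.source}: capability {' '.join(bad)} is root-equivalent")
        elif r.target in RISKY_WRITE_TARGETS and r.perms & WRITE_PERMS:
            findings.append(f"{r.source}: writes {r.tclass} of type {r.target}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_rules(SAMPLE_RULES)):
        print("REVIEW:", finding)
```

Run against the sample, the script leaves the read-only rules (xauth_exec_t execution, rpm_read_db, font access) alone and reports five rules that would let a staff_t helper rewrite root's home, /etc and the RPM database or bypass DAC entirely; those are the rules that show why granting "whatever audit2allow printed" turns a confined administrator into an unconfined one.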