It would appear that this is a new macro in Fedora 13, but I don't believe it is complete.
Whenever you run consolehelper from an RBAC account (in my case staff_t) it does not work. When I ran audit2allow it was apparent that a whole bunch of different access vectors are needed to properly run graphical utilities that might take advantage of consolehelper.
Running as sysadm_t was unaffected (I assume there's no transition in this type to a consolehelper domain). I was running the command "system-config-users" at the time.
Here is the audit2allow output. I've not sanitized this at all to find out what is really relevant and what isn't.
require {
	type staff_t;
	type sysadm_t;
	type staff_consolehelper_t;
	type admin_home_t;
	type xdm_var_run_t;
	type xauth_exec_t;
	type xauth_home_t;
	class process { setsched transition };
	class capability { sys_nice chown dac_override };
	class dir { write search remove_name add_name };
	class shm { unix_read write unix_write read destroy create };
	class file { execute setattr read create execute_no_trans write getattr link unlink open };
	role sysadm_r;
}

#============= staff_consolehelper_t ==============
#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t
allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };

#!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
# pcscd_var_run_t, krb5_host_rcache_t
allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };

#!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
# pcscd_var_run_t, krb5_host_rcache_t
allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };

#!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
# pcscd_var_run_t
allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
auth_read_pam_pid(staff_consolehelper_t)
corecmd_shell_entry_type(staff_consolehelper_t)
files_list_tmp(staff_consolehelper_t)
files_read_usr_files(staff_consolehelper_t)
files_read_usr_symlinks(staff_consolehelper_t)
files_rw_etc_files(staff_consolehelper_t)
files_search_home(staff_consolehelper_t)
fs_getattr_xattr_fs(staff_consolehelper_t)
fs_rw_tmpfs_files(staff_consolehelper_t)
gnome_read_gconf_home_files(staff_consolehelper_t)
kernel_read_system_state(staff_consolehelper_t)
miscfiles_read_fonts(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
rpm_read_db(staff_consolehelper_t)
userdom_list_user_home_dirs(staff_consolehelper_t)
userdom_read_user_home_content_files(staff_consolehelper_t)
On 05/25/2010 08:29 PM, Matthew Ife wrote:
> It would appear that this is a new macro in Fedora 13, but I don't believe it is complete.
> Whenever you run consolehelper from an RBAC account (in my case staff_t) it does not work. When I ran audit2allow it was apparent that a whole bunch of different access vectors are needed to properly run graphical utilities that might take advantage of consolehelper.
> Running as sysadm_t was unaffected (I assume there's no transition in this type to a consolehelper domain). I was running the command "system-config-users" at the time.
> Here is the audit2allow output. I've not sanitized this at all to find out what is really relevant and what isn't.
>
> require {
> 	type staff_t;
> 	type sysadm_t;
> 	type staff_consolehelper_t;
> 	type admin_home_t;
> 	type xdm_var_run_t;
> 	type xauth_exec_t;
> 	type xauth_home_t;
> 	class process { setsched transition };
> 	class capability { sys_nice chown dac_override };
> 	class dir { write search remove_name add_name };
> 	class shm { unix_read write unix_write read destroy create };
> 	class file { execute setattr read create execute_no_trans write getattr link unlink open };
> 	role sysadm_r;
> }
>
> #============= staff_consolehelper_t ==============
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
> # pcscd_var_run_t
> allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
>
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
> allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
> allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
> allow staff_consolehelper_t self:process setsched;
> allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
> allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
>
> #!!!! The source type 'staff_consolehelper_t' can write to a 'file' of the following types:
> # pcscd_var_run_t, krb5_host_rcache_t
> allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };
>
> #!!!! The source type 'staff_consolehelper_t' can write to a 'dir' of the following type:
> # pcscd_var_run_t
> allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
> allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
> auth_read_pam_pid(staff_consolehelper_t)
> corecmd_shell_entry_type(staff_consolehelper_t)
> files_list_tmp(staff_consolehelper_t)
> files_read_usr_files(staff_consolehelper_t)
> files_read_usr_symlinks(staff_consolehelper_t)
> files_rw_etc_files(staff_consolehelper_t)
> files_search_home(staff_consolehelper_t)
> fs_getattr_xattr_fs(staff_consolehelper_t)
> fs_rw_tmpfs_files(staff_consolehelper_t)
> gnome_read_gconf_home_files(staff_consolehelper_t)
> kernel_read_system_state(staff_consolehelper_t)
> miscfiles_read_fonts(staff_consolehelper_t)
> rpm_delete_db(staff_consolehelper_t)
> rpm_read_db(staff_consolehelper_t)
> userdom_list_user_home_dirs(staff_consolehelper_t)
> userdom_read_user_home_content_files(staff_consolehelper_t)
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Currently I do not have plans to support most consolehelper commands from a confined user. In a few cases (shutdown), I have fixed the code. The problem with most of the consolehelper apps is that they give too many privs. I believe staff_t should be the role of a confined administrator. If staff_t can run all of the system-config-* tools, it is unconfined. Fedora is moving away from consolehelper apps towards dbus activation. We actually have a system-config-selinux package that is being dbusified.
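The reply's objection is that loading the audit2allow output as-is would hand staff_consolehelper_t far more than a confined administrator should have. The following Python script is an added example, not code from either poster or from the SELinux project: it parses the allow rules and interface calls from the output posted above (copied from the thread and reflowed, one rule per line) and flags the ones a reviewer would refuse to load blindly. The watch lists (which capabilities, target types and interface-name markers count as dangerous) are the example's own assumptions, not policy from the thread; audit2allow itself prints only the "#!!!!" hints.

```python
import re

# Sample input: the allow rules and interfaces from the audit2allow output in the thread,
# reflowed one per line. Constructed for this example from the text of the post.
AUDIT2ALLOW_OUTPUT = """
allow staff_consolehelper_t admin_home_t:dir { write remove_name search add_name };
allow staff_consolehelper_t admin_home_t:file { write getattr link read create unlink open };
allow staff_consolehelper_t self:capability { sys_nice chown dac_override };
allow staff_consolehelper_t self:process setsched;
allow staff_consolehelper_t self:shm { unix_read write unix_write read destroy create };
allow staff_consolehelper_t xauth_exec_t:file { read execute open execute_no_trans };
allow staff_consolehelper_t xauth_home_t:file { write getattr setattr read create unlink open };
allow staff_consolehelper_t xdm_var_run_t:dir { write remove_name add_name };
allow staff_consolehelper_t xdm_var_run_t:file { write create unlink link };
auth_read_pam_pid(staff_consolehelper_t)
corecmd_shell_entry_type(staff_consolehelper_t)
files_list_tmp(staff_consolehelper_t)
files_read_usr_files(staff_consolehelper_t)
files_read_usr_symlinks(staff_consolehelper_t)
files_rw_etc_files(staff_consolehelper_t)
files_search_home(staff_consolehelper_t)
fs_getattr_xattr_fs(staff_consolehelper_t)
fs_rw_tmpfs_files(staff_consolehelper_t)
gnome_read_gconf_home_files(staff_consolehelper_t)
kernel_read_system_state(staff_consolehelper_t)
miscfiles_read_fonts(staff_consolehelper_t)
rpm_delete_db(staff_consolehelper_t)
rpm_read_db(staff_consolehelper_t)
userdom_list_user_home_dirs(staff_consolehelper_t)
userdom_read_user_home_content_files(staff_consolehelper_t)
"""

# "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS perm;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\w+))\s*;$"
)
# "interface_name(arg1, arg2)"
IFACE_RE = re.compile(r"^(?P<name>\w+)\((?P<args>[^)]*)\)$")

# Watch lists: assumptions of this example, chosen for a confined-administrator domain.
WRITE_PERMS = {"write", "append", "create", "unlink", "link", "rename",
               "setattr", "remove_name", "add_name"}
DANGEROUS_CAPS = {"dac_override", "dac_read_search", "sys_admin", "setuid",
                  "setgid", "chown", "fowner", "sys_module", "sys_ptrace"}
SENSITIVE_TARGETS = {"admin_home_t", "etc_t", "shadow_t", "rpm_var_lib_t"}
WRITE_IFACE_MARKERS = ("_rw_", "_manage_", "_delete_", "_write_", "_create_")


def parse_rules(text):
    """Return a list of dicts, one per allow rule or interface call; skips comments/blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
            rules.append({"kind": "allow", "src": m.group("src"), "tgt": m.group("tgt"),
                          "cls": m.group("cls"), "perms": set(perms)})
            continue
        m = IFACE_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",") if a.strip()]
            rules.append({"kind": "iface", "name": m.group("name"), "args": args})
    return rules


def review(rules):
    """Return (rule_text, reason) pairs for rules that widen the domain beyond the watch lists."""
    findings = []
    for r in rules:
        if r["kind"] == "allow":
            text = f"allow {r['src']} {r['tgt']}:{r['cls']} {{ {' '.join(sorted(r['perms']))} }};"
            if r["cls"] == "capability":
                bad = r["perms"] & DANGEROUS_CAPS
                if bad:
                    findings.append((text, "grants capability " + ", ".join(sorted(bad))))
            elif r["tgt"] in SENSITIVE_TARGETS:
                writes = r["perms"] & WRITE_PERMS
                if writes:
                    findings.append((text, f"write access ({', '.join(sorted(writes))}) to {r['tgt']}"))
        else:
            text = f"{r['name']}({', '.join(r['args'])})"
            if any(marker in r["name"] for marker in WRITE_IFACE_MARKERS):
                findings.append((text, "interface grants write/delete access by name"))
    return findings


if __name__ == "__main__":
    for rule_text, reason in review(parse_rules(AUDIT2ALLOW_OUTPUT)):
        print(f"REVIEW: {rule_text}\n        {reason}")
```

Run it before `semodule -i` on anything audit2allow produced: the output points at exactly the rules (dac_override and chown, read/write of admin_home_t, files_rw_etc_files, rpm_delete_db) that make the reply's point that a staff_t able to drive system-config-* through consolehelper is effectively unconfined. Anything flagged should be resolved by fixing the application or narrowing the rule, not by loading the module.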