I just started playing around with confining users in rawhide using selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.
When running screen with selinux enforcing I get the following error with no AVC.
[b1gb0y@imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y@imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists
When I run screen with selinux in permissive mode it works as expected and generates AVCs. I have tried to run audit2allow against the following AVCs but the module is not able to load.
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
ausearch --start today -m avc | audit2allow -M screen
[root@imarks-ws ~]# cat screen.te
module screen 1.0;

require {
	type screen_var_run_t;
	type user_t;
	class dir { write remove_name create add_name setattr };
	class fifo_file { read write create unlink open };
}

#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };
semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
I know user_u should only be able to write to /tmp and /~, so this may be a bad idea altogether. Any suggestions on getting this to work would be much appreciated.
Thanks, Ian
On Sun, Oct 11, 2009 at 01:22:14PM -0400, Ian Lists wrote:
You should call the screen_role to make user_t transition to the screen domain:
echo "policy_module(myuser, 0.0.1)" > myuser.te;
echo "require { type user_t; }" >> myuser.te;
echo "screen_role_template(user, user_r, user_t)" >> myuser.te;
make -f /usr/share/selinux/devel/Makefile myuser.pp
sudo semodule -i myuser.pp
The problem is that you may have overwritten the shipped screen module with your custom policy module. If that is true then this won't install. If that is the case, make sure you reinstall Fedora's screen module.
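As an added example (not part of the thread), the script below reduces the AVC records from the original post into allow rules the way audit2allow does, and then reports which source domain the denials came from: every one of them is user_t, which is the reply's point that screen never transitioned out of the login domain, so the role template rather than allow rules on user_t is the fix. The input rows are copied from the post (two repeated rows dropped); the user_screen_t domain name mentioned in a comment follows refpolicy naming and is an assumption.

```python
import re

# Constructed input: ten of the AVC records quoted in the post, in the column
# layout shown there (record no., date, time, comm, scontext, a numeric field,
# class, permission, tcontext, result, event id); two repeated rows are omitted.
AVCS = """\
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
"""

AVC_RE = re.compile(r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<scon>\S+)\s+\d+\s+"
                    r"(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<tcon>\S+)\s+denied\s+\d+$")

def type_of(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]

def parse(text):
    """Yield (source type, target type, class, permission) per denial line."""
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if m:
            yield type_of(m["scon"]), type_of(m["tcon"]), m["tclass"], m["perm"]

def reduce_denials(denials):
    """Merge denials into {(source, target, class): [perms]}, first-seen order."""
    rules = {}
    for s, t, c, p in denials:
        perms = rules.setdefault((s, t, c), [])
        if p not in perms:
            perms.append(p)
    return rules

def allow_rules(rules):
    """The allow lines audit2allow emits; its require block names the same types."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(rules.items())]

def source_domains(rules, target="screen_var_run_t"):
    """Domains the denied accesses came from. A transitioned screen would show a
    per-role screen domain (user_screen_t in refpolicy naming; an assumption);
    seeing only user_t means no transition happened, so a role template is the fix."""
    return {s for (s, t, _) in rules if t == target}
```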
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list