I just started playing around with confining users in rawhide using selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.  <br>When running screen with selinux enforcing I get the following error with no AVC.<br>
<br>[b1gb0y@imarks-ws ~]$ id -Z<br>user_u:user_r:user_t:s0<br>[b1gb0y@imarks-ws ~]$ screen <br>Cannot make directory &#39;/var/run/screen&#39;: File exists<br><br>When I run screen with selinux in permissive mode it works as expected and generates AVCs.  I have tried to run audit2allow against the follow AVCs but the module is not able to load.<br>
<br>234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464<br>235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464<br>
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464<br>237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465<br>
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467<br>239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467<br>
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467<br>241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468<br>
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468<br>243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471<br>
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478<br>245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478<br>
<br> ausearch --start today -m avc | audit2allow -M screen<br><br>[root@imarks-ws ~]# cat screen.te <br><br>module screen 1.0;<br><br>require {<br>        type screen_var_run_t;<br>        type user_t;<br>        class dir { write remove_name create add_name setattr };<br>
        class fifo_file { read write create unlink open };<br>}<br><br>#============= user_t ==============<br>allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };<br>allow user_t screen_var_run_t:fifo_file { read write create unlink open };<br>
<br>semodule -i screen.pp<br>libsepol.print_missing_requirements: screen&#39;s global requirements were not met: type/attribute screen_var_run_t (No such file or directory).<br>libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).<br>
semodule:  Failed!<br><br><br>I know user_u should only be able to write to /tmp and /~ so this may be a bad idea all together..  <br>Any suggests on getting this work would be much appreciated.<br><br>Thanks,<br>Ian <br>
<br>