On Sun, 2013-04-14 at 00:27 +0530, Lakshmipathi.G wrote:
Hi -
I'm trying to allow the guest_u user to execute the 'screen' command. When
guest_u executes screen, access gets denied,
but I can't find any logs under /var/log/audit/audit.log. If SELinux is
disabled, guest_u can properly execute the screen command.
# grep screen /var/log/audit/audit.log | audit2allow -M screen
Nothing to do
How do I provide screen command access to guest_u in a safe manner?
Would such a policy open up any other security issues?
Thanks for any pointers/help.
guest_t is supposed to be a minimal ssh login user and so by default the
use of screen is not supported.
To allow should be easy:
mkdir myguest; cd myguest
cat > myguest.te << EOF
policy_module(myguest, 1.0.0)
optional_policy(`
gen_require(` type guest_t; role guest_r; ')
screen_role_template(guest, guest_r, guest_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile myguest.pp
sudo semodule -i myguest.pp
This will allow guest_t to run screen in the guest_screen_t domain.
You will probably want to relogin and run restorecon -R -v -F ~/.screenrc
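The recipe above wrapped into a reusable script (an added example, not from the original reply): emit_screen_te generates the same .te source for any confined user prefix/role/type, and install_and_verify builds it, loads it and uses sesearch to confirm that the user type now transitions to its screen domain. Running install_and_verify needs an SELinux host with selinux-policy-devel and setools installed; emit_screen_te works anywhere.

```shell
#!/bin/bash
# Added example: generate, install and verify a screen_role_template policy
# module for a confined SELinux user (e.g. guest_u -> guest_t / guest_r).
set -eu

# Print the .te source for the given module name, role prefix, role and type.
# Backticks are escaped so the M4 quoting `...' reaches the file literally.
emit_screen_te() {
  local mod="$1" prefix="$2" role="$3" type="$4"
  cat <<EOF
policy_module(${mod}, 1.0.0)
optional_policy(\`
    gen_require(\`
        type ${type};
        role ${role};
    ')
    screen_role_template(${prefix}, ${role}, ${type})
')
EOF
}

# Build the module with the devel Makefile, load it, then check that a domain
# transition from the user type to <prefix>_screen_t exists for screen_exec_t.
# Returns non-zero if the module did not produce the expected transition.
install_and_verify() {
  local mod="$1" prefix="$2" role="$3" type="$4"
  local work
  work=$(mktemp -d)
  emit_screen_te "$mod" "$prefix" "$role" "$type" > "$work/$mod.te"
  ( cd "$work" && make -f /usr/share/selinux/devel/Makefile "$mod.pp" )
  sudo semodule -i "$work/$mod.pp"
  # sesearch -T lists type_transition rules; the target domain name is
  # derived from the prefix by the template (guest -> guest_screen_t).
  sesearch -T -s "$type" -t screen_exec_t -c process \
    | grep -q "${prefix}_screen_t"
}

# Usage for the case in the thread (only when run directly on an SELinux host):
# install_and_verify myguest guest guest_r guest_t
```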