On Sun, Oct 11, 2009 at 01:22:14PM -0400, Ian Lists wrote:
I just started playing around with confining users in rawhide using
selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.
When running screen with selinux enforcing I get the following error with no
AVC.
[b1gb0y@imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y@imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists
When I run screen with selinux in permissive mode it works as expected and
generates AVCs. I have tried to run audit2allow against the following AVCs, but
the module is not able to load.
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
ausearch --start today -m avc | audit2allow -M screen
[root@imarks-ws ~]# cat screen.te
module screen 1.0;
require {
type screen_var_run_t;
type user_t;
class dir { write remove_name create add_name setattr };
class fifo_file { read write create unlink open };
}
#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };
semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not
met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
I know user_u should only be able to write to /tmp and /~, so this may be a
bad idea altogether.
Any suggestions on getting this to work would be much appreciated.
Thanks,
Ian
You should call screen_role to make user_t transition to the screen domain:
echo "policy_module(myuser, 0.0.1)" > myuser.te
echo "require { type user_t; role user_r; }" >> myuser.te   # user_r must be in scope for the role rule the template emits
echo "screen_role_template(user, user_r, user_t)" >> myuser.te
make -f /usr/share/selinux/devel/Makefile myuser.pp
sudo semodule -i myuser.pp
The problem is that you may have overwritten the shipped screen module with your custom
policy module. If that is true then this won't install. If that is the case, make sure you
reinstall Fedora's screen module.
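As an added illustration (not code from either message in this thread), here is a small Python model of what audit2allow did with the denials quoted above: it parses records in the seaudit-style layout shown, groups denied permissions by source type, target type and object class, renders the same allow rules that ended up in screen.te, and flags rules that would hand user_t direct access to a type owned by another policy module, which is exactly the case where the module's role template is the right tool instead. The OWNING_MODULE map and the three sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: three of the thread's denials in the seaudit-style layout
# (no., date, time, comm, scontext, pid, class, perm, tcontext, result, event id).
SAMPLE_AVCS = """\
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
"""

AVC_RE = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<scon>\S+)\s+\d+\s+"
    r"(?P<cls>\S+)\s+(?P<perm>\S+)\s+(?P<tcon>\S+)\s+(?P<result>\S+)\s+\d+$"
)

# Assumed (constructed) map: private type -> owning module and its role interface.
OWNING_MODULE = {"screen_var_run_t": ("screen", "screen_role_template")}

def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if m and m.group("result") == "denied":
            key = (type_of(m.group("scon")), type_of(m.group("tcon")), m.group("cls"))
            rules[key].add(m.group("perm"))
    return dict(rules)

def to_allow_rules(rules):
    """Render one allow rule per (src, tgt, class), the way audit2allow does."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

def direct_access_warnings(rules):
    """Flag rules that hand a domain direct access to another module's private type."""
    seen = set()
    for src, tgt, _cls in rules:
        if tgt in OWNING_MODULE:
            mod, iface = OWNING_MODULE[tgt]
            seen.add(f"{src} -> {tgt} is owned by module '{mod}'; use {iface} instead")
    return sorted(seen)

if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    print("\n".join(to_allow_rules(found) + direct_access_warnings(found)))
```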
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list