Confined User using screen

Dominick Grift domg472 at gmail.com
Sun Oct 11 19:20:39 UTC 2009


On Sun, Oct 11, 2009 at 01:22:14PM -0400, Ian Lists wrote:
> I just started playing around with confining users in rawhide using
> selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.
> 
> When running screen with selinux enforcing I get the following error with no
> AVC.
> 
> [b1gb0y at imarks-ws ~]$ id -Z
> user_u:user_r:user_t:s0
> [b1gb0y at imarks-ws ~]$ screen
> Cannot make directory '/var/run/screen': File exists
> 
> When I run screen with selinux in permissive mode it works as expected and
> generates AVCs.  I have tried to run audit2allow against the following AVCs but
> the module is not able to load.
> 
> 234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
> 235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
> 236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
> 237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
> 238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
> 239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
> 240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
> 241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
> 242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
> 243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
> 244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
> 245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
> 
>  ausearch --start today -m avc | audit2allow -M screen
> 
> [root at imarks-ws ~]# cat screen.te
> 
> module screen 1.0;
> 
> require {
>         type screen_var_run_t;
>         type user_t;
>         class dir { write remove_name create add_name setattr };
>         class fifo_file { read write create unlink open };
> }
> 
> #============= user_t ==============
> allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
> allow user_t screen_var_run_t:fifo_file { read write create unlink open };
> 
> semodule -i screen.pp
> libsepol.print_missing_requirements: screen's global requirements were not met: type/attribute screen_var_run_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule:  Failed!
> 
> 
> I know user_u should only be able to write to /tmp and ~/ so this may be a
> bad idea altogether.
> Any suggestions on getting this to work would be much appreciated.
> 
> Thanks,
> Ian

You should call the screen_role to make user_t transition to the screen domain:

echo "policy_module(myuser, 0.0.1)" > myuser.te;
echo "require { type user_t; }" >> myuser.te;
echo "screen_role_template(user, user_r, user_t)" >> myuser.te;
make -f /usr/share/selinux/devel/Makefile myuser.pp
sudo semodule -i myuser.pp

The problem is that you may have overwritten the shipped screen module with your custom policy module. If that is true then this won't install. If that is the case, make sure you reinstall Fedora's screen module.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
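As an added illustration (not part of the mail thread), the script below does by hand what audit2allow did for Ian: it parses ausearch-style AVC records into (source type, target type, class, permission) tuples, collapses them into allow rules, renders the raw .te module, and then checks the types in the generated require block against the set of types the loaded policy knows. That last step reproduces, offline, the condition behind the "global requirements were not met: type/attribute screen_var_run_t" failure: when the shipped screen module is gone, nothing defines screen_var_run_t, so the custom module cannot link. The sample records are constructed (they mirror the ones quoted above, one record per line); the `loaded_types` set is also constructed, where on a real host you would take it from `seinfo -t`. The function names are my own, not audit2allow's API.

```python
"""Collapse ausearch-style AVC denials into allow rules and check whether
the types they require exist in the loaded policy (added example)."""
import re
from collections import defaultdict

# Constructed sample records, same layout as the lines quoted in the mail:
#   seq. date time comm scontext pid tclass perm tcontext result serial
SAMPLE_AVCS = """\
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
"""

AVC_RE = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<scon>\S+)\s+\d+\s+"
    r"(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<tcon>\S+)\s+(?P<result>\S+)\s+\d+\s*$"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Parse denied AVC records into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group("result") != "denied":
            continue
        records.append({
            "comm": m.group("comm"),
            "stype": context_type(m.group("scon")),
            "ttype": context_type(m.group("tcon")),
            "tclass": m.group("tclass"),
            "perm": m.group("perm"),
        })
    return records


def collapse_rules(records):
    """Merge denials into (source, target, class) -> {perms}, the way
    audit2allow folds repeated AVCs into a single allow rule."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])].add(r["perm"])
    return dict(rules)


def required_types(rules):
    """All types the generated module would have to name in its require block."""
    return sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})


def missing_types(rules, loaded_types):
    """Required types absent from the loaded policy. On a real host the
    loaded set comes from `seinfo -t` (setools); here it is constructed.
    A non-empty result is the case in which semodule fails to link with
    'global requirements were not met'."""
    return [t for t in required_types(rules) if t not in loaded_types]


def render_module(name, rules, version="1.0"):
    """Render a raw .te file in the shape that audit2allow -M produces."""
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in required_types(rules)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = collapse_rules(parse_avcs(SAMPLE_AVCS))
    print(render_module("screen", rules))
    # Simulate a host whose shipped screen module has been replaced: the
    # target type is unknown, so the generated module cannot be linked.
    print("missing types:", missing_types(rules, loaded_types={"user_t"}))
```

The rendered module also makes the policy point visible: every rule it emits grants user_t direct write access to screen_var_run_t, which is what calling screen_role_template avoids, since the template moves the user into screen's own domain instead of widening user_t.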
