Bug 1254674

Summary: SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework.
Product: [Fedora] Fedora Reporter: Petr Lautrbach <plautrba>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 23CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:b71eb65d9c8707ff47e08720b4a72111af5511cf6636c57a65d7bd67bb8eabba
Fixed In Version: selinux-policy-3.13.1-147.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1257682 (view as bug list) Environment:
Last Closed: 2015-09-25 07:58:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1257682    

Description Petr Lautrbach 2015-08-18 15:50:13 UTC 
Description of problem:
I've logged in as staff_u and run tmux in my terminal. I usually use tmux in the split screen mode which runs another shell.
SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework.

*****  Plugin restorecon_source (99.5 confidence) suggests   *****************

If you want to fix the label. 
/usr/bin/tmux default label should be screen_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/bin/tmux

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that tmux should be allowed read access on the framework directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmux /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_screen_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/plautrba/devel/github/fedora-
                              selinux/setroubleshoot.git/framework [ dir ]
Source                        tmux
Source Path                   /usr/bin/tmux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmux-2.0-2.fc23.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-141.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-0.rc6.git0.2.fc23.x86_64 #1
                              SMP Wed Aug 12 21:39:36 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-18 17:44:02 CEST
Last Seen                     2015-08-18 17:44:02 CEST
Local ID                      ccd6488e-4cbc-4739-81bb-298ba0bdb541

Raw Audit Messages
type=AVC msg=audit(1439912642.550:1348): avc:  denied  { read } for  pid=11718 comm="tmux" name="framework" dev="dm-3" ino=1319655 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1439912642.550:1348): arch=x86_64 syscall=open success=yes exit=EINVAL a0=1616320 a1=10000 a2=1616320 a3=1 items=1 ppid=1 pid=11718 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=tmux exe=/usr/bin/tmux subj=staff_u:staff_r:staff_screen_t:s0 key=(null)

type=CWD msg=audit(1439912642.550:1348): cwd=/home/plautrba

type=PATH msg=audit(1439912642.550:1348): item=0 name=/home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework inode=1319655 dev=fd:03 mode=040775 ouid=13558 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL

Hash: tmux,staff_screen_t,user_home_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-141.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-0.rc6.git0.2.fc23.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2015-08-27 16:33:27 UTC 
It looks we should have a boolean for this.
Comment 2 Petr Lautrbach 2015-09-02 14:55:05 UTC 
I think that staff_screen_t should be allowed to do same things on user_home_t as it's allowed to do on user_home_dir_t given that I can split a screen in $HOME directory and then just change it.
Comment 3 Miroslav Grepl 2015-09-11 10:14:47 UTC 
That makes sense.

https://github.com/fedora-selinux/selinux-policy/commit/85c52ce41c8314635df82e1ddd58fd31e8f11031
Comment 4 Fedora Update System 2015-09-14 10:37:58 UTC 
selinux-policy-3.13.1-147.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804
Comment 5 Petr Lautrbach 2015-09-14 13:40:11 UTC 
There's another issue:

----
time->Mon Sep 14 15:37:50 2015
type=PROCTITLE msg=audit(1442237870.069:1144): proctitle=7368002D6300746D757820646973706C61792D6D657373616765202D7020227A736822207C20677265702076696D
type=SYSCALL msg=audit(1442237870.069:1144): arch=c000003e syscall=16 success=no exit=-25 a0=0 a1=5401 a2=7ffd546de8b0 a3=45 items=0 ppid=5708 pid=6334 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sh" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1442237870.069:1144): avc:  denied  { ioctl } for  pid=6334 comm="sh" path="socket:[69334]" dev="sockfs" ino=69334 ioctlcmd=5401 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Mon Sep 14 15:37:49 2015
type=PROCTITLE msg=audit(1442237869.234:1143): proctitle="tmux"
type=PATH msg=audit(1442237869.234:1143): item=0 name="/home/plautrba/devel/github/fedora-selinux/selinux.git" inode=6301128 dev=fd:03 mode=040775 ouid=13558 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL
type=CWD msg=audit(1442237869.234:1143):  cwd="/home/plautrba"
type=SYSCALL msg=audit(1442237869.234:1143): arch=c000003e syscall=2 success=yes exit=12 a0=1f906e0 a1=10000 a2=1f906e0 a3=1 items=1 ppid=1 pid=5708 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="tmux" exe="/usr/bin/tmux" subj=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1442237869.234:1143): avc:  denied  { read } for  pid=5708 comm="tmux" name="selinux.git" dev="dm-3" ino=6301128 scontext=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1



$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-147.fc24.noarch
Comment 6 Fedora Update System 2015-09-14 17:50:34 UTC 
selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804
Comment 7 Fedora Update System 2015-09-25 07:57:53 UTC 
selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.