Bug 1384769

Summary: Selinux preventing /usr/bin/tmux as login shell
Product: Red Hat Enterprise Linux 7
Reporter: Han Han <hhan>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: dyuan, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, xuzhang, yafu
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-220.el7
Last Closed: 2018-10-30 09:59:46 UTC
Type: Bug

Description Han Han 2016-10-14 06:09:10 UTC
Description of problem:
As subject

Version-Release number of selected component (if applicable):
tmux-1.8-4.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install tmux
# yum install tmux -y
# chsh -l|grep tmux
chsh -l|grep tmux

2. Set tmux as default shell
# chsh -s /usr/bin/tmux 
Changing shell for root.
Shell changed.

3. Log out as root, then log in.
Login will fail with a permission denied error.

4. selinux logs
In /var/log/messages:
Oct 14 13:51:50 localhost setroubleshoot: SELinux is preventing /usr/bin/login from entrypoint access on the file /usr/bin/tmux. For complete SELinux messages. run sealert -l de73f3f8-135d-402b-86a3-35653bb8d57e
Oct 14 13:51:50 localhost python: SELinux is preventing /usr/bin/login from entrypoint access on the file /usr/bin/tmux.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that login should be allowed entrypoint access on the tmux file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'login' --raw | audit2allow -M my-login#012# semodule -i my-login.pp#012

In audit.log:
type=CRED_REFR msg=audit(1476424309.613:137): pid=10450 uid=0 auid=0 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_securetty,pam_unix acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1476424309.614:138): pid=10450 uid=0 auid=0 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=AVC msg=audit(1476424309.620:139): avc:  denied  { entrypoint } for  pid=10455 comm="login" path="/usr/bin/tmux" dev="dm-0" ino=13997476 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1476424309.620:139): arch=c000003e syscall=59 success=no exit=-13 a0=1bfe7f6 a1=7ffc0ba6c388 a2=1c08c40 a3=7ffc0ba6bec0 items=0 ppid=10450 pid=10455 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Actual results:
As in step 3

Expected results:
selinux allows tmux as login shell

Additional info:

Comment 1 Milos Malik 2016-10-14 06:32:37 UTC
Caught in enforcing mode:
----
type=PATH msg=audit(10/14/2016 08:23:31.726:610) : item=0 name=/usr/bin/tmux inode=17261415 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:screen_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/14/2016 08:23:31.726:610) :  cwd=/root 
type=SYSCALL msg=audit(10/14/2016 08:23:31.726:610) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x2076fe6 a1=0x7fffb6d52ac8 a2=0x2084170 a3=0x7fffb6d52600 items=1 ppid=603 pid=3433 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=38 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/14/2016 08:23:31.726:610) : avc:  denied  { entrypoint } for  pid=3433 comm=login path=/usr/bin/tmux dev="vda2" ino=17261415 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file 
----

Caught in permissive mode:
----
type=PATH msg=audit(10/14/2016 08:25:18.201:657) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33640401 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL 
type=PATH msg=audit(10/14/2016 08:25:18.201:657) : item=0 name=/usr/bin/tmux inode=17261415 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:screen_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/14/2016 08:25:18.201:657) :  cwd=/root 
type=EXECVE msg=audit(10/14/2016 08:25:18.201:657) : argc=1 a0=-tmux 
type=SYSCALL msg=audit(10/14/2016 08:25:18.201:657) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1ec8fe6 a1=0x7ffe84bab208 a2=0x1ed6170 a3=0x7ffe84baad40 items=2 ppid=3438 pid=3797 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=43 comm=tmux exe=/usr/bin/tmux subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/14/2016 08:25:18.201:657) : avc:  denied  { entrypoint } for  pid=3797 comm=login path=/usr/bin/tmux dev="vda2" ino=17261415 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file 
----

It doesn't matter whether the login is via ssh or text console, tmux always prints the following message:

can't create socket

Comment 2 Milos Malik 2016-10-14 06:42:13 UTC
If we decide to allow tmux as login shell for unconfined users, then we should think about the same for confined users too:
----
type=PATH msg=audit(10/14/2016 08:39:46.790:780) : item=0 name=/usr/bin/tmux inode=17261415 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:screen_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/14/2016 08:39:46.790:780) :  cwd=/home/pokusnik 
type=SYSCALL msg=audit(10/14/2016 08:39:46.790:780) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1c5c005 a1=0x7fffcf415f08 a2=0x1c69220 a3=0x7fffcf415a40 items=1 ppid=6163 pid=6239 auid=pokusnik uid=pokusnik gid=pokusnik euid=pokusnik suid=pokusnik fsuid=pokusnik egid=pokusnik sgid=pokusnik fsgid=pokusnik tty=tty1 ses=52 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/14/2016 08:39:46.790:780) : avc:  denied  { entrypoint } for  pid=6239 comm=login path=/usr/bin/tmux dev="vda2" ino=17261415 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file 
----

Comment 6 Lukas Vrabec 2018-06-26 09:24:13 UTC
It works with the latest selinux-policy rpm package: 

[root@localhost ~]# getenforce 
Enforcing
[root@localhost ~]# ssh unconfined@localhost
unconfined@localhost's password: 

-sh-4.2$ echo $TERM
screen

[root@localhost ~]# ausearch -m AVC -ts recent 
<no matches>

Comment 11 Milos Malik 2018-08-07 14:14:31 UTC
If a policy module with the following content is loaded, then manual login works as expected:

( allow staff_t screen_exec_t ( file ( entrypoint )))
( allow user_t screen_exec_t ( file ( entrypoint )))
( allow unconfined_t screen_exec_t ( file ( entrypoint )))
( allow sysadm_t screen_exec_t ( file ( entrypoint )))
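
The denials quoted in this report map directly onto CIL rules of the form shown in comment 11. The following is an added example, not part of the bug report or of selinux-policy: it correlates AVC and SYSCALL records by audit event ID and derives the corresponding `allow` rule for review. `SAMPLE`, `summarize` and `se_type` are hypothetical names, and the sample records are abridged from the audit lines above.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the audit lines quoted in this
# bug report (raw audit.log format and "ausearch -i" interpreted format).
SAMPLE = """\
type=AVC msg=audit(1476424309.620:139): avc:  denied  { entrypoint } for  pid=10455 comm="login" path="/usr/bin/tmux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1476424309.620:139): arch=c000003e syscall=59 success=no exit=-13 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(10/14/2016 08:39:46.790:780) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/14/2016 08:39:46.790:780) : avc:  denied  { entrypoint } for  pid=6239 comm=login path=/usr/bin/tmux scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file
"""

EVENT = re.compile(r"type=(\w+) msg=audit\([^)]*:(\d+)\)")
AVC = re.compile(r"denied\s+\{([^}]+)\}.*?path=\"?([^\"\s]+)\"?.*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
SUBJ = re.compile(r"\bsubj=(\S+)")

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Correlate AVC and SYSCALL records by audit event ID."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if not (head := EVENT.search(line)):
            continue
        rec_type, event_id = head.groups()
        if rec_type == "AVC" and (m := AVC.search(line)):
            perms, path, scon, tcon, tclass = m.groups()
            events[event_id].update(
                perms=perms.split(), path=path, tclass=tclass,
                domain=se_type(scon), target=se_type(tcon))
        elif rec_type == "SYSCALL" and (m := SUBJ.search(line)):
            # subj is the domain of the process that called execve()
            events[event_id]["caller"] = se_type(m.group(1))
    out = []
    for event_id in sorted(events, key=int):
        ev = events[event_id]
        if "perms" in ev:  # skip SYSCALL records with no AVC denial
            ev["event"] = int(event_id)
            ev["cil"] = "(allow {domain} {target} ({tclass} ({p})))".format(
                p=" ".join(ev["perms"]), **ev)
            out.append(ev)
    return out

if __name__ == "__main__":
    for ev in summarize(SAMPLE):
        print(ev["event"], ev.get("caller"), "->", ev["domain"], ev["cil"])
```

In both events the SYSCALL `subj` is `local_login_t` while the AVC `scontext` is the user domain being entered (`unconfined_t`, `staff_t`), which is why the rules in comment 11 name the user domains rather than the login domain.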

Comment 18 errata-xmlrpc 2018-10-30 09:59:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111