Bug 1384769
Summary: | Selinux preventing /usr/bin/tmux as login shell | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Han Han <hhan> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.3 | CC: | dyuan, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, xuzhang, yafu |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-220.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-10-30 09:59:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Han Han
2016-10-14 06:09:10 UTC
Caught in enforcing mode: ---- type=PATH msg=audit(10/14/2016 08:23:31.726:610) : item=0 name=/usr/bin/tmux inode=17261415 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:screen_exec_t:s0 objtype=NORMAL type=CWD msg=audit(10/14/2016 08:23:31.726:610) : cwd=/root type=SYSCALL msg=audit(10/14/2016 08:23:31.726:610) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x2076fe6 a1=0x7fffb6d52ac8 a2=0x2084170 a3=0x7fffb6d52600 items=1 ppid=603 pid=3433 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=38 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(10/14/2016 08:23:31.726:610) : avc: denied { entrypoint } for pid=3433 comm=login path=/usr/bin/tmux dev="vda2" ino=17261415 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file ---- Caught in permissive mode: ---- type=PATH msg=audit(10/14/2016 08:25:18.201:657) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33640401 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL type=PATH msg=audit(10/14/2016 08:25:18.201:657) : item=0 name=/usr/bin/tmux inode=17261415 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:screen_exec_t:s0 objtype=NORMAL type=CWD msg=audit(10/14/2016 08:25:18.201:657) : cwd=/root type=EXECVE msg=audit(10/14/2016 08:25:18.201:657) : argc=1 a0=-tmux type=SYSCALL msg=audit(10/14/2016 08:25:18.201:657) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1ec8fe6 a1=0x7ffe84bab208 a2=0x1ed6170 a3=0x7ffe84baad40 items=2 ppid=3438 pid=3797 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=43 comm=tmux exe=/usr/bin/tmux subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(10/14/2016 08:25:18.201:657) : avc: denied { entrypoint } for pid=3797 comm=login path=/usr/bin/tmux dev="vda2" ino=17261415 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file ---- Doesn't matter if try to log in via ssh or text console, tmux always prints following message: can't create socket If we decide to allow tmux as login shell for unconfined users, then we should think about the same for confined users too: ---- type=PATH msg=audit(10/14/2016 08:39:46.790:780) : item=0 name=/usr/bin/tmux inode=17261415 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:screen_exec_t:s0 objtype=NORMAL type=CWD msg=audit(10/14/2016 08:39:46.790:780) : cwd=/home/pokusnik type=SYSCALL msg=audit(10/14/2016 08:39:46.790:780) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1c5c005 a1=0x7fffcf415f08 a2=0x1c69220 a3=0x7fffcf415a40 items=1 ppid=6163 pid=6239 auid=pokusnik uid=pokusnik gid=pokusnik euid=pokusnik suid=pokusnik fsuid=pokusnik egid=pokusnik sgid=pokusnik fsgid=pokusnik tty=tty1 ses=52 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(10/14/2016 08:39:46.790:780) : avc: denied { entrypoint } for pid=6239 comm=login path=/usr/bin/tmux dev="vda2" ino=17261415 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file ---- It works with the latest selinux-policy rpm package: [root@localhost ~]# getenforce Enforcing [root@localhost ~]# ssh unconfined@localhost unconfined@localhost's password: -sh-4.2$ echo $TERM screen [root@localhost ~]# ausearch -m AVC -ts recent <no matches> If policy module with following content is loaded, then manual login works as expected: ( allow staff_t screen_exec_t ( file ( entrypoint ))) ( allow user_t screen_exec_t ( file ( entrypoint ))) ( allow unconfined_t screen_exec_t ( file ( entrypoint ))) ( allow sysadm_t screen_exec_t ( file ( entrypoint ))) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |