| Summary: | screen doesn't work without unconfined | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robin Powell <rlpowell> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.9.16-35.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-08-02 02:04:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Fixed in selinux-policy-3.9.16-35.fc15 selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15 Package selinux-policy-3.9.16-35.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-35.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15 then log in and leave karma (feedback). selinux-policy-3.9.16-35.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30 Neither staff_u nor user_u can run screen, nor attach to existing screen sessions. I don't know if user_u *should* be allowed, as I'm unclear on user_u's purpose, but I'm pretty sure staff_u should. The following fixes all the things I've tried to do, which are fairly basic. Note that this is a partly hand-tweaked policy, so it may not be perfectly minimal: module myscreen 1.0; require { type staff_t; type user_t; type screen_var_run_t; type user_screen_t; type staff_screen_t; type screen_home_t; class unix_stream_socket { read write connectto }; class sock_file { write getattr setattr create unlink }; } #============= staff_t ============== allow staff_t staff_screen_t:unix_stream_socket { read write }; #============= staff_screen_t ============== allow staff_screen_t screen_home_t:sock_file { create getattr write unlink setattr }; allow staff_screen_t screen_var_run_t:sock_file { create getattr write unlink setattr }; allow staff_screen_t self:unix_stream_socket connectto; #============= user_t ============== allow user_t user_screen_t:unix_stream_socket { read write }; #============= user_screen_t ============== allow user_screen_t screen_home_t:sock_file { create getattr write unlink setattr }; allow user_screen_t screen_var_run_t:sock_file { create getattr write unlink setattr }; allow user_screen_t self:unix_stream_socket connectto; Reproducible: Always Steps to Reproduce: 1. Disable unconfined 2. Try to run screen as a staff_u or user_u user Actual Results: Various permission denied errors. I marked it as "high" because screen is a pretty common utility.