Bug 740462

Summary: More tmux + unconfined issues
Product: [Fedora] Fedora Reporter: Robin Powell <rlpowell>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, mgrepl, sven
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.9.16-48.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-04 02:36:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robin Powell 2011-09-22 06:40:34 UTC 
So I've started more actively using the box that https://bugzilla.redhat.com/show_bug.cgi?id=723391 was generated on, running tmux as my confined (staff_u) user, and it's again generating AVCs about once a second.  Here's what I've had to do to fix them so far:


module mytmux3 1.0;

require {
        type staff_t;
        type staff_screen_t;
        type ssh_t;
        type staff_sudo_t;
        class dir { search };
        class file { read open getattr };
}

#============= staff_screen_t ==============
allow staff_screen_t ssh_t:dir search;
allow staff_screen_t ssh_t:file { read open getattr };                                                                                                                                                                                          allow staff_screen_t staff_t:file { read open getattr };
allow staff_screen_t staff_sudo_t:dir search;
allow staff_screen_t staff_sudo_t:file { read open getattr };         

(this is on top of selinux-policy 3.9.16-40.fc15 )

The problem here is that as far as I can tell what's happening is that it's checking /proc/[pid] for any pid I'm running, so theoretically that list could grow without bound?  Not sure.  Just wanted to warn you that this may not be complete.

As far as I know it's *only* reading the cmdline file in each case, so I guess a possible fix would be for that file to have its own type?  I'm starting to wish selinux files could have more than one type at a time...

-Robin
Comment 1 Miroslav Grepl 2011-09-22 08:42:53 UTC 
Did you need to add this policy to make this working in enforcing mode?
Comment 2 Robin Powell 2011-09-22 17:55:53 UTC 
Yes.

Now, having said that, the behaviour loss when it *isn't* working is fairly minimal: it only fails to auto-rename windows based on what commands I'm running.  But the flood of AVCs is pretty bad, and I'd certainly *prefer* that feature to work.

-Robin
Comment 3 Daniel Walsh 2011-09-22 20:11:16 UTC 
I just modified F16 policy to allow this, you can probably just backport the change to F15.   And RHEL6.
Comment 4 Miroslav Grepl 2011-09-26 10:05:53 UTC 
Fixed in selinux-policy-3.9.16-41.fc15
Comment 5 Robin Powell 2011-10-07 22:03:27 UTC 
I'm running -42, and this is not quite fixed.  Here's some AVCs:


----
type=AVC msg=audit(10/07/2011 14:57:32.391:325956) : avc:  denied  { open } for  pid=2936 comm=tmux name=cmdline dev=proc ino=1377572 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 14:57:32.391:325956) : avc:  denied  { read } for  pid=2936 comm=tmux name=cmdline dev=proc ino=1377572 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 14:57:32.391:325956) : avc:  denied  { search } for  pid=2936 comm=tmux name=12056 dev=proc ino=1377531 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 14:57:32.392:325957) : avc:  denied  { getattr } for  pid=2936 comm=tmux path=/proc/12056/cmdline dev=proc ino=1377572 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=file

That's from me running a sudo command under tmux.

Here's the AVC from me running an ssh command under tmux:

----
type=AVC msg=audit(10/07/2011 15:01:51.095:326122) : avc:  denied  { search } for  pid=2936 comm=tmux name=25194 dev=proc ino=1377286 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 15:01:59.107:326136) : avc:  denied  { open } for  pid=2936 comm=tmux name=cmdline dev=proc ino=1377528 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:01:59.107:326136) : avc:  denied  { read } for  pid=2936 comm=tmux name=cmdline dev=proc ino=1377528 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:01:59.107:326137) : avc:  denied  { getattr } for  pid=2936 comm=tmux path=/proc/25194/cmdline dev=proc ino=1377528 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=file

I assume this will continue to happen with every possible command selinux type, and when the proc check fails tmux hammers at it every second or so (which, by the way Dan, is what led to setroubleshootd taking all my CPU).

Here's what I'm currently running in my local tmux module.  The last bit is for tmux having sockets in /tmp/, which the version I'm currently running (1.5 from a src rpm) does, but the released Fedora version does not.  None the less, it's something you probably want to support.


# handle the per-window proc check stuff.
allow staff_screen_t ssh_t:dir search;
allow staff_screen_t ssh_t:file { read open getattr };
allow staff_screen_t staff_sudo_t:dir search;
allow staff_screen_t staff_sudo_t:file { read open getattr };

allow user_screen_t ssh_t:dir search;
allow user_screen_t ssh_t:file { read open getattr };

# deal with sockets in /tmp/
manage_dirs_pattern(staff_screen_t, screen_tmp_t, screen_tmp_t);
manage_files_pattern(staff_screen_t, screen_tmp_t, screen_tmp_t);
manage_dirs_pattern(user_screen_t, screen_tmp_t, screen_tmp_t);
manage_files_pattern(user_screen_t, screen_tmp_t, screen_tmp_t);
allow user_screen_t screen_tmp_t:sock_file { create getattr write unlink setattr };
allow staff_screen_t screen_tmp_t:sock_file { create getattr write unlink setattr };

-Robin
Comment 6 Robin Powell 2011-10-08 00:30:10 UTC 
Here's another example, while I was entering data into "mailx".  Note the timestamps.


----
type=AVC msg=audit(10/07/2011 17:28:46.944:342616) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:47.444:342617) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:47.945:342618) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir

----
type=AVC msg=audit(10/07/2011 17:28:48.446:342619) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:48.947:342620) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir


----
type=AVC msg=audit(10/07/2011 17:28:49.947:342622) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:49.448:342621) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:50.449:342623) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:50.949:342624) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:51.449:342625) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:51.950:342626) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:52.952:342628) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:52.452:342627) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:53.955:342630) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:53.453:342629) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:54.455:342631) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:54.956:342634) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:55.959:342636) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:55.457:342635) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:56.961:342638) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:56.460:342637) : avc:  denied  { search } for  pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:st
aff_r:user_mail_t:s0 tclass=dir
Comment 7 Miroslav Grepl 2011-10-10 11:17:27 UTC 
I am fixing issues which relate with reading of domain state.

Fixed in selinux-policy-3.9.16-43.fc15


But the sock file should be located in /var/run/tmux which I believe is in Fedora release.
Comment 8 Robin Powell 2011-10-14 17:50:53 UTC 
I don't know if your solution is fully general; just in case it isn't, here's another one:

type=PATH msg=audit(10/13/2011 16:23:31.430:532091) : item=0 name=/proc/1157/cmdline
type=CWD msg=audit(10/13/2011 16:23:31.430:532091) :  cwd=/home/rlpowell
type=SYSCALL msg=audit(10/13/2011 16:23:31.430:532091) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=179cc40 a1=0 a2=1b6 a3=9 items=1 ppid=1 pid=2936 auid=rlpowell uid=rlpowell gid=rlpowell euid=rlpowell suid=rlpowell fsuid=rlpowell egid=rlpowell sgid=rlpowell fsgid=rlpowell tty=(none) ses=7 comm=tmux exe=/usr/bin/tmux subj=staff_u:staff_r:staff_screen_t:s0 key=(null)
type=AVC msg=audit(10/13/2011 16:23:31.430:532091) : avc:  denied  { search } for  pid=2936 comm=tmux name=1157 dev=proc ino=5006644 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:traceroute_t:s0 tclass=dir

And yeah, the sock file thing is less interesting/important.

-Robin
Comment 9 Daniel Walsh 2011-10-18 14:30:51 UTC 
Miroslav lets add

domain_dontaudit_read_all_domains_state(screen_domain)
Comment 10 Fedora Update System 2011-11-16 16:17:51 UTC 
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Comment 11 Fedora Update System 2011-11-17 23:36:11 UTC 
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2011-12-04 02:36:06 UTC 
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Robin Powell 2012-02-29 08:28:16 UTC 
(In reply to comment #7)
> I am fixing issues which relate with reading of domain state.
> 
> Fixed in selinux-policy-3.9.16-43.fc15
> 
> 
> But the sock file should be located in /var/run/tmux which I believe is in
> Fedora release.

Well, here's the *fun* part: it changed.

Latest tmux, in Fedora 16:

tmux-1.6-1.fc16.x86_64

type=SOCKADDR msg=audit(02/29/2012 00:27:03.214:119263) : saddr=local /tmp//tmux-1000/default
type=AVC msg=audit(02/29/2012 00:27:03.214:119263) : avc:  denied  { create } for  pid=25142 comm=tmux name=default scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=sock_file

But if I downgrade to tmux-1.4-4.fc16.x86_64 , it works fine.

I've checked with strace, and the old version is using /var/run/tmux, and the new is using /tmp/

I can make this a bug against them if you like.

-Robin
Comment 14 Miroslav Grepl 2012-02-29 08:51:48 UTC 
Ok, could you open a new bug for tmux. Why did they change it to use /tmp.
Comment 15 Robin Powell 2012-02-29 08:57:47 UTC 
Will do.  No idea.

-Robin
Comment 16 Robin Powell 2012-02-29 09:01:11 UTC 
The tmux bug is https://bugzilla.redhat.com/show_bug.cgi?id=798554 in case you want to follow it.

-Robin
Comment 17 Sven Lankes 2012-04-16 11:55:50 UTC 
The scoket location has been changed "back" to /tmp/ in order to comply with upstreams location.

The patch to change to save to /var/run/tmux was a custom modification which I took from the debian package. Debian has since then reverted back to the upstream default too.