policy-1.11.3-3, permissive mode

Running screen as user causes the following denies:

May 11 10:34:08 a3aan kernel: audit(1084264448.257:0): avc: denied { execute } for pid=2683 exe=/usr/bin/screen name=utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.258:0): avc: denied { execute_no_trans } for pid=2683 exe=/usr/bin/screen path=/usr/sbin/utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.258:0): avc: denied { read } for pid=2683 exe=/usr/bin/screen path=/usr/sbin/utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.298:0): avc: denied { search } for pid=2683 exe=/usr/sbin/utempter name=log dev=hda2 ino=388629 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:var_log_t tclass=dir
May 11 10:34:08 a3aan kernel: audit(1084264448.300:0): avc: denied { write } for pid=2683 exe=/usr/sbin/utempter name=wtmp dev=hda2 ino=390201 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:wtmp_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.301:0): avc: denied { lock } for pid=2683 exe=/usr/sbin/utempter path=/var/log/wtmp dev=hda2 ino=390201 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:wtmp_t tclass=file
Created attachment 100181
policy-screen.patch

Even if screen is allowed to execute utempter, utempter fails because it can't read/write ptmx devices. So I think this should be a dontaudit.
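An added example, not part of the bug report or of the attached patch (whose contents are not shown on this page): a small Python parser that groups the AVC denials quoted in the report by source type, target type and class, and renders them as candidate dontaudit rules of the kind the comment above proposes. The function names are hypothetical, and the output is a starting point for policy review, not the rules that were shipped.

```python
import re
from collections import defaultdict

# Sample input: the six denials from the report above, copied verbatim.
SAMPLE = """\
May 11 10:34:08 a3aan kernel: audit(1084264448.257:0): avc: denied { execute } for pid=2683 exe=/usr/bin/screen name=utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.258:0): avc: denied { execute_no_trans } for pid=2683 exe=/usr/bin/screen path=/usr/sbin/utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.258:0): avc: denied { read } for pid=2683 exe=/usr/bin/screen path=/usr/sbin/utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.298:0): avc: denied { search } for pid=2683 exe=/usr/sbin/utempter name=log dev=hda2 ino=388629 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:var_log_t tclass=dir
May 11 10:34:08 a3aan kernel: audit(1084264448.300:0): avc: denied { write } for pid=2683 exe=/usr/sbin/utempter name=wtmp dev=hda2 ino=390201 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:wtmp_t tclass=file
May 11 10:34:08 a3aan kernel: audit(1084264448.301:0): avc: denied { lock } for pid=2683 exe=/usr/sbin/utempter path=/var/log/wtmp dev=hda2 ino=390201 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:wtmp_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_denial(line):
    """Return ((source_type, target_type, class), [perms]) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return (source, target, fields["tclass"]), m.group(1).split()
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Merge the permissions of all denials that share the same rule key."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_denial(line)
        if parsed:
            grouped[parsed[0]].update(parsed[1])
    return dict(grouped)

def render(grouped, keyword="dontaudit"):
    """Render one policy rule per (source, target, class) key."""
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"{keyword} {source} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

Every record, including those with exe=/usr/sbin/utempter, carries the source type user_screen_t, so all three rules key on that one domain.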
Fixed in selinux-policy-strict-1.13.2-7
Fixed in Rawhide