Description of problem: I've logged in as staff_u and run tmux in my terminal. I usually use tmux in the split screen mode which runs another shell. SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework. ***** Plugin restorecon_source (99.5 confidence) suggests ***************** If you want to fix the label. /usr/bin/tmux default label should be screen_exec_t. Then you can run restorecon. Do # /sbin/restorecon -v /usr/bin/tmux ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that tmux should be allowed read access on the framework directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep tmux /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_screen_t:s0 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects /home/plautrba/devel/github/fedora- selinux/setroubleshoot.git/framework [ dir ] Source tmux Source Path /usr/bin/tmux Port <Unknown> Host (removed) Source RPM Packages tmux-2.0-2.fc23.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-141.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.2.0-0.rc6.git0.2.fc23.x86_64 #1 SMP Wed Aug 12 21:39:36 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-08-18 17:44:02 CEST Last Seen 2015-08-18 17:44:02 CEST Local ID ccd6488e-4cbc-4739-81bb-298ba0bdb541 Raw Audit Messages type=AVC msg=audit(1439912642.550:1348): avc: denied { read } for pid=11718 comm="tmux" name="framework" dev="dm-3" ino=1319655 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1 type=SYSCALL msg=audit(1439912642.550:1348): arch=x86_64 syscall=open success=yes exit=EINVAL a0=1616320 a1=10000 a2=1616320 a3=1 items=1 ppid=1 pid=11718 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=tmux exe=/usr/bin/tmux subj=staff_u:staff_r:staff_screen_t:s0 key=(null) type=CWD msg=audit(1439912642.550:1348): cwd=/home/plautrba type=PATH msg=audit(1439912642.550:1348): item=0 name=/home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework inode=1319655 dev=fd:03 mode=040775 ouid=13558 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL Hash: tmux,staff_screen_t,user_home_t,dir,read Version-Release number of selected component: selinux-policy-3.13.1-141.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.0-0.rc6.git0.2.fc23.x86_64 type: libreport
It looks we should have a boolean for this.
I think that staff_screen_t should be allowed to do same things on user_home_t as it's allowed to do on user_home_dir_t given that I can split a screen in $HOME directory and then just change it.
That makes sense. https://github.com/fedora-selinux/selinux-policy/commit/85c52ce41c8314635df82e1ddd58fd31e8f11031
selinux-policy-3.13.1-147.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804
There's another issue: ---- time->Mon Sep 14 15:37:50 2015 type=PROCTITLE msg=audit(1442237870.069:1144): proctitle=7368002D6300746D757820646973706C61792D6D657373616765202D7020227A736822207C20677265702076696D type=SYSCALL msg=audit(1442237870.069:1144): arch=c000003e syscall=16 success=no exit=-25 a0=0 a1=5401 a2=7ffd546de8b0 a3=45 items=0 ppid=5708 pid=6334 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sh" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1442237870.069:1144): avc: denied { ioctl } for pid=6334 comm="sh" path="socket:[69334]" dev="sockfs" ino=69334 ioctlcmd=5401 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 ---- time->Mon Sep 14 15:37:49 2015 type=PROCTITLE msg=audit(1442237869.234:1143): proctitle="tmux" type=PATH msg=audit(1442237869.234:1143): item=0 name="/home/plautrba/devel/github/fedora-selinux/selinux.git" inode=6301128 dev=fd:03 mode=040775 ouid=13558 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL type=CWD msg=audit(1442237869.234:1143): cwd="/home/plautrba" type=SYSCALL msg=audit(1442237869.234:1143): arch=c000003e syscall=2 success=yes exit=12 a0=1f906e0 a1=10000 a2=1f906e0 a3=1 items=1 ppid=1 pid=5708 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="tmux" exe="/usr/bin/tmux" subj=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1442237869.234:1143): avc: denied { read } for pid=5708 comm="tmux" name="selinux.git" dev="dm-3" ino=6301128 scontext=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1 $ rpm -q selinux-policy-targeted selinux-policy-targeted-3.13.1-147.fc24.noarch
selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804
selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.