1254674 – SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework.

Bug 1254674 - SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework.

Summary: SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /ho...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	23
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec 🐦
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:b71eb65d9c8707ff47e08720b4a...
Depends On:
Blocks:	1257682
TreeView+	depends on / blocked

Reported:	2015-08-18 15:50 UTC by Petr Lautrbach 👨
Modified:	2015-09-25 07:58 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.13.1-147.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1257682 (view as bug list)
Environment:
Last Closed:	2015-09-25 07:58:03 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Petr Lautrbach 👨 2015-08-18 15:50:13 UTC

Description of problem:
I've logged in as staff_u and run tmux in my terminal. I usually use tmux in the split screen mode which runs another shell.
SELinux is preventing /usr/bin/tmux from 'read' accesses on the directory /home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework.

*****  Plugin restorecon_source (99.5 confidence) suggests   *****************

If you want to fix the label. 
/usr/bin/tmux default label should be screen_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/bin/tmux

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that tmux should be allowed read access on the framework directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmux /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_screen_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/plautrba/devel/github/fedora-
                              selinux/setroubleshoot.git/framework [ dir ]
Source                        tmux
Source Path                   /usr/bin/tmux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmux-2.0-2.fc23.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-141.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-0.rc6.git0.2.fc23.x86_64 #1
                              SMP Wed Aug 12 21:39:36 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-18 17:44:02 CEST
Last Seen                     2015-08-18 17:44:02 CEST
Local ID                      ccd6488e-4cbc-4739-81bb-298ba0bdb541

Raw Audit Messages
type=AVC msg=audit(1439912642.550:1348): avc:  denied  { read } for  pid=11718 comm="tmux" name="framework" dev="dm-3" ino=1319655 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1439912642.550:1348): arch=x86_64 syscall=open success=yes exit=EINVAL a0=1616320 a1=10000 a2=1616320 a3=1 items=1 ppid=1 pid=11718 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=tmux exe=/usr/bin/tmux subj=staff_u:staff_r:staff_screen_t:s0 key=(null)

type=CWD msg=audit(1439912642.550:1348): cwd=/home/plautrba

type=PATH msg=audit(1439912642.550:1348): item=0 name=/home/plautrba/devel/github/fedora-selinux/setroubleshoot.git/framework inode=1319655 dev=fd:03 mode=040775 ouid=13558 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL

Hash: tmux,staff_screen_t,user_home_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-141.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-0.rc6.git0.2.fc23.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2015-08-27 16:33:27 UTC

It looks we should have a boolean for this.

Comment 2 Petr Lautrbach 👨 2015-09-02 14:55:05 UTC

I think that staff_screen_t should be allowed to do same things on user_home_t as it's allowed to do on user_home_dir_t given that I can split a screen in $HOME directory and then just change it.

Comment 3 Miroslav Grepl 2015-09-11 10:14:47 UTC

That makes sense.

https://github.com/fedora-selinux/selinux-policy/commit/85c52ce41c8314635df82e1ddd58fd31e8f11031

Comment 4 Fedora Update System 2015-09-14 10:37:58 UTC

selinux-policy-3.13.1-147.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804

Comment 5 Petr Lautrbach 👨 2015-09-14 13:40:11 UTC

There's another issue:

----
time->Mon Sep 14 15:37:50 2015
type=PROCTITLE msg=audit(1442237870.069:1144): proctitle=7368002D6300746D757820646973706C61792D6D657373616765202D7020227A736822207C20677265702076696D
type=SYSCALL msg=audit(1442237870.069:1144): arch=c000003e syscall=16 success=no exit=-25 a0=0 a1=5401 a2=7ffd546de8b0 a3=45 items=0 ppid=5708 pid=6334 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sh" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1442237870.069:1144): avc:  denied  { ioctl } for  pid=6334 comm="sh" path="socket:[69334]" dev="sockfs" ino=69334 ioctlcmd=5401 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Mon Sep 14 15:37:49 2015
type=PROCTITLE msg=audit(1442237869.234:1143): proctitle="tmux"
type=PATH msg=audit(1442237869.234:1143): item=0 name="/home/plautrba/devel/github/fedora-selinux/selinux.git" inode=6301128 dev=fd:03 mode=040775 ouid=13558 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL
type=CWD msg=audit(1442237869.234:1143):  cwd="/home/plautrba"
type=SYSCALL msg=audit(1442237869.234:1143): arch=c000003e syscall=2 success=yes exit=12 a0=1f906e0 a1=10000 a2=1f906e0 a3=1 items=1 ppid=1 pid=5708 auid=13558 uid=13558 gid=1000 euid=13558 suid=13558 fsuid=13558 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="tmux" exe="/usr/bin/tmux" subj=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1442237869.234:1143): avc:  denied  { read } for  pid=5708 comm="tmux" name="selinux.git" dev="dm-3" ino=6301128 scontext=staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1



$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-147.fc24.noarch

Comment 6 Fedora Update System 2015-09-14 17:50:34 UTC

selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804

Comment 7 Fedora Update System 2015-09-25 07:57:53 UTC

selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.