Bug 723102 - screen doesn't work without unconfined
Summary: screen doesn't work without unconfined
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-19 04:49 UTC by Robin Powell
Modified: 2011-08-02 02:04 UTC (History)

Fixed In Version: selinux-policy-3.9.16-35.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-02 02:04:22 UTC
Type: ---



Description Robin Powell 2011-07-19 04:49:40 UTC
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Neither staff_u nor user_u can run screen, nor attach to existing screen sessions.  I don't know if user_u *should* be allowed, as I'm unclear on user_u's purpose, but I'm pretty sure staff_u should.  The following fixes all the things I've tried to do, which are fairly basic.  Note that this is a partly hand-tweaked policy, so it may not be perfectly minimal:



module myscreen 1.0;

require {
        type staff_t;
        type user_t;
        type screen_var_run_t;
        type user_screen_t;
        type staff_screen_t;
        type screen_home_t;
        class unix_stream_socket { read write connectto };
        class sock_file { write getattr setattr create unlink };
}

#============= staff_t ==============

allow staff_t staff_screen_t:unix_stream_socket { read write };

#============= staff_screen_t ==============

allow staff_screen_t screen_home_t:sock_file { create getattr write unlink setattr };
allow staff_screen_t screen_var_run_t:sock_file { create getattr write unlink setattr };
allow staff_screen_t self:unix_stream_socket connectto;

#============= user_t ==============

allow user_t user_screen_t:unix_stream_socket { read write };

#============= user_screen_t ==============

allow user_screen_t screen_home_t:sock_file { create getattr write unlink setattr };
allow user_screen_t screen_var_run_t:sock_file { create getattr write unlink setattr };
allow user_screen_t self:unix_stream_socket connectto;


Reproducible: Always

Steps to Reproduce:
1. Disable unconfined
2. Try to run screen as a staff_u or user_u user

Actual Results:  
Various permission denied errors.


I marked it as "high" because screen is a pretty common utility.
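
The module in the report is the kind of output audit2allow produces from the AVC denials that screen leaves in the audit log. As an added illustration (not the reporter's code and not part of the Fedora policy), the script below does that translation in miniature: it parses AVC records, merges denials that share source type, target type and object class into one allow rule, rewrites a target of the same type as the source as `self`, and emits a loadable .te module with the require block filled in. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example; only the type names are chosen to match those in the report.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report). Only the
# scontext/tcontext types deliberately mirror the ones the reporter's module names.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1311051930.123:456): avc:  denied  { read write } for  pid=2345 comm="screen" path="/var/run/screen/S-robin/2345.pts-0.host" dev="tmpfs" ino=12345 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_screen_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1311051930.124:457): avc:  denied  { create } for  pid=2346 comm="screen" name="2346.pts-0.host" scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:screen_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1311051930.125:458): avc:  denied  { setattr } for  pid=2346 comm="screen" name="2346.pts-0.host" scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:screen_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1311051930.126:459): avc:  denied  { connectto } for  pid=2346 comm="screen" path="/var/run/screen/S-robin/2346.pts-0.host" scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_screen_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1311051930.126:459): arch=c000003e syscall=42 success=no exit=-13 comm="screen"
"""

# Matches the fields of an AVC denial: permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into (stype, ttype, tclass, perms); None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = context_type(m.group("scontext"))
    ttype = context_type(m.group("tcontext"))
    # Access to an object of the process's own type is written as 'self' in policy.
    if ttype == stype:
        ttype = "self"
    perms = frozenset(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, one entry per allow rule."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_module(name, rules, version="1.0"):
    """Render the merged rules as a .te module with a complete require block."""
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.add(stype)
        if ttype != "self":          # 'self' is a keyword, not a type to require
            types.add(ttype)
        classes[tclass] |= perms
    out = ["module %s %s;" % (name, version), "", "require {"]
    for t in sorted(types):
        out.append("\ttype %s;" % t)
    for c in sorted(classes):
        out.append("\tclass %s { %s };" % (c, " ".join(sorted(classes[c]))))
    out.append("}")
    out.append("")
    for key in sorted(rules):
        stype, ttype, tclass = key
        perms = sorted(rules[key])
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a real system the input would come from: ausearch -m AVC -c screen
    print(render_module("myscreen", collect_rules(SAMPLE_AUDIT_LOG.splitlines())), end="")
```

The emitted text is compiled and loaded the same way as the reporter's module: `checkmodule -M -m -o myscreen.mod myscreen.te`, then `semodule_package -o myscreen.pp -m myscreen.mod`, then `semodule -i myscreen.pp`. Because rules are keyed on (source, target, class), each generated line grants only the permissions actually observed in the log, which is what makes the resulting module small enough to review rule by rule before loading; `audit2why` will also tell you when a denial is already covered by an existing boolean rather than needing a new rule, and a fix in the distribution policy, as shipped in comment 1, is preferable to carrying a local module indefinitely.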

Comment 1 Miroslav Grepl 2011-07-19 14:03:29 UTC
Fixed in selinux-policy-3.9.16-35.fc15

Comment 2 Fedora Update System 2011-07-21 06:02:06 UTC
selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15

Comment 3 Fedora Update System 2011-07-23 01:55:19 UTC
Package selinux-policy-3.9.16-35.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-35.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-08-02 02:03:51 UTC
selinux-policy-3.9.16-35.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

