Bug 723391 - tmux doesn't work without unconfined, but this may be a tmux behaviour issue
Summary: tmux doesn't work without unconfined, but this may be a tmux behaviour issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-20 02:30 UTC by Robin Powell
Modified: 2011-09-07 00:18 UTC
CC List: 3 users

Fixed In Version: selinux-policy-3.9.16-38.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-07 00:18:45 UTC



Description Robin Powell 2011-07-20 02:30:28 UTC
Description of problem:

tmux tries to create sockets in /var/run/tmux, like so:

rlpowell@stodi> sudo find /var/run/tmux -ls
 58858    0 drwxrwxr-x   5 root     tmux          100 Jul 19 16:18 /var/run/tmux
239364    0 drwx------   2 djanatyn tmux           60 Jul 19 16:18 /var/run/tmux/tmux-1052
239373    0 srw-rw----   1 djanatyn djanatyn        0 Jul 19 16:18 /var/run/tmux/tmux-1052/default
238111    0 drwx------   2 bairyn   tmux           60 Jul 19 17:24 /var/run/tmux/tmux-1055
242839    0 srw-rw----   1 bairyn   bairyn          0 Jul 19 17:24 /var/run/tmux/tmux-1055/default
237246    0 drwx------   2 rlpowell tmux           60 Jul 19 15:54 /var/run/tmux/tmux-1000
237338    0 srw-rw----   1 rlpowell rlpowell        0 Jul 19 15:54 /var/run/tmux/tmux-1000/default

This fails.  The following bit of selinux policy fixes it for staff_u and user_u; whether you think that's a good plan is your call.  tmux -S can be used to fix this, but AFAIK there's no tmux conf variable to change the socket dir, so it's a real issue in that out-of-the-box tmux doesn't work, so I think either the selinux policy or the default tmux socket dir should be changed in mainline Fedora.

module mytmux 1.0;

require {
        type staff_t;
        type user_t;
        type var_run_t;
        class sock_file { write create unlink };
        class dir { write create add_name remove_name };
}

#============= staff_t ==============
# Let the confined staff domain create and remove its per-user socket
# directory and socket. Note that var_run_t is the generic label for
# /var/run, so this grants write access well beyond /var/run/tmux.
allow staff_t var_run_t:dir { write remove_name create add_name };
allow staff_t var_run_t:sock_file { write create unlink };

#============= user_t ==============
# Same grant for the confined user domain.
allow user_t var_run_t:dir { write create add_name remove_name };
allow user_t var_run_t:sock_file { create write unlink };

Comment 1 Miroslav Grepl 2011-07-20 10:03:41 UTC
First, thank you for trying to use confined users and reporting bugs.

The problem is we don't have a policy for tmux. So there is no transition for confined users.

We could try to treat tmux with screen policy.

Could you try to execute

# chcon -t screen_exec_t /usr/bin/tmux
# chcon -R -t screen_var_run_t /var/run/tmux

Comment 2 Robin Powell 2011-07-23 06:02:46 UTC
Yep! That seems to do the trick.

-Robin

Comment 3 Robin Powell 2011-07-24 02:37:10 UTC
Hmm, no, not quite; that *mostly* works.  The following is required to stop the AVC messages entirely:

#============= user_screen_t ==============
allow user_screen_t user_t:unix_stream_socket connectto;

#============= staff_screen_t ==============
allow staff_screen_t staff_t:dir search;
allow staff_screen_t staff_t:file { read open getattr };

The weird part is the staff_t dir and file stuff; when I run tmux as a staff_t user, those AVCs simply print out continuously, about once a second, like so (various lines with various allows allowed or not):

type=AVC msg=audit(1311474188.863:113454): avc:  denied  { search } for  pid=31153 comm="tmux" name="31154" dev=proc ino=104906 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=dir

type=AVC msg=audit(1311474332.152:114587): avc:  denied  { read } for  pid=31235 comm="tmux" name="cmdline" dev=proc ino=105414 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=file

type=AVC msg=audit(1311474586.902:117091): avc:  denied  { open } for  pid=31711 comm="tmux" name="cmdline" dev=proc ino=106700 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=file

type=AVC msg=audit(1311474882.929:118192): avc:  denied  { getattr } for  pid=31778 comm="tmux" path="/proc/31779/cmdline" dev=proc ino=106967 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=file

So apparently tmux looks at the /proc/ cmdline file about once a second?  Dunno what's up with that (I'll let the tmux team know).

-Robin

Comment 4 Robin Powell 2011-07-24 18:33:35 UTC
Ah.  That poking at the /proc/ cmdline is a useful/needed feature; it's so that windows can be named for the command running in them.

-Robin

Comment 5 Robin Powell 2011-07-25 06:15:27 UTC
Whoops, user_t needs it too:

#============= user_screen_t ==============
allow user_screen_t user_t:unix_stream_socket connectto;
allow user_screen_t user_t:dir search;
allow user_screen_t user_t:file { read open getattr };

#============= staff_screen_t ==============
allow staff_screen_t staff_t:dir search;
allow staff_screen_t staff_t:file { read open getattr };

-Robin
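
The rules pasted in comments 3 and 5 are what audit2allow produces from AVC records like the ones quoted in comment 3: one allow rule per (source type, target type, object class), with the denied permissions merged. The script below is an added example, not code from this bug or from the selinux-policy or tmux projects; it parses such records, rebuilds those rules, and separately lists which denials are reads of /proc entries (process introspection). The four staff_screen_t records are the ones quoted in comment 3; the fifth, a user_screen_t connectto denial, is constructed for the example, and the function names are this example's own.

```python
import re
from collections import defaultdict

# The first four records are the AVC lines quoted in comment 3 of this bug.
# The fifth is CONSTRUCTED for this example (a connectto denial of the kind
# comment 5 covers for user_screen_t; pid, path and timestamp are made up).
SAMPLE_AVC = """\
type=AVC msg=audit(1311474188.863:113454): avc:  denied  { search } for  pid=31153 comm="tmux" name="31154" dev=proc ino=104906 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=dir
type=AVC msg=audit(1311474332.152:114587): avc:  denied  { read } for  pid=31235 comm="tmux" name="cmdline" dev=proc ino=105414 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=file
type=AVC msg=audit(1311474586.902:117091): avc:  denied  { open } for  pid=31711 comm="tmux" name="cmdline" dev=proc ino=106700 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=file
type=AVC msg=audit(1311474882.929:118192): avc:  denied  { getattr } for  pid=31778 comm="tmux" path="/proc/31779/cmdline" dev=proc ino=106967 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=file
type=AVC msg=audit(1311500000.000:120000): avc:  denied  { connectto } for  pid=40001 comm="tmux" path="/var/run/tmux/tmux-1000/default" scontext=user_u:user_r:user_screen_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=unix_stream_socket
"""

# "avc:  denied  { perm perm } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
DEV_RE = re.compile(r"\bdev=(?P<dev>\S+)")


def parse_avc(line):
    """Return the denied permissions and the source/target *types* of one
    AVC record, or None if the line is not a denial. Only the type field of
    a context (user:role:type:level) matters for a type-enforcement rule."""
    m = AVC_RE.search(line)
    if not m:
        return None
    dev = DEV_RE.search(line)
    return {
        "perms": m.group("perms").split(),
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "dev": dev.group("dev") if dev else None,
    }


def denials_to_rules(log_text):
    """Collapse many denials into one allow rule per (source, target, class),
    merging the permission sets, which is what audit2allow does."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            needed[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


def proc_introspection_pairs(log_text):
    """(source, target) type pairs with at least one denial on a /proc entry
    (dev=proc). Those are process-introspection accesses, the kind the
    thread ends up covering with a ps_process_pattern() interface rather
    than with raw dir/file rules."""
    pairs = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["dev"] == "proc":
            pairs.add((rec["source"], rec["target"]))
    return pairs


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVC):
        print(rule)
    print("proc introspection:", sorted(proc_introspection_pairs(SAMPLE_AVC)))
```

Run on the sample it yields the same three rules as comments 3 and 5 (permission order aside) and reports staff_screen_t reading staff_t as the only /proc pair. Rules of that shape are a diagnosis rather than the fix: the dir search and file read/open/getattr denials on /proc/<pid>/cmdline are one need, reading the process state of the user's own domain, which is why comment 6 expresses it as a single ps_process_pattern() call in the screen role template instead of pasting the raw rules into a local module.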

Comment 6 Daniel Walsh 2011-07-25 15:49:16 UTC
Looks like we need to add

	ps_process_pattern($1_screen_t, $3)

to screen_role_template.

I just updated the policy in F16.

Comment 7 Miroslav Grepl 2011-07-27 11:17:20 UTC
Fixed in selinux-policy-3.9.16-36.fc15

Comment 8 Fedora Update System 2011-08-05 14:00:06 UTC
selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Comment 9 Robin Powell 2011-08-05 16:00:50 UTC
Do those chcon changes need to be propagated into the tmux package as well, or is this the entire fix?

-Robin

Comment 10 Daniel Walsh 2011-08-05 17:23:03 UTC
No, the selinux-policy package will change the labels.

Comment 11 Fedora Update System 2011-08-05 23:56:11 UTC
Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2011-08-12 18:20:15 UTC
Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2011-09-07 00:17:26 UTC
selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

