So I've started more actively using the box that https://bugzilla.redhat.com/show_bug.cgi?id=723391 was generated on, running tmux as my confined (staff_u) user, and it's again generating AVCs about once a second. Here's what I've had to do to fix them so far:

module mytmux3 1.0;

require {
    type staff_t;
    type staff_screen_t;
    type ssh_t;
    type staff_sudo_t;
    class dir { search };
    class file { read open getattr };
}

#============= staff_screen_t ==============
allow staff_screen_t ssh_t:dir search;
allow staff_screen_t ssh_t:file { read open getattr };
allow staff_screen_t staff_t:file { read open getattr };
allow staff_screen_t staff_sudo_t:dir search;
allow staff_screen_t staff_sudo_t:file { read open getattr };

(this is on top of selinux-policy 3.9.16-40.fc15)

The problem here is that as far as I can tell what's happening is that it's checking /proc/[pid] for any pid I'm running, so theoretically that list could grow without bound? Not sure. Just wanted to warn you that this may not be complete.

As far as I know it's *only* reading the cmdline file in each case, so I guess a possible fix would be for that file to have its own type? I'm starting to wish selinux files could have more than one type at a time...

-Robin
Did you need to add this policy to make this working in enforcing mode?
Yes. Now, having said that, the behaviour loss when it *isn't* working is fairly minimal: it only fails to auto-rename windows based on what commands I'm running. But the flood of AVCs is pretty bad, and I'd certainly *prefer* that feature to work. -Robin
I just modified F16 policy to allow this, you can probably just backport the change to F15. And RHEL6.
Fixed in selinux-policy-3.9.16-41.fc15
I'm running -42, and this is not quite fixed. Here's some AVCs:

----
type=AVC msg=audit(10/07/2011 14:57:32.391:325956) : avc: denied { open } for pid=2936 comm=tmux name=cmdline dev=proc ino=1377572 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 14:57:32.391:325956) : avc: denied { read } for pid=2936 comm=tmux name=cmdline dev=proc ino=1377572 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 14:57:32.391:325956) : avc: denied { search } for pid=2936 comm=tmux name=12056 dev=proc ino=1377531 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 14:57:32.392:325957) : avc: denied { getattr } for pid=2936 comm=tmux path=/proc/12056/cmdline dev=proc ino=1377572 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=file

That's from me running a sudo command under tmux.
Here's the AVC from me running an ssh command under tmux:

----
type=AVC msg=audit(10/07/2011 15:01:51.095:326122) : avc: denied { search } for pid=2936 comm=tmux name=25194 dev=proc ino=1377286 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 15:01:59.107:326136) : avc: denied { open } for pid=2936 comm=tmux name=cmdline dev=proc ino=1377528 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:01:59.107:326136) : avc: denied { read } for pid=2936 comm=tmux name=cmdline dev=proc ino=1377528 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:01:59.107:326137) : avc: denied { getattr } for pid=2936 comm=tmux path=/proc/25194/cmdline dev=proc ino=1377528 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:ssh_t:s0 tclass=file

I assume this will continue to happen with every possible command selinux type, and when the proc check fails tmux hammers at it every second or so (which, by the way Dan, is what led to setroubleshootd taking all my CPU).

Here's what I'm currently running in my local tmux module. The last bit is for tmux having sockets in /tmp/, which the version I'm currently running (1.5 from a src rpm) does, but the released Fedora version does not. Nonetheless, it's something you probably want to support.

policy_module(mytmux, 1.0)

# Types from the base policy that this local module references
# (header added so the fragment builds with the refpolicy devel Makefile;
# it was not part of the pasted fragment).
gen_require(`
    type staff_screen_t, user_screen_t, screen_tmp_t;
    type ssh_t, staff_sudo_t;
')

# handle the per-window proc check stuff.
allow staff_screen_t ssh_t:dir search;
allow staff_screen_t ssh_t:file { read open getattr };
allow staff_screen_t staff_sudo_t:dir search;
allow staff_screen_t staff_sudo_t:file { read open getattr };
allow user_screen_t ssh_t:dir search;
allow user_screen_t ssh_t:file { read open getattr };

# deal with sockets in /tmp/
manage_dirs_pattern(staff_screen_t, screen_tmp_t, screen_tmp_t)
manage_files_pattern(staff_screen_t, screen_tmp_t, screen_tmp_t)
manage_dirs_pattern(user_screen_t, screen_tmp_t, screen_tmp_t)
manage_files_pattern(user_screen_t, screen_tmp_t, screen_tmp_t)
allow user_screen_t screen_tmp_t:sock_file { create getattr write unlink setattr };
allow staff_screen_t screen_tmp_t:sock_file { create getattr write unlink setattr };

-Robin
Here's another example, while I was entering data into "mailx". Note the timestamps.

----
type=AVC msg=audit(10/07/2011 17:28:46.944:342616) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:47.444:342617) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:47.945:342618) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:48.446:342619) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:48.947:342620) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:49.947:342622) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:49.448:342621) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:50.449:342623) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:50.949:342624) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:51.449:342625) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:51.950:342626) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:52.952:342628) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:52.452:342627) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:53.955:342630) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:53.453:342629) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:54.455:342631) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:54.956:342634) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:55.959:342636) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:55.457:342635) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:56.961:342638) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 17:28:56.460:342637) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
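As an added example (not code from this bug report, from tmux, or from selinux-policy), here is a small Python script that parses AVC records in the ausearch format shown in the comments above, collapses them into the allow (or dontaudit) rules they would need, the way audit2allow does, and reports how often each denial recurs, which makes the once-a-second retry flood visible at a glance. The sample records are constructed to mirror the ones in this thread.

```python
import re
from datetime import datetime

# Constructed sample records modelled on the ausearch output in this bug
# (one record per line); they are not copied from a live audit log.
SAMPLE_LOG = """\
type=AVC msg=audit(10/07/2011 17:28:46.944:342616) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 17:28:47.444:342617) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 17:28:47.945:342618) : avc: denied { search } for pid=2936 comm=tmux name=19243 dev=proc ino=1457864 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 17:28:48.446:342619) : avc: denied { open } for pid=2936 comm=tmux name=cmdline dev=proc ino=1457870 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 17:28:48.446:342619) : avc: denied { read } for pid=2936 comm=tmux name=cmdline dev=proc ino=1457870 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:user_mail_t:s0 tclass=file
"""

# Pull out the timestamp, permissions, source/target types and object class.
AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d/]+ [\d:.]+):\d+\).*?denied\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+"
    r" tclass=(?P<tclass>\w+)")

def parse_avcs(text):
    """Yield (timestamp, source type, target type, class, perms) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
            yield ts, m["stype"], m["ttype"], m["tclass"], set(m["perms"].split())

def summarize(text):
    """Group denials by (source, target, class) like audit2allow, with count and span."""
    groups = {}
    for ts, stype, ttype, tclass, perms in parse_avcs(text):
        g = groups.setdefault((stype, ttype, tclass),
                              {"perms": set(), "count": 0, "first": ts, "last": ts})
        g["perms"] |= perms
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
    return groups

def rules(groups, verb="allow"):
    """Render each group as an allow rule, or as dontaudit to silence the flood
    without granting the access (the approach the final policy fix took)."""
    return [f"{verb} {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

def per_second(g):
    """Denials per second for one group; a steady rate is tmux retrying the check."""
    span = (g["last"] - g["first"]).total_seconds()
    return g["count"] / span if span else float(g["count"])
```

Run `summarize()` over the output of `ausearch -m avc -i` and print `rules(groups, "dontaudit")` to get the rule text, or `per_second()` on a group to see how fast the denial is being retried.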
I am fixing issues which relate to reading of domain state.

Fixed in selinux-policy-3.9.16-43.fc15

But the sock file should be located in /var/run/tmux which I believe is in Fedora release.
I don't know if your solution is fully general; just in case it isn't, here's another one:

type=PATH msg=audit(10/13/2011 16:23:31.430:532091) : item=0 name=/proc/1157/cmdline
type=CWD msg=audit(10/13/2011 16:23:31.430:532091) : cwd=/home/rlpowell
type=SYSCALL msg=audit(10/13/2011 16:23:31.430:532091) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=179cc40 a1=0 a2=1b6 a3=9 items=1 ppid=1 pid=2936 auid=rlpowell uid=rlpowell gid=rlpowell euid=rlpowell suid=rlpowell fsuid=rlpowell egid=rlpowell sgid=rlpowell fsgid=rlpowell tty=(none) ses=7 comm=tmux exe=/usr/bin/tmux subj=staff_u:staff_r:staff_screen_t:s0 key=(null)
type=AVC msg=audit(10/13/2011 16:23:31.430:532091) : avc: denied { search } for pid=2936 comm=tmux name=1157 dev=proc ino=5006644 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:traceroute_t:s0 tclass=dir

And yeah, the sock file thing is less interesting/important.

-Robin
Miroslav, let's add domain_dontaudit_read_all_domains_state(screen_domain)
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #7)
> I am fixing issues which relate with reading of domain state.
>
> Fixed in selinux-policy-3.9.16-43.fc15
>
>
> But the sock file should be located in /var/run/tmux which I believe is in
> Fedora release.

Well, here's the *fun* part: it changed. Latest tmux, in Fedora 16: tmux-1.6-1.fc16.x86_64

type=SOCKADDR msg=audit(02/29/2012 00:27:03.214:119263) : saddr=local /tmp//tmux-1000/default
type=AVC msg=audit(02/29/2012 00:27:03.214:119263) : avc: denied { create } for pid=25142 comm=tmux name=default scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=sock_file

But if I downgrade to tmux-1.4-4.fc16.x86_64, it works fine. I've checked with strace, and the old version is using /var/run/tmux, and the new is using /tmp/. I can make this a bug against them if you like.

-Robin
Ok, could you open a new bug for tmux? Why did they change it to use /tmp?
Will do. No idea. -Robin
The tmux bug is https://bugzilla.redhat.com/show_bug.cgi?id=798554 in case you want to follow it. -Robin
The socket location has been changed "back" to /tmp/ in order to comply with upstream's location. The patch to change it to save to /var/run/tmux was a custom modification which I took from the Debian package. Debian has since then reverted back to the upstream default too.