Bug 847426 - Problems with tmux scripts with unconfined disabled
Summary: Problems with tmux scripts with unconfined disabled
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-11 05:02 UTC by Robin Powell
Modified: 2012-08-13 19:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-13 19:29:15 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Robin Powell 2012-08-11 05:02:00 UTC 
Let me know if this is fixed in a more recent release.

I've bound the following script to a tmux key, to trim whitespace in stuff in the tmux buffer:

- ----------------


#!/bin/sh -e

sep="$1"

rm -f /tmp/rlp_tmux_buf
tmux save-buffer -b 0 /tmp/rlp_tmux_buf
if [ "$sep" ]
then
  cat /tmp/rlp_tmux_buf | sed 's/^ *//' | tr '\012' "$sep" >/tmp/rlp_tmux_buf.tmp
else
  cat /tmp/rlp_tmux_buf  | sed 's/^ *//' | tr -d '\012' >/tmp/rlp_tmux_buf.tmp
fi
tmux load-buffer -b 18 /tmp/rlp_tmux_buf.tmp
tmux paste-buffer -b 18
rm /tmp/rlp_tmux_buf /tmp/rlp_tmux_buf.tmp

- -----------------

This works fine with setenforce 0, but with 1 it:


----
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { noatsecure } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { siginh } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { rlimitinh } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { read write } for  pid=32042 comm=sh path=socket:[7581390] dev=sockfs ino=7581390 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_screen_t:s0 tclass=unix_stream_socket
----
type=AVC msg=audit(08/10/2012 21:29:02.430:479029) : avc:  denied  { getattr } for  pid=32043 comm=rm path=/tmp/rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file
----
type=AVC msg=audit(08/10/2012 21:29:02.431:479030) : avc:  denied  { unlink } for  pid=32043 comm=rm name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file

(had dontaudit off).

audit2allow says:


#============= staff_t ==============
allow staff_t screen_tmp_t:file { getattr unlink };
allow staff_t staff_screen_t:unix_stream_socket { read write };

which looks remarkably inoffensive to me, but I'm *way* out of practice at this game.  What say you?

-Robin
Comment 1 Robin Powell 2012-08-11 15:56:15 UTC 
Whoops, missed some; like I said, it's been way too long.


----
type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc:  denied  { open } for  pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc:  denied  { read } for  pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
----
type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc:  denied  { open } for  pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file
type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc:  denied  { read } for  pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file

So the whole version is:


policy_module(mytmuxscripts,1.0.0)

require {                                                                                                                                                                                                  type staff_t;
        type staff_screen_t;
        type screen_tmp_t;
        type user_tmp_t;                                                                                                                                                                                   class file { getattr unlink read open };
        class unix_stream_socket { read write };                                                                                                                                                   }

#============= staff_t ==============                                                                                                                                                              allow staff_t screen_tmp_t:file { getattr unlink };
allow staff_t staff_screen_t:unix_stream_socket { read write };
allow staff_t screen_tmp_t:file { read open };

#============= staff_screen_t ==============
allow staff_screen_t user_tmp_t:file { read open };
Comment 2 Daniel Walsh 2012-08-13 19:29:15 UTC 
I have checked in fixes for this in F18, Since F15 is no longer supported I am closing this with a fixed in rawhide 

Fixed in selinux-policy-3.11.1-6.fc18.noarch
Note You need to log in before you can comment on or make changes to this bug.