Bug 847426 - Problems with tmux scripts with unconfined disabled
Problems with tmux scripts with unconfined disabled
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
15
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-11 01:02 EDT by Robin Powell
Modified: 2012-08-13 15:29 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-13 15:29:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robin Powell 2012-08-11 01:02:00 EDT
Let me know if this is fixed in a more recent release.

I've bound the following script to a tmux key, to trim whitespace in stuff in the tmux buffer:

- ----------------


#!/bin/sh -e

sep="$1"

rm -f /tmp/rlp_tmux_buf
tmux save-buffer -b 0 /tmp/rlp_tmux_buf
if [ "$sep" ]
then
  cat /tmp/rlp_tmux_buf | sed 's/^ *//' | tr '\012' "$sep" >/tmp/rlp_tmux_buf.tmp
else
  cat /tmp/rlp_tmux_buf  | sed 's/^ *//' | tr -d '\012' >/tmp/rlp_tmux_buf.tmp
fi
tmux load-buffer -b 18 /tmp/rlp_tmux_buf.tmp
tmux paste-buffer -b 18
rm /tmp/rlp_tmux_buf /tmp/rlp_tmux_buf.tmp

- -----------------

This works fine with setenforce 0, but with 1 it:


----
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { noatsecure } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { siginh } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { rlimitinh } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { read write } for  pid=32042 comm=sh path=socket:[7581390] dev=sockfs ino=7581390 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_screen_t:s0 tclass=unix_stream_socket
----
type=AVC msg=audit(08/10/2012 21:29:02.430:479029) : avc:  denied  { getattr } for  pid=32043 comm=rm path=/tmp/rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file
----
type=AVC msg=audit(08/10/2012 21:29:02.431:479030) : avc:  denied  { unlink } for  pid=32043 comm=rm name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file

(had dontaudit off).

audit2allow says:


#============= staff_t ==============
allow staff_t screen_tmp_t:file { getattr unlink };
allow staff_t staff_screen_t:unix_stream_socket { read write };

which looks remarkably inoffensive to me, but I'm *way* out of practice at this game.  What say you?

-Robin
Comment 1 Robin Powell 2012-08-11 11:56:15 EDT
Whoops, missed some; like I said, it's been way too long.


----
type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc:  denied  { open } for  pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc:  denied  { read } for  pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
----
type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc:  denied  { open } for  pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file
type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc:  denied  { read } for  pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file

So the whole version is:


policy_module(mytmuxscripts,1.0.0)

require {                                                                                                                                                                                                  type staff_t;
        type staff_screen_t;
        type screen_tmp_t;
        type user_tmp_t;                                                                                                                                                                                   class file { getattr unlink read open };
        class unix_stream_socket { read write };                                                                                                                                                   }

#============= staff_t ==============                                                                                                                                                              allow staff_t screen_tmp_t:file { getattr unlink };
allow staff_t staff_screen_t:unix_stream_socket { read write };
allow staff_t screen_tmp_t:file { read open };

#============= staff_screen_t ==============
allow staff_screen_t user_tmp_t:file { read open };
Comment 2 Daniel Walsh 2012-08-13 15:29:15 EDT
I have checked in fixes for this in F18, Since F15 is no longer supported I am closing this with a fixed in rawhide 

Fixed in selinux-policy-3.11.1-6.fc18.noarch

Note You need to log in before you can comment on or make changes to this bug.