Let me know if this is fixed in a more recent release. I've bound the following script to a tmux key, to trim whitespace in stuff in the tmux buffer: - ---------------- #!/bin/sh -e sep="$1" rm -f /tmp/rlp_tmux_buf tmux save-buffer -b 0 /tmp/rlp_tmux_buf if [ "$sep" ] then cat /tmp/rlp_tmux_buf | sed 's/^ *//' | tr '\012' "$sep" >/tmp/rlp_tmux_buf.tmp else cat /tmp/rlp_tmux_buf | sed 's/^ *//' | tr -d '\012' >/tmp/rlp_tmux_buf.tmp fi tmux load-buffer -b 18 /tmp/rlp_tmux_buf.tmp tmux paste-buffer -b 18 rm /tmp/rlp_tmux_buf /tmp/rlp_tmux_buf.tmp - ----------------- This works fine with setenforce 0, but with 1 it: ---- type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc: denied { noatsecure } for pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc: denied { siginh } for pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc: denied { rlimitinh } for pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc: denied { read write } for pid=32042 comm=sh path=socket:[7581390] dev=sockfs ino=7581390 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_screen_t:s0 tclass=unix_stream_socket ---- type=AVC msg=audit(08/10/2012 21:29:02.430:479029) : avc: denied { getattr } for pid=32043 comm=rm path=/tmp/rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file ---- type=AVC msg=audit(08/10/2012 21:29:02.431:479030) : avc: denied { unlink } for pid=32043 comm=rm name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file (had dontaudit off). audit2allow says: #============= staff_t ============== allow staff_t screen_tmp_t:file { getattr unlink }; allow staff_t staff_screen_t:unix_stream_socket { read write }; which looks remarkably inoffensive to me, but I'm *way* out of practice at this game. What say you? -Robin
Whoops, missed some; like I said, it's been way too long. ---- type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc: denied { open } for pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc: denied { read } for pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file ---- type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc: denied { open } for pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc: denied { read } for pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file So the whole version is: policy_module(mytmuxscripts,1.0.0) require { type staff_t; type staff_screen_t; type screen_tmp_t; type user_tmp_t; class file { getattr unlink read open }; class unix_stream_socket { read write }; } #============= staff_t ============== allow staff_t screen_tmp_t:file { getattr unlink }; allow staff_t staff_screen_t:unix_stream_socket { read write }; allow staff_t screen_tmp_t:file { read open }; #============= staff_screen_t ============== allow staff_screen_t user_tmp_t:file { read open };
I have checked in fixes for this in F18, Since F15 is no longer supported I am closing this with a fixed in rawhide Fixed in selinux-policy-3.11.1-6.fc18.noarch