When running screen with selinux enforcing I get the following error with no AVC.
[b1gb0y@imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y@imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists
When I run screen with selinux in permissive mode it works as expected and generates AVCs. I have tried to run audit2allow against the following AVCs but the module is not able to load.
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
ausearch --start today -m avc | audit2allow -M screen
[root@imarks-ws ~]# cat screen.te
module screen 1.0;
require {
type screen_var_run_t;
type user_t;
class dir { write remove_name create add_name setattr };
class fifo_file { read write create unlink open };
}
#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };
semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
I know user_u should only be able to write to /tmp and /~ so this may be a bad idea altogether.
Any suggestions on getting this to work would be much appreciated.
Thanks,
Ian
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
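The libsepol message above says the module names a type the loaded policy does not define, so a useful pre-flight step before `semodule -i` is to list every type in the module's require block and check each one against the running policy. The script below is an added example, not part of the original post; it assumes the known-type list comes from setools' `seinfo -t` on a real host and uses a constructed list (lacking screen_var_run_t) so it runs offline.

```shell
#!/bin/sh
# Pre-flight check for an audit2allow-generated module (added example).
# te_required_types FILE: print the types named in the require { } block.
te_required_types() {
    sed -n '/^[[:space:]]*require[[:space:]]*{/,/^[[:space:]]*}/p' "$1" \
      | sed -n 's/^[[:space:]]*type[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*;.*/\1/p' \
      | sort -u
}

# te_missing_types FILE KNOWN: print required types absent from KNOWN
# (one type per line). Each one listed is a type the policy will reject,
# which is exactly the "global requirements were not met" failure.
te_missing_types() {
    te_required_types "$1" | while IFS= read -r t; do
        grep -qx "$t" "$2" || printf '%s\n' "$t"
    done
}

# Constructed sample input: the module from the post, plus a stand-in for
# the output of `seinfo -t` on a policy that does not define screen_var_run_t.
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
cat > "$tmpd/screen.te" <<'EOF'
module screen 1.0;
require {
    type screen_var_run_t;
    type user_t;
    class dir { write remove_name create add_name setattr };
    class fifo_file { read write create unlink open };
}
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };
EOF
printf 'user_t\ntmp_t\nuser_home_t\n' > "$tmpd/known_types"   # constructed list

# On a real host replace the constructed list with:
#   seinfo -t | sed 's/^[[:space:]]*//' > known_types
# Review every remaining allow rule by hand before loading; audit2allow
# grants whatever was denied, it does not judge whether the grant is sane.
echo "types missing from policy: $(te_missing_types "$tmpd/screen.te" "$tmpd/known_types")"
```

If the check reports a type, the label on the files (`ls -Z /var/run/screen`) comes from a type the current policy no longer knows, and the module will not link until the rules are written against a type the policy does define.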