Confined User using screen

I just started playing around with confining users in rawhide using selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen. 
When running screen with selinux enforcing I get the following error with no AVC.

[b1gb0y@imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y@imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists

When I run screen with selinux in permissive mode it works as expected and generates AVCs.  I have tried to run audit2allow against the following AVCs but the module is not able to load.

234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478

 ausearch --start today -m avc | audit2allow -M screen

[root@imarks-ws ~]# cat screen.te

module screen 1.0;

require {
        type screen_var_run_t;
        type user_t;
        class dir { write remove_name create add_name setattr };
        class fifo_file { read write create unlink open };
}

#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };

semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


I know user_u should only be able to write to /tmp and /~ so this may be a bad idea altogether.
Any suggestions on getting this to work would be much appreciated.

Thanks,
Ian

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
