I'm having some issues with using 'screen' on RHEL7-based systems. It seems that things like utmp/wtmp writing do not work, which I haven't looked into yet (which makes 'deflogin' fail), but the one that was more easily tracked down is things like log files.

  $ id
  uid=9318(huston) ... context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
  $ ls -lZ `which screen`
  -rwxr-sr-x. root screen system_u:object_r:screen_exec_t:s0 /usr/bin/screen*
  # ps -efZ | grep -i screen
  staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 huston 14296 1 0 Mar02 ? 00:06:00 SCREEN
  staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 huston 3432606 3432605 0 10:51 pts/0 00:00:00 screen -raAx
  # ls -lZ /home/huston/screenlog.16
  -rw-rw-r--. huston huston staff_u:object_r:user_home_dir_t:s0 /home/huston/screenlog.16

This file could only be written after I set permissive mode (or add an SELinux policy containing

  allow user_screen_t user_home_dir_t:file { append create getattr open };
  allow staff_screen_t user_home_dir_t:file { append create getattr open };

which of course works great to create the file, but then I cannot read it).

Looking through serefpolicy-contrib-3.13.1/screen.te (from selinux-policy-3.13.1-102.el7_3.16.src.rpm) I see three lines:

  userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
  userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
  userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")

which work for relabeling those files so that screen can read them, but what I don't see is something that is telling the system that screen should be creating files as user_home_dir_t, which seems to be the problem. I would assume they should also be screen_home_t, so that screen can reopen the files for appending if the logfile is reopened, but I know not how to do that.
Any insight would be appreciated - I'm guessing there's something missing in the reference policy, but I'm not opposed to adding something to fix it locally until the change makes its way through the proper channels.

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University  | ICBM Address: 40.346344 -74.652242
345 Lewis Library     |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
(267) 793-0852        | headlong into mystery." -Rush, 'Cygnus X-1'
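A local policy module implementing the transition the post is asking for, added here as an example (not part of Steve's message or of the distribution policy): it reuses the userdom_user_home_dir_filetrans interface quoted from screen.te, assumes the RHEL7 policy's named file transitions, and assumes screen's default log name screenlog.N, so it needs one line per window number (0 and 1 shown).

```selinux
policy_module(local_screenlog, 1.0)

gen_require(`
    # domains and home type already defined by the distribution screen module
    type staff_screen_t, user_screen_t, screen_home_t;
')

# Label new screenlog.N files created directly in $HOME as screen_home_t
# (the type screen.te already uses for .screenrc) instead of leaving them
# as user_home_dir_t, which the screen domains are not allowed to write.
# Named transitions match the exact filename, hence one rule per window
# number; extend the list to cover the windows that get logged.
userdom_user_home_dir_filetrans(staff_screen_t, screen_home_t, file, "screenlog.0")
userdom_user_home_dir_filetrans(staff_screen_t, screen_home_t, file, "screenlog.1")
userdom_user_home_dir_filetrans(user_screen_t,  screen_home_t, file, "screenlog.0")
userdom_user_home_dir_filetrans(user_screen_t,  screen_home_t, file, "screenlog.1")
```

Build and load it with the standard devel toolchain (make -f /usr/share/selinux/devel/Makefile local_screenlog.pp, then semodule -i local_screenlog.pp). The transition only affects newly created files, so an existing screenlog.16 still has to be relabelled by hand (chcon -t screen_home_t) before screen can append to it.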