Confined User using screen

Ian Lists ian-list at securitypimp.com
Sun Oct 11 17:22:14 UTC 2009


I just started playing around with confining users in rawhide using
selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.

When running screen with selinux enforcing I get the following error with no
AVC.

[b1gb0y at imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y at imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists

When I run screen with selinux in permissive mode it works as expected and
generates AVCs.  I have tried to run audit2allow against the following AVCs but
the module is not able to load.

234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write
system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name
system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create
user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr
user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write
user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name
user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create
user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read
user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open
user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write
user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name
user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink
user_u:object_r:screen_var_run_t:s0 denied 26478

ausearch --start today -m avc | audit2allow -M screen

[root at imarks-ws ~]# cat screen.te

module screen 1.0;

require {
        type screen_var_run_t;
        type user_t;
        class dir { write remove_name create add_name setattr };
        class fifo_file { read write create unlink open };
}

#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };

semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not
met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!


I know user_u should only be able to write to /tmp and /~ so this may be a
bad idea altogether..
Any suggestions on getting this to work would be much appreciated.

Thanks,
Ian
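A pre-flight check for the semodule failure quoted above, added here as an example and not part of the original post: it parses the require block of a .te file and reports which required types or classes are absent from the loaded policy, which is exactly what libsepol complains about when the module is linked. The policy type and class sets are a constructed stand-in for the output of `seinfo -t` and `seinfo -c` (setools); on a real box you would fill them from those commands.

```python
import re

# Constructed stand-in for `seinfo -t` / `seinfo -c` output on the affected host.
# screen_var_run_t is deliberately absent, matching the error in the post.
POLICY_TYPES = {"user_t", "user_home_t", "user_tmp_t", "screen_exec_t", "screen_t"}
POLICY_CLASSES = {"dir", "file", "fifo_file", "sock_file"}

# The module from the post, as audit2allow -M screen generated it.
SCREEN_TE = """\
module screen 1.0;

require {
        type screen_var_run_t;
        type user_t;
        class dir { write remove_name create add_name setattr };
        class fifo_file { read write create unlink open };
}

allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };
"""


def parse_require(te_text):
    """Return (types, classes) named in the module's require { ... } block."""
    # The block closes with a '}' at the start of a line; inner '{ perms }'
    # groups on class lines must not terminate the match early.
    m = re.search(r"require\s*\{(.*?)^\}", te_text, re.S | re.M)
    if not m:
        return set(), set()
    body = m.group(1)
    types = set()
    # Accept both "type a;" and the comma-separated "type a, b;" form.
    for decl in re.findall(r"^\s*type\s+([^;]+);", body, re.M):
        types.update(t.strip() for t in decl.split(",") if t.strip())
    classes = set(re.findall(r"^\s*class\s+(\w+)", body, re.M))
    return types, classes


def missing_requirements(te_text, policy_types, policy_classes):
    """Names the module requires that the loaded policy does not define."""
    types, classes = parse_require(te_text)
    return {"types": sorted(types - policy_types),
            "classes": sorted(classes - policy_classes)}


if __name__ == "__main__":
    missing = missing_requirements(SCREEN_TE, POLICY_TYPES, POLICY_CLASSES)
    for kind, names in missing.items():
        for name in names:
            print(f"semodule -i would fail: required {kind[:-1]} {name} not in policy")
```

If the check reports a missing type, the fix is in the base policy (the module that defines that type is not loaded), not in the generated .te, so re-running audit2allow will not help.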