Can you add it for both stable and unstable builds? Reproducible: Always
Created attachment 343234 tmux-staff.te
taken here, if any: https://bitbucket.org/csstaub/selinux-policies/raw/f1e8c1d623067afdac6ad116e84a77748e34d918/tmux-staff.te
That suggested policy doesn't conform to the style guides, sadly. From a high-level look, we would need to allow the screen domains to manage socket files in the screen_tmp_t resources. I'll install tmux later and see if I can reproduce. The create rights within the user_home_dir_t shouldn't be needed as-is, or should contain a type transition to user_home_t as well, although I think it's probably even better to transition to screen_home_t. What is the name of the file it is trying to create?
To be honest, I'm not the author of the attached policy. I just got it as advice on #tmux@FreeNode. But, as far as *I* tested:

> mva@laptop ~ $ strace -ff -eopen,stat,access tmux &>tmux.log; cat tmux.log
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libutil.so.1", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libncurses.so.5", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/lib64/libevent-2.0.so.5", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
> access("/bin/zsh", X_OK) = 0
> access("/home/mva/.tmux.conf", R_OK) = -1 ENOENT (No such file or directory)
> [exited]
> +++ exited with 0 +++

So, it just tries to _read_ its config file from the user's home. Btw, I bet I missed something, since tmux *should* (and did) also check /etc/tmux, at least.
Starting with a few more obvious fixes first. I needed to add the following:

"""
allow screen_domain screen_tmp_t:sock_file manage_sock_file_perms;
allow screen_domain self:unix_stream_socket { accept listen };
"""

The first one is because tmux places its control socket as /tmp/tmux-*/default (without it, tmux just bails out - no error). The second one is to allow the tmux server to listen on this socket. I can get it to work on ttys and devpts, but not when the user has switched role using newrole (no output, although tmux works and I can see whatever I type in an attached window elsewhere).
Second step was to make sure that ~/.tmux.conf is marked as screen_home_t (both in file context and within screen_role_template).
The abovementioned fixes are now in policy (live ebuilds/repo) and will be in rev 13. However, I'm keeping this open as I want to get this fixed for the newrole case as well.
One method would be to patch tmux not to use stdin for writing to the TTY. The other one is to open the file descriptor (in newrole) as O_RDWR. For more info, see http://marc.info/?l=selinux&m=136518126930710&w=2 I'm probably going to update newrole to do so. Seems like a simple-enough fix, easy to maintain, and makes behavior consistent with what applications expect (even though it isn't exactly correct).
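As an added example (my own code, not from newrole or tmux), here is the failure mode behind the "no output under newrole" symptom: a program that writes to its stdin descriptor only works when that descriptor was opened read-write. A regular temporary file stands in for the terminal so this runs without a TTY; the helper names and the scratch path are constructed for the example.

```c
/* Added example, not newrole/tmux code: writing through a descriptor that
 * was opened O_RDONLY fails with EBADF, while the same descriptor opened
 * O_RDWR accepts the write. This is the difference between the two newrole
 * behaviours discussed above. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Report the access mode (O_RDONLY, O_WRONLY or O_RDWR) an fd was opened with.
 * This is the check a client could make on fd 0 before assuming it is writable. */
int fd_access_mode(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    return flags < 0 ? -1 : (flags & O_ACCMODE);
}

/* Open a scratch file with `flags`, attempt a write through that fd the way a
 * TTY client writes to fd 0, and return 0 on success or the errno on failure. */
int probe_write_with_flags(int flags)
{
    char path[] = "/tmp/stdin-probe-XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    close(fd);

    int err = 0;
    fd = open(path, flags);
    if (fd < 0) {
        err = errno;
    } else {
        const char msg[] = "output the user never sees\n";
        if (write(fd, msg, sizeof msg - 1) < 0)
            err = errno;                 /* EBADF when opened O_RDONLY */
        close(fd);
    }
    unlink(path);
    return err;
}

int main(void)
{
    int ro = probe_write_with_flags(O_RDONLY);
    int rw = probe_write_with_flags(O_RDWR);
    printf("opened O_RDONLY: %s\n", ro ? strerror(ro) : "write ok");
    printf("opened O_RDWR:   %s\n", rw ? strerror(rw) : "write ok");
    printf("this process's stdin mode: %d (O_RDONLY=%d, O_RDWR=%d)\n",
           fd_access_mode(STDIN_FILENO), O_RDONLY, O_RDWR);
    return 0;
}
```

The last line of output is the quick diagnostic for the newrole case: run it inside the new role and, if stdin reports O_RDONLY, any client that writes to fd 0 will silently lose its output exactly as described above.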
policycoreutils-2.1.13-r10 should fix this, now in hardened-dev overlay (so I can do regression testing)
In main tree, ~arch
Stabilized