Bug 463222 - <sys-apps/policycoreutils-2.1.13-r10 newrole does not open std* as O_RDWR (needed for tmux)
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r13 selinux-utils
Depends on:
Reported: 2013-03-25 13:15 UTC by Vadim A. Misbakh-Soloviov (mva)
Modified: 2013-06-16 18:25 UTC

See Also:
Package list:
Runtime testing required: ---

tmux-staff.te (tmux-staff.te,549 bytes, text/plain)
2013-03-25 13:16 UTC, Vadim A. Misbakh-Soloviov (mva)

Description Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2013-03-25 13:15:46 UTC
Can you add it for both stable and unstable builds?

Reproducible: Always
Comment 1 Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2013-03-25 13:16:24 UTC
Created attachment 343234 [details]
Comment 2 Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2013-03-25 15:19:30 UTC
taken here, if any:
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-29 12:32:21 UTC
That suggested policy doesn't conform to the style guides, sadly.

From a high-level look, we would need to allow the screen domains to manage socket files in the screen_tmp_t resources. I'll install tmux later and see if I can reproduce.

The create rights within the user_home_dir_t shouldn't be needed as-is, or should contain a type transition to user_home_t as well, although I think it's probably even better to transition to screen_home_t. What is the name of the file it is trying to create?
Comment 4 Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2013-03-29 15:28:57 UTC
To be honest, I'm not the author of the attached policy. I just got it as advice on #tmux@FreeNode.
But, as far as *I* tested:

> mva@laptop ~ $ strace -ff -eopen,stat,access tmux &>tmux.log; cat tmux.log
> access("/etc/", R_OK)      = -1 ENOENT (No such file or directory)
> open("/etc/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/", O_RDONLY|O_CLOEXEC) = 3
> access("/bin/zsh", X_OK)                = 0
> access("/home/mva/.tmux.conf", R_OK)    = -1 ENOENT (No such file or directory)
> [exited]
> +++ exited with 0 +++

So, it just tries to _read_ its config file from the user's home.
Btw, I bet I missed something, since tmux *should* (and did) also check /etc/tmux, at least.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-03 17:16:05 UTC
Starting with a few more obvious fixes first.

I needed to add the following:
allow screen_domain screen_tmp_t:sock_file manage_sock_file_perms;
allow screen_domain self:unix_stream_socket { accept listen };

The first one is because tmux places its control socket as /tmp/tmux-*/default (without it, tmux just bails out - no error).

The second one is to allow the tmux server to listen on this socket.

I can get it to work on ttys and devpts, but not when the user has switched role using newrole (no output, although tmux works and I can see whatever I type in an attached window elsewhere).
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-03 17:27:52 UTC
Second step was to make sure that ~/.tmux.conf is marked as screen_home_t (both in file context and within screen_role_template).
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-03 18:07:13 UTC
The abovementioned fixes are now in policy (live ebuilds/repo) and will be in rev 13. However, I'm keeping this open as I want to get this fixed for the newrole case as well.
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-11 16:33:57 UTC
One method would be to patch tmux not to use stdin for writing to TTY. The other one is to open the file descriptor (in newrole) as O_RDWR. For more info, see

I'm probably going to update newrole to do so. Seems like a simple-enough fix, easy to maintain, and it makes behavior consistent with what applications expect (even though it isn't exactly correct).
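As an added illustration (not code from this bug, from tmux or from policycoreutils), the C program below shows why a read-only reopen of stdin breaks a program that writes to its terminal through fd 0: write() on a descriptor opened O_RDONLY fails with EBADF, while an O_RDWR descriptor accepts it. It uses /dev/null as a constructed stand-in for the user's TTY device so it runs anywhere; fd_is_writable() is the check a program can use to detect the read-only-stdin case before assuming it can write there.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Report whether a descriptor was opened with write access:
 * 1 = writable (O_WRONLY or O_RDWR), 0 = read-only, -1 = not a valid fd. */
int fd_is_writable(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return -1;
    int acc = flags & O_ACCMODE;
    return (acc == O_WRONLY || acc == O_RDWR) ? 1 : 0;
}

/* Reopen `path` with `mode` (the way newrole reopens std* on a role change),
 * then try to write one byte through that descriptor, as tmux does when it
 * writes to the TTY via stdin. Returns 0 on success, otherwise the errno of
 * the failing call: EBADF when the descriptor is read-only. */
int write_after_reopen(const char *path, int mode)
{
    int fd = open(path, mode);
    if (fd == -1)
        return errno;
    int rc = 0;
    if (write(fd, "x", 1) == -1)
        rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    /* /dev/null stands in for the user's TTY device (constructed example). */
    const char *dev = "/dev/null";
    int modes[] = { O_RDONLY, O_RDWR };
    const char *names[] = { "O_RDONLY", "O_RDWR" };
    for (int i = 0; i < 2; i++) {
        int fd = open(dev, modes[i]);
        int rc = write_after_reopen(dev, modes[i]);
        printf("%-8s fd_is_writable=%d write()=%s\n", names[i],
               fd_is_writable(fd), rc == 0 ? "ok" : strerror(rc));
        close(fd);
    }
    return 0;
}
```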
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-11 17:47:09 UTC
policycoreutils-2.1.13-r10 should fix this, now in hardened-dev overlay (so I can do regression testing)
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-16 10:14:43 UTC
In main tree, ~arch
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2013-06-16 18:25:58 UTC