RHEL-50375

tmux cannot read /root/.tmux.conf when user is confined to sysadm_u

    • selinux-policy-38.1.47-1.el9
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • Red Hat Enterprise Linux
    • SELINUX 241016 - 241106

      What were you trying to do that didn't work?

      On systems with confined users, a sysadm confined to sysadm_u can, after sudo'ing, execute tmux but cannot use a custom configuration, because tmux, running in the sysadm_screen_t context, cannot read /root/.tmux.conf:

      time->Wed Jul 24 09:16:25 2024
      type=PROCTITLE msg=audit(1721805385.247:221): proctitle="tmux"
      type=SYSCALL msg=audit(1721805385.247:221): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5652f45f4bf0 a2=0 a3=0 items=0 ppid=1 pid=2424 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=746D75783A20736572766572 exe="/usr/bin/tmux" subj=sysadm_u:sysadm_r:sysadm_screen_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1721805385.247:221): avc:  denied  { read } for  pid=2424 comm=746D75783A20736572766572 name=".tmux.conf" dev="dm-0" ino=16779641 scontext=sysadm_u:sysadm_r:sysadm_screen_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:admin_home_t:s0 tclass=file permissive=0
      

      The reason for this AVC is that /root/.tmux.conf is not labeled screen_home_t but carries the default context of /root (admin_home_t).
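To read a record like the one above quickly, here is an added shell helper (not part of the bug report) that pulls the denied permission, object class, source and target types and the object name out of an AVC line and decodes the hex-encoded comm= value; auditd hex-encodes comm= and proctitle= when the value contains a space or other special character, which is why "tmux: server" appears as 746D75783A20736572766572. The AVC line from the report is embedded as the sample input; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise an AVC record and decode
# its hex-encoded comm= value. SAMPLE_AVC is the AVC line from the report,
# embedded here so the script runs offline; the function names are assumed.

SAMPLE_AVC='type=AVC msg=audit(1721805385.247:221): avc:  denied  { read } for  pid=2424 comm=746D75783A20736572766572 name=".tmux.conf" dev="dm-0" ino=16779641 scontext=sysadm_u:sysadm_r:sysadm_screen_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:admin_home_t:s0 tclass=file permissive=0'

# auditd hex-encodes comm= (and proctitle=) when the value contains a space or
# other special character; decode two hex digits at a time via octal escapes.
decode_hex() {
    hex=$1
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}                   # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "0x$pair")"     # emit that byte
    done
}

# Print the sed capture \1 of pattern $1 found in line $2 (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1/\\1/p"
}

# One-line summary: denied=<perms> class=<tclass> comm=<comm> source=<type>
# target=<type> name=<object>. The type is the third field of a context.
avc_summary() {
    line=$1
    perms=$(avc_field '{ \(.*\) }.*' "$line")
    tclass=$(avc_field 'tclass=\([^ ]*\).*' "$line")
    name=$(avc_field 'name="\([^"]*\)".*' "$line")
    stype=$(avc_field 'scontext=[^:]*:[^:]*:\([^:]*\):.*' "$line")
    ttype=$(avc_field 'tcontext=[^:]*:[^:]*:\([^:]*\):.*' "$line")
    comm=$(avc_field 'comm=\([^ ]*\).*' "$line")
    case $comm in
        \"*) comm=${comm#\"}; comm=${comm%\"} ;;  # quoted, printable value
        *)   comm=$(decode_hex "$comm") ;;        # hex-encoded value
    esac
    printf 'denied=%s class=%s comm=%s source=%s target=%s name=%s\n' \
        "$perms" "$tclass" "$comm" "$stype" "$ttype" "$name"
}

# Stand-alone use: summarise the embedded record.
avc_summary "$SAMPLE_AVC"
```

The summary line makes the mismatch visible at a glance: the source type is sysadm_screen_t, the target type is admin_home_t rather than screen_home_t, and the object is .tmux.conf, which is exactly the labeling gap the report describes.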

      Checking the fcontext database, I can see that the contexts are missing for /root (it should have the same contexts as the users in /home):

      [root@vm-rhel9 ~]# semanage fcontext -l | grep screen_home_t
      /home/[^/]+/\.screen(/.*)?                         all files          unconfined_u:object_r:screen_home_t:s0 
      /home/[^/]+/\.screenrc                             regular file       unconfined_u:object_r:screen_home_t:s0 
      /home/[^/]+/\.tmux\.conf                           regular file       unconfined_u:object_r:screen_home_t:s0 
      /home/sysadm/\.screen(/.*)?                        all files          sysadm_u:object_r:screen_home_t:s0 
      /home/sysadm/\.screenrc                            regular file       sysadm_u:object_r:screen_home_t:s0 
      /home/sysadm/\.tmux\.conf                          regular file       sysadm_u:object_r:screen_home_t:s0 
      /root/\.screen(/.*)?                               all files          system_u:object_r:screen_home_t:s0 
      

      Additionally, compared to home directories, the rules that perform the automatic type transition when the file is created are missing:

      [root@vm-rhel9 ~]# sesearch -T -t user_home_dir_t -c file | grep screen_home_t
      type_transition auditadm_t user_home_dir_t:file screen_home_t .screenrc;
      type_transition auditadm_t user_home_dir_t:file screen_home_t .tmux.conf;
      type_transition secadm_t user_home_dir_t:file screen_home_t .screenrc;
      type_transition secadm_t user_home_dir_t:file screen_home_t .tmux.conf;
      type_transition staff_t user_home_dir_t:file screen_home_t .screenrc;
      type_transition staff_t user_home_dir_t:file screen_home_t .tmux.conf;
      type_transition sysadm_t user_home_dir_t:file screen_home_t .screenrc;
      type_transition sysadm_t user_home_dir_t:file screen_home_t .tmux.conf;
      type_transition user_t user_home_dir_t:file screen_home_t .screenrc;
      type_transition user_t user_home_dir_t:file screen_home_t .tmux.conf;
      
      vs
      
      [root@vm-rhel9 ~]# sesearch -T -t admin_home_t -c file | grep screen_home_t
      --> none
      

      Finally, even if all of this is fixed, writing to the /root directory will still be a problem compared to /home/xxx, because more rules are missing:

      [root@vm-rhel9 ~]# sesearch -A -s sysadm_screen_t -t user_home_dir_t -c dir -p add_name
      allow screen_domain user_home_dir_t:dir { add_name getattr ioctl lock open read remove_name search write };
      
      vs
      
      [root@vm-rhel9 ~]# sesearch -A -s sysadm_screen_t -t admin_home_t -c dir -p add_name
      allow screen_domain admin_home_t:dir { add_name ioctl lock read remove_name write };
      

      This last point matters when users want to log session activity, e.g. through the pipe-pane command.

      Please make sure that admin_home_t has the same rules as user_home_dir_t for tmux/screen.
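Until the policy package carries the fix, the three gaps listed above (file contexts, create-time type transitions, directory permissions) can be closed with a local CIL module. The following shell script is an added example, not part of the bug report or of the selinux-policy package: it generates that module from the types, file names and permissions shown in the report's semanage and sesearch output, and optionally installs it. The module name local_root_screen and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy package: a local
# CIL module giving /root the screen/tmux handling the report shows for /home.
# Types, file names and permissions come from the report's semanage/sesearch
# output; the module name local_root_screen and the helper names are assumed.

# Emit the module text.
root_screen_module_text() {
    cat <<'EOF'
;; local_root_screen (assumed name): /root counterparts of the /home/[^/]+ rules
;; label the config files like their /home/<user> equivalents
(filecon "/root/\.tmux\.conf" file (system_u object_r screen_home_t ((s0) (s0))))
(filecon "/root/\.screenrc" file (system_u object_r screen_home_t ((s0) (s0))))
;; sysadm_t creating these names in /root gets screen_home_t automatically,
;; mirroring the user_home_dir_t transitions in the report
(typetransition sysadm_t admin_home_t file ".tmux.conf" screen_home_t)
(typetransition sysadm_t admin_home_t file ".screenrc" screen_home_t)
;; dir permissions screen_domain has on user_home_dir_t but lacks on admin_home_t
(allow screen_domain admin_home_t (dir (getattr open search)))
EOF
}

# Write the module to the file named in $1.
write_root_screen_module() {
    root_screen_module_text > "$1"
}

# Count statements of kind $1 (filecon, typetransition, allow) in module file $2.
count_rules() {
    grep -c "^($1 " "$2"
}

# Install the module, relabel existing files and verify; needs root plus the
# policycoreutils, libselinux-utils and setools-console packages.
install_root_screen_module() {
    mod=${TMPDIR:-/tmp}/local_root_screen.cil
    write_root_screen_module "$mod"
    semodule -i "$mod"
    for f in /root/.tmux.conf /root/.screenrc; do
        [ -e "$f" ] && restorecon -v "$f"
    done
    matchpathcon /root/.tmux.conf        # expect ...:screen_home_t:s0
    sesearch -A -s sysadm_screen_t -t admin_home_t -c dir -p getattr
}

# Stand-alone use: "install" applies the module; no argument prints it for review.
case ${1:-} in
    install) install_root_screen_module ;;
    *)       root_screen_module_text ;;
esac
```

Run it as `sh local_root_screen.sh` to review the module and `sh local_root_screen.sh install` as root to load it. The allow rule deliberately adds only the three directory permissions the report's sesearch diff shows as missing (getattr, open, search) rather than a blanket grant, and the typetransition rules use sysadm_t as the source because that is the domain a sysadm_u user creates the file from after sudo, matching the user_home_dir_t rules the report lists; after the upstream fix lands, `semodule -r local_root_screen` removes the module again.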

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.35-2.el9_4.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Create /root/.tmux.conf
      2. Login as a user mapped to sysadm_u and sudo
      3. Execute tmux

      Expected results

      /root/.tmux.conf read properly

      Actual results

      Getting an error when tmux opens:

      /root/.tmux.conf: Permission denied                                                                                      [0/0]
      

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik