RHEL-50379

Confined user running tmux cannot pipe panes to external programs

    • selinux-policy-38.1.47-1.el9
    • Moderate
    • rhel-sst-security-selinux
    • Red Hat Enterprise Linux
    • SELINUX 241016 - 241106

      What were you trying to do that didn't work?

      tmux has the capability to pipe panes to external programs, e.g. to log the output of the window. For this to happen, a user can use the following command: pipe-pane -o "exec cat >> $HOME/somefile.out".

      When the user is confined, e.g. to sysadm_u, such a command doesn't work because the Unix socket created between tmux and the shell produces an AVC after execve time:

      3980  [sysadm_screen_t] 10:05:11.222230 dup2(10<UNIX-STREAM:[32109->32108]> [sysadm_screen_t], 0</dev/null<char 1:3>> [null_device_t]) = 0<UNIX-STREAM:[32109->32108]> [sysadm_screen_t] <0.000012>
       :
      3980  [sysadm_screen_t] 10:05:11.222802 execve("/bin/sh" [shell_exec_t], ["sh", "-c", "exec cat >>/home/sysadm/somefile.out"], ... <unfinished ...>
      3980  [sysadm_t] 10:05:11.223772 <... execve resumed>) = 0 <0.000864>
      

      AVC:

      type=PROCTITLE msg=audit(07/24/2024 10:05:11.221:440) : proctitle=sh -c exec cat >>/home/sysadm/somefile.out
      type=PATH msg=audit(07/24/2024 10:05:11.221:440) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=33576090 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(07/24/2024 10:05:11.221:440) : cwd=/home/sysadm
      type=EXECVE msg=audit(07/24/2024 10:05:11.221:440) : argc=3 a0=sh a1=-c a2=exec cat >>/home/sysadm/somefile.out
      type=SYSCALL msg=audit(07/24/2024 10:05:11.221:440) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5569db2d95fd a1=0x7fff48964a00 a2=0x5569dc9f0980 a3=0x5569db2d9602 items=1 ppid=3936 pid=3980 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=(none) ses=2 comm=sh exe=/usr/bin/bash subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(07/24/2024 10:05:11.221:440) : avc:  denied  { read write } for  pid=3980 comm=sh path=socket:[32109] dev="sockfs" ino=32109 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_screen_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
      

      Note: the AVC is hidden by default because of some dontaudit rule.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.35-2.el9_4.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Create a confined user, e.g. one mapped to sysadm_u
      2. Create ~/.tmux.conf with the content below
        bind-key H pipe-pane -o "exec cat >>$HOME/somefile.out"
      3. Execute tmux
      4. Hit Ctrl-b H to start logging the output
      5. Type something in the shell

      Expected results

      somefile.out is created and has content

      Actual results

      somefile.out is created but has no content
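Added example, not part of the bug report or of the selinux-policy project: a small Python triage helper that parses the type=AVC record quoted above, extracts the source and target types, object class and denied permissions, and renders the minimal local policy module that would grant exactly that access. The module name tmux_pipe_pane_local is an assumption, and the rendered rule is only a local workaround, not the change shipped in the fixed package.

```python
import re

# The type=AVC record quoted in the bug report, copied verbatim.
AVC_LINE = (
    'type=AVC msg=audit(07/24/2024 10:05:11.221:440) : avc:  denied  { read write } '
    'for  pid=3980 comm=sh path=socket:[32109] dev="sockfs" ino=32109 '
    'scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=sysadm_u:sysadm_r:sysadm_screen_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # An SELinux context is user:role:type[:range]; TE rules name only the type.
    return context.split(':')[2]

def parse_avc(line):
    """Return the denial's key fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {'verdict': m.group('verdict'), 'perms': sorted(m.group('perms').split()),
            'pid': f.get('pid'), 'comm': f.get('comm'), 'path': f.get('path'),
            'scontext': f['scontext'], 'tcontext': f['tcontext'], 'tclass': f['tclass'],
            'permissive': f.get('permissive') == '1'}  # permissive=1: logged, not enforced

def allow_rule(avc):
    """The single TE allow rule that would satisfy this denial."""
    return 'allow %s %s:%s { %s };' % (type_of(avc['scontext']), type_of(avc['tcontext']),
                                        avc['tclass'], ' '.join(avc['perms']))

def te_module(name, avcs):
    """Render a minimal refpolicy-style .te module granting exactly the denied accesses."""
    types, classes, rules = set(), {}, set()
    for a in avcs:
        types.update((type_of(a['scontext']), type_of(a['tcontext'])))
        classes.setdefault(a['tclass'], set()).update(a['perms'])
        rules.add(allow_rule(a))
    out = ['policy_module(%s, 1.0)' % name, '', 'require {']
    out += ['    type %s;' % t for t in sorted(types)]
    out += ['    class %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + sorted(rules)
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    # Module name is an assumption; this is a local workaround, not the upstream fix.
    print(te_module('tmux_pipe_pane_local', [parse_avc(AVC_LINE)]))
```

Because a dontaudit rule hides this denial, run `semodule -DB` before reproducing so the AVC reaches the audit log, and `semodule -B` afterwards to restore the dontaudit rules. The rendered .te can be compiled with checkmodule and semodule_package, or the same ausearch output can be fed to `audit2allow -M` instead.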

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich