SElinux issue with tmux and conf file

Dear reader,

My current setup is al follows:
A user device mapped to staff_t and a user laptop mapped to user_t. tmux runs in the, respective, context staff_screen_t and user_screen_t (which they do by default, I did not change this).

When I open tmux on either user I get the following error:
/home/<USER>/.config/tmux/tmux.conf: Permission denied
Which was strange to me, because this directory and file do not even exist by default. My configuration is read from /home/<USER>/.tmux.conf with SELinux context screen_home_t.
tmux works fine if you ignore the error, and even the settings are loaded fine from /home/<USER>/.tmux.conf, but this error stops me from automatically starting software in a tmux screen.

What I have tried so far:

  1. Check for AVC/SELinux denial errors in the logs β†’ Nothing shows up after starting tmux
  2. Setenforce to 0 to check if SELinux is to blame β†’ Yes it is, because then no error message appears
  3. Create /home/<USER>/.config/tmux and /home/<USER>/.config/tmux/tmux.conf β†’ still get the error
  4. Change the context of the files in step 3 to screen_home_t β†’ still get the error

So I am at a loss. I do not want to run in permissive mode and I have tried everything so far. Does anyone have any insights?

1 Like

Starting from v3.1, tmux looks for ~/.config/tmux/tmux.conf in addition to traditional ~/.tmux.conf for configuration files. You can use -f option to specify an alternative configuration file and since your ~/.tmux.conf has right context, you will not get an error.

BTW, how do you start tmux? I start it from terminal manually and it has SELinux context of unconfined_u:unconfined_r:unconfined_t so it can access ~/.config/tmux/tmux.conf as well as ~/.tmux.conf without any error.

2 Likes

I normalle start tmux automatically with a systemd user service:

[Unit]
Description=Weechat IRC Client (in tmux)

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/tmux -2 new-session -d /usr/bin/weechat
ExecStop=/usr/bin/tmux kill-session -t 0

[Install]
WantedBy=default.target

But if I start it manually it also starts with the staff_screen_t or user_screen_t context. Perhaps your user is running unconfined, so tmux also runs unconfined when you start it.

Changing ExecStart=/usr/bin/tmux -2 new-session -d /usr/bin/weechat to ExecStart=/usr/bin/tmux -2 -f /home/device/.tmux.conf new-session -d /usr/bin/weechat is a workaround for now, but not a complete fix. How would I need to set the context for ~/.config/tmux/tmux.conf correctly? I am very confused as to why it cannot manage despite having the same context as ~/.tmux.conf.

Thank you for your workaround by the way, it makes my life much easier.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.