
commit 5b65e4a8e4d3f4ffce868508de8956b4f63e4233
Author: Robert Frohl <rfrohl@suse.com>
Date:   Tue Jan 27 10:54:23 2026 +0100

    XXX cscreen
    
    type screen_t;
    init_system_domain(screen_t, screen_exec_t)
    type=AVC msg=audit(..): avc:  denied  { execute } for  pid=5127 comm="(screen)" name="screen" dev="vda2" ino=362491 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:screen_exec_t:s0 tclass=file permissive=0
    
    systemd_userdbd_runtime_read_symlinks(screen_t)
    type=AVC msg=audit(..): avc:  denied  { read } for  pid=9593 comm="screen" name="userdb" dev="tmpfs" ino=40 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
    
    systemd_manage_userdbd_runtime_sock_files(screen_t)
    type=AVC msg=audit(..): avc:  denied  { write } for  pid=11608 comm="screen" name="io.systemd.DynamicUser" dev="tmpfs" ino=41 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
    
    auth_read_passwd_file(screen_t)
    type=AVC msg=audit(..): avc:  denied  { read } for  pid=11608 comm="screen" name="passwd" dev="vda2" ino=753750 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
    
    kernel_stream_connect(screen_t):
    type=AVC msg=audit(..): avc:  denied  { connectto } for  pid=11655 comm="screen" path="/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:screen_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
    
    term_use_generic_ptys(screen_t):
    type=AVC msg=audit(..): avc:  denied  { read write } for  pid=1349 comm="screen" name="2" dev="devpts" ino=5 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(..): avc:  denied  { open } for  pid=1349 comm="screen" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(..): avc:  denied  { ioctl } for  pid=1349 comm="screen" path="/dev/pts/2" dev="devpts" ino=5 ioctlcmd=0x5410 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:donfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1361 comm="tty" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
    
    sysnet_exec_ifconfig(screen_t):
    type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=2727 comm="bash" path="/usr/sbin/ip" dev="vda2" ino=632832 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { execute } for  pid=2727 comm="bash" name="ip" dev="vda2" ino=632832 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { read } for  pid=2727 comm="bash" name="ip" dev="vda2" ino=632832 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { open } for  pid=2738 comm="bash" path="/usr/sbin/ip" dev="vda2" ino=632832 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=2738 comm="bash" path="/usr/sbin/ip" dev="vda2" ino=632832 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
    
    term_setattr_generic_ptys(screen_t):
    type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1361 comm="tty" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:screen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1

diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index 67575d20d..a18e0e431 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -18,6 +18,30 @@ attribute  screen_domain;
 type screen_exec_t;
 application_executable_file(screen_exec_t)
 
+# XXX: new >>>
+type screen_t;
+init_system_domain(screen_t, screen_exec_t)
+
+systemd_userdbd_runtime_read_symlinks(screen_t)
+systemd_manage_userdbd_runtime_sock_files(screen_t)
+
+auth_read_passwd_file(screen_t)
+kernel_stream_connect(screen_t)
+
+term_setattr_generic_ptys(screen_t)
+term_use_generic_ptys(screen_t)
+
+sysnet_exec_ifconfig(screen_t)
+
+#allow screen_t var_run_t:sock_file { create setattr unlink write };
+#corecmd_exec_bin(screen_t)
+#corecmd_exec_shell(screen_t)
+#files_exec_usr_files(screen_t)
+#files_rw_pid_dirs(screen_t)
+#logging_create_generic_logs(screen_t)
+#term_use_ptmx(screen_t)
+# XXX: <<<
+
 type screen_home_t;
 typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
 typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
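Review bot: `sysnet_exec_ifconfig(screen_t)` grants execute_no_trans, so `ip` runs inside screen_t carrying every permission this block gives the domain (userdb socket writes, passwd reads, pty access); the AVCs it was derived from come from comm="bash", i.e. an interactive shell already labelled screen_t, so the shell under the service is effectively running with the system domain's rights. If the intent is only for that shell to run `ip`, `sysnet_domtrans_ifconfig(screen_t)` keeps it in its own domain; otherwise a comment should say why no transition is wanted. `kernel_stream_connect(screen_t)` is likewise broader than the denial: the userdb socket is served by PID 1, which is normally init_t, and a kernel_t peer label looks like an early-boot or mislabelled process rather than the steady state, so it is worth confirming before allowing connectto to any kernel_t stream socket. The `# XXX: new >>>` marker and the commented-out rules read as work in progress; a short comment naming the unit that runs screen as a system service would explain why `init_system_domain` rather than the existing screen_domain attribute is used here.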