From 4b02c2230d0295521b8a6a2d8c949951c89b4b66 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Fri, 6 Sep 2019 18:43:23 +0200 Subject: [PATCH] authlogin: label utempter correctly on Debian When starting tmux on Debian, the following audit log appears: type=AVC msg=audit(1567781766.314:820): avc: denied { execute_no_trans } for pid=6686 comm=746D75783A20736572766572 path="/usr/lib/x86_64-linux-gnu/utempter/utempter" dev="vda1" ino=545302 scontext=sysadm_u:sysadm_r:sysadm_screen_t tcontext=system_u:object_r:lib_t tclass=file permissive=0 /usr/lib/x86_64-linux-gnu/utempter/utempter is indeed labeled as system_u:object_r:lib_t, which is wrong. Signed-off-by: Nicolas Iooss --- policy/modules/system/authlogin.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 4a4ac4613..9edac1ae9 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -15,7 +15,7 @@ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) -/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +/usr/lib/([^/]+/)?utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) /usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
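Review bot: on the added `/usr/lib/([^/]+/)?utempter/utempter` line, the optional group accepts any single directory name under /usr/lib, not only a multiarch triplet like the `x86_64-linux-gnu` seen in the AVC. That is broader than the Debian case in the commit message requires, so the message should say that the wider match is intentional, or the pattern should be narrowed if it is not. The old literal path /usr/lib/utempter/utempter is still matched because the group is optional, so nothing regresses there. Because the entry changes from a literal path to a regular expression, it is worth confirming on a Debian system that it still takes precedence over the generic rule that produced `lib_t`, for example by checking that `matchpathcon /usr/lib/x86_64-linux-gnu/utempter/utempter` reports `utempter_exec_t`. The commit message could also note that systems where the binary is already installed need it relabeled (for example with `restorecon -v` on that path) before the denial stops.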