SELinux-enabled distributions | ThinLinc by Cendio

The following information relates to installation of ThinLinc on an SELinux-enabled platform.

Overview

ThinLinc is designed to run with the reference SELinux policy and with users in the unconfined context. It is possible to use ThinLinc with other policies and more restricted contexts, but doing so will most likely require modifications to your policy to accommodate ThinLinc.

The local system policy will optionally be modified by tl-setup during installation. The SELinux module and other policy changes performed can be examined in /opt/thinlinc/share/selinux. Execute the command /opt/thinlinc/share/selinux/install to reapply ThinLinc's policy changes.

NOTE: The ThinLinc policy module is distributed in source form and therefore requires the reference policy build environment. ThinLinc setup will attempt to install this automatically on most distributions, but you may be required to install it manually.

NOTE: The ThinLinc policy module requires reference policy support for user-based access control (UBAC). The reference SELinux policy shipped with Red Hat Enterprise Linux 5 is too old to support UBAC, making it incompatible with the ThinLinc policy module.

ThinLinc can't start sessions (No agent server was available)

If ThinLinc is installed onto a partition that is mounted with the nosuid mount option and SELinux is active, ThinLinc will fail to start user sessions. The connecting user will get an error message saying "ThinLinc login failed (No agent server was available)". The vsmagent service will write the following errors to /var/log/vsmagent.log:

subprocess: execvp: Permission denied
tl-session: tl-xinit exited with status=71

Because of the nosuid mount option, SELinux will not allow vsmagent to transition from the initrc_t context to the thinlinc_agent_t context required for correct operation. To work around this problem, remove the nosuid mount option from the partition where ThinLinc is installed and restart the vsmagent service.
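
The nosuid condition described above can be checked before installation or while diagnosing the login error. The script below is an added example, not part of ThinLinc or its documentation; the function names and the sample mount table are constructed for illustration, and /opt/thinlinc is assumed as the install path based on the policy directory mentioned earlier.

```shell
#!/bin/sh
# Added example: is the filesystem holding a path mounted with nosuid?
# Mount tables are read in /proc/mounts format: device mountpoint fstype options ...

# Print the options of the longest mount point containing path $1 (table in file $2).
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2
            # Match "/", an exact hit, or a directory prefix ("/opt" must not match "/optional")
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                # ">=" lets a later entry on the same mount point (an overmount) win
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }
    ' "$2"
}

# Succeed (exit 0) if the mount holding path $1 carries the nosuid option.
is_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample mount table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /opt ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /optional ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Report on install path $1 using the mount table in file $2.
check_thinlinc_mount() {
    if is_nosuid "$1" "$2"; then
        echo "WARN: $1 is on a nosuid mount ($(mount_opts_for "$1" "$2"))"
    else
        echo "OK: $1 is not on a nosuid mount"
    fi
}

tmp=$(mktemp) && sample_mounts > "$tmp"
check_thinlinc_mount /opt/thinlinc "$tmp"
rm -f "$tmp"
```

On a live host, call check_thinlinc_mount /opt/thinlinc /proc/mounts instead of using the sample table.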

Crashing Firefox tabs

On some systems, a bug in the default policy settings prevents Firefox 52 ESR from working correctly. All tabs will simply show "Gah. Your tab just crashed." Either a newer version of Firefox must be used, or the local policy must be set to be less restrictive:

$ sudo setsebool -P unconfined_mozilla_plugin_transition off