www.cendio.com

Bug 7150

Summary: SELinux AVC when creating session on Fedora 27
Product: ThinLinc
Reporter: Pierre Ossman <ossman@cendio.se>
Component: VSM Agent
Assignee: Pierre Ossman <ossman@cendio.se>
Status: CLOSED FIXED
QA Contact: Bugzilla mail exporter <bugzilla-qa@cendio.se>
Severity: Normal
Priority: P2
CC: astrand@cendio.se, samuel@cendio.se
Version: 1.3.1
Keywords: derfian_tester, relnotes
Target Milestone: 4.9.0
Hardware: PC
OS: Unknown
Acceptance Criteria:

Description From cendio 2018-04-16 15:28:44
I'm getting this AVC whenever a new session is created on Fedora 27:

> type=AVC msg=audit(1523880447.690:3845): avc:  denied  { dac_read_search } for  pid=12248 comm="tl-session" capability=2  scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

An strace however shows no EPERM or EACCES, so it isn't entirely clear what is
going on. Some googling finds this issue:

https://danwalsh.livejournal.com/77140.html

However we don't trigger unix_chkpwd so it's not that specific bug. The
symptoms are very similar though, so it's probably something along the same
lines.
------- Comment #1 From cendio 2018-04-16 15:33:58 -------
This line in strace matches the AVC timestamp, and is probably the culprit:

> [pid 12248] 14:07:27.690973 access("/run/user/500/bus", F_OK) = 0

/run/user/500 is only accessible by the user so it would require a DAC override
to access that directory by tl-session (which runs as root).

I don't know what generates this access(), but I would guess pam_systemd as I
think it's the only module that fiddles around with dbus.
------- Comment #2 From cendio 2018-04-16 15:48:59 -------
I could confirm that the issue is with /run/user/500/bus as doing chmod o+rwx
on the directory made the AVC go away.
------- Comment #3 From cendio 2018-04-16 16:13:26 -------
Reported to Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=1567988

Hopefully they can provide some insight.
------- Comment #4 From cendio 2018-04-16 16:23:15 -------
Should have checked our policy closer. We already have dac_override so I guess
we should just add dac_read_search as well. I can see some upstream changes to
that effect as well.
------- Comment #6 From cendio 2018-04-19 10:34:46 -------
Works fine with the change. Tester should check that an AVC is generated with
ThinLinc 4.8.0 but not with trunk.
------- Comment #8 From cendio 2018-04-20 13:41:24 -------
(In reply to comment #6)
> Works fine with the change. Tester should check that an AVC is generated with
> ThinLinc 4.8.0 but not with trunk.

On my Fedora 27 workstation with ThinLinc 4.8.1-5456.x86_64:

> $ sudo ausearch -i -c tl-session | tail -n 1
> type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc:  denied  { dac_read_search } 
>   for  pid=26015 comm=tl-session capability=dac_read_search scontext=system_u:system_r:thinlinc_session_t:s0
>   tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

After upgrading to ThinLinc 4.9.0-5758, I can't produce new AVC messages on
login.
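Added example, not code from the bug report or from the ThinLinc policy: a small Python parser for the two AVC records quoted in this thread (the raw one from the description and the `ausearch -i` form from comment #8) that derives the TE allow rule comment #4 describes, merging it with the dac_override permission the policy already grants, and applies the acceptance check from comment #6 to a list of records. The sample records are copied from the thread and joined onto one line each; the function names are my own.

```python
import re

# Constructed samples: the raw AVC from the description and the interpreted
# (ausearch -i) form from comment #8, each joined onto a single line.
RAW_AVC = ('type=AVC msg=audit(1523880447.690:3845): avc:  denied  { dac_read_search } '
           'for  pid=12248 comm="tl-session" capability=2  '
           'scontext=system_u:system_r:thinlinc_session_t:s0 '
           'tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0')
INTERP_AVC = ('type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc:  denied  '
              '{ dac_read_search } for  pid=26015 comm=tl-session capability=dac_read_search '
              'scontext=system_u:system_r:thinlinc_session_t:s0 '
              'tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record (raw or ausearch -i form) into a dict of its fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # The type is the third colon-separated component of a context string.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['perms'] = sorted(m.group('perms').split())
    fields['result'] = m.group('result')
    return fields


def allow_rule(avc, existing=()):
    """TE allow rule permitting the denied access, merged with permissions the
    policy already grants on the same source/target/class (comment #4)."""
    target = 'self' if avc['stype'] == avc['ttype'] else avc['ttype']
    perms = sorted(set(existing) | set(avc['perms']))
    return f"allow {avc['stype']} {target}:{avc['tclass']} {{ {' '.join(perms)} }};"


def denials_for(lines, comm):
    """Acceptance check from comment #6: AVC denials attributed to a given comm."""
    found = []
    for line in lines:
        try:
            avc = parse_avc(line)
        except ValueError:
            continue  # SYSCALL, CWD, PATH and other non-AVC records
        if avc['result'] == 'denied' and avc.get('comm') == comm:
            found.append(avc)
    return found
```

The audit message names dac_read_search rather than dac_override because the kernel's directory-permission check asks for CAP_DAC_READ_SEARCH first and, when that is refused, falls back to CAP_DAC_OVERRIDE, which the policy already allowed; the access therefore succeeds and strace shows no error, but the first refusal is still logged.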