www.cendio.com
Bug 4780 - implement SELinux MLS support
Status: CLOSED FIXED
Product: ThinLinc
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.2.0
Depends on: 4826
Reported: 2013-08-22 15:47 by cendio
Modified: 2014-04-04 14:03
Description From cendio 2013-08-22 15:47:51
Some organisations want to use SELinux support for levels and categories (MLS
and MCS). This apparently requires modifications to ThinLinc to work properly
as ThinLinc components might run at levels where the users are prevented
access.
------- Comment #3 From cendio 2013-09-30 13:39:55 -------
Some notes of experiences of enabling MLS on RHEL/CentOS 6:

 - Red Hat has this concerning disclaimer in their MLS chapter " It is not
recommended to use the MLS policy on a system that is running the X Window
System. "[1]

 - You can't log in as root over SSH when MLS is active. You have to enable the
ssh_sysadm_login boolean and uncomment a line in
/etc/selinux/mls/contexts/users/root to get this working.

[1]
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html
------- Comment #4 From cendio 2013-09-30 13:45:13 -------
ThinLinc problems:

1. Can't run ./install-server (from root's home directory at least) as it
errors out with "permission denied". 'bash install-server' works fine though.

2. tl-setup fails to configure the firewall:

2013-09-30 13:39:21,516: Creating firewall service 'tlwebadm' using ports 1010:TCP
2013-09-30 13:39:21,516: Enable firewall service 'tlwebadm'
2013-09-30 13:39:21,783: Failed to enable firewall service tlwebadm
2013-09-30 13:39:21,784:     Failed to stop iptables.
2013-09-30 13:39:21,784:     Failed to stop ip6tables.
2013-09-30 13:39:21,784:     Failed to start iptables.
2013-09-30 13:39:21,784:     Failed to start ip6tables.
2013-09-30 13:39:21,784:
2013-09-30 13:39:21,784: Creating firewall service 'tlmaster' using ports 9000:TCP
2013-09-30 13:39:21,785: Enable firewall service 'tlmaster'
2013-09-30 13:39:22,006: Failed to enable firewall service tlmaster
2013-09-30 13:39:22,006:     Failed to stop iptables.
2013-09-30 13:39:22,007:     Failed to stop ip6tables.
2013-09-30 13:39:22,007:     Failed to start iptables.
2013-09-30 13:39:22,007:     Failed to start ip6tables.
2013-09-30 13:39:22,007:
2013-09-30 13:39:22,007: Creating firewall service 'tlagent' using ports 904:TCP
2013-09-30 13:39:22,007: Enable firewall service 'tlagent'
2013-09-30 13:39:22,229: Failed to enable firewall service tlagent
2013-09-30 13:39:22,230:     Failed to stop iptables.
2013-09-30 13:39:22,230:     Failed to stop ip6tables.
2013-09-30 13:39:22,230:     Failed to start iptables.
2013-09-30 13:39:22,230:     Failed to start ip6tables.
2013-09-30 13:39:22,230:
2013-09-30 13:39:22,230: Enable system firewall service 'ssh'
2013-09-30 13:39:22,448: Failed to enable system firewall service ssh
2013-09-30 13:39:22,449:     Failed to stop iptables.
2013-09-30 13:39:22,449:     Failed to stop ip6tables.
2013-09-30 13:39:22,449:     Failed to start iptables.
2013-09-30 13:39:22,449:     Failed to start ip6tables.
2013-09-30 13:39:22,449:
2013-09-30 13:39:22,449: failed to configure firewall.


3. tl-setup crashes when configuring services:

2013-09-30 13:43:34,732: Installing services...
2013-09-30 13:43:34,732: Installing service 'vsmserver'...
2013-09-30 13:43:35,183: Installing service 'vsmagent'...
2013-09-30 13:43:35,570: Installing service 'tlwebadm'...
2013-09-30 13:43:36,049: Starting services...
2013-09-30 13:43:36,049: Starting service 'vsmagent'...
2013-09-30 13:43:36,112: Traceback (most recent call last):
2013-09-30 13:43:36,113:   File "/opt/thinlinc/modules/thinlinc/tlsetup/services.py", line 185, in Ii11Ii1I
2013-09-30 13:43:36,113:     O00oO = II1i1Ii11Ii11 ( )
2013-09-30 13:43:36,113:   File "/opt/thinlinc/modules/thinlinc/tlsetup/services.py", line 153, in II1i1Ii11Ii11
2013-09-30 13:43:36,113:     if not iiI1IiI ( "vsmagent" ) :
2013-09-30 13:43:36,113:   File "/opt/thinlinc/modules/thinlinc/tlsetup/services.py", line 104, in iiI1IiI
2013-09-30 13:43:36,113:     close_fds = 1 )
2013-09-30 13:43:36,114:   File "/opt/thinlinc/modules/subprocess.py", line 593, in __init__
2013-09-30 13:43:36,114:     errread, errwrite)
2013-09-30 13:43:36,114:   File "/opt/thinlinc/modules/subprocess.py", line 1079, in _execute_child
2013-09-30 13:43:36,114:     raise child_exception
2013-09-30 13:43:36,114: OSError: [Errno 13] Permission denied
------- Comment #5 From cendio 2013-10-04 09:50:08 -------
1. seems to be Red Hat specific and per design. They lock down root's home
directory a lot more than normal users'. Executes just fine in a normal user's
home directory.

2. and 3. are apparently somewhat expected. You have to use the helper
"run_init" when starting/stopping services. Unfortunately it requires a
password by default, so we can't easily call it from tl-setup. We could be more
graceful about it though. Added bug 4825 about this.
------- Comment #6 From cendio 2013-10-04 11:34:28 -------
Next thinlinc problem: thinlinc-login cannot access the socket that vsmserver
creates. This is because most stuff created in /tmp is not accessible by users.
We should probably start using a more sane directory under /var/run, like most
other daemons. Bug 4826 has been added for this.
------- Comment #7 From cendio 2013-10-04 16:40:58 -------
With bug 4826 and a lot of tweaks to the policy, I can now get functioning
communication via thinlinc-login.

Next it fails to open a PAM session:

Oct  4 16:34:06 dhcp-254-176 tl-session: pam_selinux(thinlinc:session): conversation failed
Oct  4 16:34:06 dhcp-254-176 tl-session: pam_selinux(thinlinc:session): No response to query: Would you like to enter a security context? [N]
Oct  4 16:34:06 dhcp-254-176 tl-session: pam_selinux(thinlinc:session): Unable to get valid context for tltest

Seems like pam_selinux wants to blab with the user. This does not happen with
ssh though, so I need to check what it does.
------- Comment #8 From cendio 2013-10-09 12:39:23 -------
(In reply to comment #7)
> 
> Seems like pam_selinux wants to blab with the user. This does not happen with
> ssh though, so I need to check what it does.

That was just a fallback path. The real problem was problems with the policy
where I needed to specify more access for tl-session.
------- Comment #9 From cendio 2013-10-09 12:40:52 -------
I can now get a ThinLinc session. It is slightly broken though as some programs
aren't allowed to write to xinit.log (e.g. metacity which promptly crashes
because of this...). Not sure what the proper way is to fix this...
------- Comment #12 From cendio 2013-12-18 11:04:13 -------
This project is abandoned. We will commit the general fixes that were done and
leave full SELinux support for the future.
------- Comment #13 From cendio 2013-12-18 13:11:36 -------
All fixes have been committed.

Tester should verify that ThinLinc still works in enforcing mode. You should
also check that nothing runs under the initrc_t context.
------- Comment #14 From cendio 2013-12-19 14:56:35 -------
Doesn't work properly on RHEL 6. Need to have another look.
------- Comment #15 From cendio 2013-12-20 13:00:41 -------
(In reply to comment #14)
> Doesn't work properly on RHEL 6. Need to have another look.

Fixed in r28257. No idea why I wasn't seeing this problem on Fedora 19.
------- Comment #16 From cendio 2014-04-03 14:34:44 -------
Tested using build 4312, works as expected. ThinLinc processes have the correct
context.

$ pstree -Z | grep thinlinc

 |-python-thinlinc(`unconfined_u:system_r:thinlinc_agent_t:s0')
 |-python-thinlinc(`unconfined_u:system_r:thinlinc_webadm_t:s0')
 |  `-tlstunnel(`unconfined_u:system_r:thinlinc_webadm_t:s0')
 |-python-thinlinc(`unconfined_u:system_r:thinlinc_master_t:s0')
 |-python-thinlinc(`unconfined_u:system_r:thinlinc_webaccess_t:s0')
 |  `-tlstunnel(`unconfined_u:system_r:thinlinc_webaccess_t:s0')
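One way to automate the two checks comment #13 asks the tester for (every ThinLinc process in one of the thinlinc_*_t domains seen in the pstree output above, and nothing left in initrc_t). This is an added example, not ThinLinc's own code or the test the reporter ran: it parses `ps -eZ` output, and the snapshot it runs on is constructed, with one row deliberately planted in initrc_t.

```python
import re

# Domains the tested build runs ThinLinc services in (from the pstree output in
# comment #16). Assumption: these are the only domains that count as correct.
EXPECTED_DOMAINS = {"thinlinc_master_t", "thinlinc_agent_t",
                    "thinlinc_webadm_t", "thinlinc_webaccess_t"}

# Constructed `ps -eZ` snapshot (not captured from the bug's test system); the
# pid 1300 row is planted to show how a service left in initrc_t gets reported.
SAMPLE_PS_EZ = """\
LABEL                                          PID TTY     TIME CMD
system_u:system_r:init_t:s0                      1 ?   00:00:01 init
unconfined_u:system_r:thinlinc_master_t:s0    1201 ?   00:00:00 python-thinlinc
unconfined_u:system_r:thinlinc_agent_t:s0     1202 ?   00:00:00 python-thinlinc
unconfined_u:system_r:thinlinc_webadm_t:s0    1203 ?   00:00:00 python-thinlinc
unconfined_u:system_r:thinlinc_webadm_t:s0    1210 ?   00:00:00 tlstunnel
unconfined_u:system_r:thinlinc_webaccess_t:s0 1204 ?   00:00:00 python-thinlinc
unconfined_u:system_r:initrc_t:s0             1300 ?   00:00:00 python-thinlinc
"""

# ps -eZ columns: LABEL PID TTY TIME CMD (CMD may itself contain spaces).
LINE_RE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>.+)$")


def parse_ps_ez(text):
    """Turn `ps -eZ` output into rows with the SELinux type pulled out of the label."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = m.group("label")
        parts = label.split(":")  # user:role:type:level (an MLS level may add ':')
        domain = parts[2] if len(parts) >= 3 else label
        rows.append({"label": label, "domain": domain,
                     "pid": m.group("pid"), "cmd": m.group("cmd").strip()})
    return rows


def check_thinlinc_domains(rows, expected=EXPECTED_DOMAINS):
    """Flag ThinLinc processes (python-thinlinc, tlstunnel) in initrc_t or outside `expected`."""
    findings = []
    for r in rows:
        if "thinlinc" not in r["cmd"] and not r["cmd"].startswith("tlstunnel"):
            continue  # not a ThinLinc component
        if r["domain"] == "initrc_t":
            findings.append(f"pid {r['pid']} ({r['cmd']}) still runs in initrc_t")
        elif r["domain"] not in expected:
            findings.append(f"pid {r['pid']} ({r['cmd']}) runs in unexpected domain {r['domain']}")
    return (not findings, findings)
```

On a live host, feed it the output of `ps -eZ` instead of the sample; an empty findings list means the build passes both checks.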
------- Comment #17 From cendio 2014-04-04 14:03:05 -------
(In reply to comment #16)
> Tested using build 4312, works as expected. ThinLinc processes have the correct
> context.
> 
> $ pstree -Z | grep thinlinc
> 
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_agent_t:s0')
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_webadm_t:s0')
>  |  `-tlstunnel(`unconfined_u:system_r:thinlinc_webadm_t:s0')
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_master_t:s0')
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_webaccess_t:s0')
>  |  `-tlstunnel(`unconfined_u:system_r:thinlinc_webaccess_t:s0')

Everything works as expected, tested on RHEL 6.