www.cendio.com
Bug 5733 - cannot start sessions on SELinux systems when pam_limits is used
Status: CLOSED FIXED
Product: ThinLinc
Component: VSM Agent
Version: pre-1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.6.0
Reported: 2015-12-01 15:26 by
Modified: 2016-04-12 12:25 (History)
Description From cendio 2015-12-01 15:26:00
On at least RHEL 6 you can break ThinLinc by setting something like this in
limits.conf:

> ossman	soft	nofile	10240
> ossman	hard	nofile	10240

This results in a SELinux AVC:

> type=AVC msg=audit(1448978618.493:1384265): avc:  denied  { setrlimit } for  pid=7296 comm="tl-session" scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=process

And pam_limits complains in syslog:

> Dec  1 15:03:38 castro tl-session: pam_limits(thinlinc:session): Could not set limit for 'nofile': Permission denied

And finally tl-session fails to open the session:

> 2015-12-01 15:03:38 WARNING tl-session: pam_open_session failed: 6 (Permission denied)
------- Comment #1 From cendio 2015-12-01 15:31:15 -------
Setting it to permissive also gives this AVC:

> type=AVC msg=audit(1448980249.850:1384880): avc:  denied  { sys_resource } for  pid=19241 comm="tl-session" capability=24  scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability
------- Comment #2 From cendio 2015-12-01 15:40:04 -------
This change to our policy gets things working:

> Index: thinlinc.te
> ===================================================================
> --- thinlinc.te      (revision 30989)
> +++ thinlinc.te      (working copy)
> @@ -107,8 +107,8 @@
>  userdom_spec_domtrans_all_users(thinlinc_session_t)
>  userdom_signal_all_users(thinlinc_session_t)
>  
> -allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
> -allow thinlinc_session_t self:process { getcap setsched setexec };
> +allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid sys_resource };
> +allow thinlinc_session_t self:process { getcap setsched setexec setrlimit };
>  allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;
>  
>  miscfiles_read_localization(thinlinc_session_t)
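Review bot: the two `+` lines add `sys_resource` and `setrlimit` to the self rules of thinlinc_session_t without any comment in thinlinc.te recording why they are needed; add a one-line comment above `allow thinlinc_session_t self:capability { ... sys_resource };` stating that pam_limits calls setrlimit on the session process and, for the hard limit in the reporter's limits.conf, trips the `sys_resource` check shown as `capability=24` in the comment #1 AVC, so that a later cleanup of the policy does not drop the two permissions as unused. Keeping both grants on `self` as the hunk does is the right scope; they should not be widened to other target types.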
------- Comment #4 From cendio 2015-12-02 10:54:14 -------
Also happens on Fedora 23.
------- Comment #6 From cendio 2015-12-02 11:08:07 -------
Checked the reference policy that explicitly adding these permissions is the
correct way to go. So everything is done here.
------- Comment #8 From cendio 2015-12-03 12:27:06 -------
I can't reproduce this error on CentOS 7 with the fix from comment #5 applied.
I've verified that the errors happen when the fix is not applied. I've tested
the fix without errors using these limits: core, nice, nproc, nofiles, data,
fsize, stack, cpu, as, maxlogins, priority, msgqueue.
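The step the reporter performed by hand between the AVC denials and the comment #2 patch, turning each `avc: denied` record into the minimal `allow` rule and then checking that the patched rules cover every denial, is shown below as an added example. This is not code from ThinLinc or from cendio's policy tooling; it is a small stand-in for what audit2allow does, restricted to the fields these two AVCs use. The AVC lines are copied from the description and comment #1, and the two `allow` rules are taken from the comment #2 diff with the diff prefixes stripped; the function and variable names are assumptions of this example.

```python
import re

# Constructed input: the two AVC denials quoted in the bug description and in
# comment #1, copied verbatim from the page.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1448978618.493:1384265): avc:  denied  { setrlimit } for  pid=7296 comm="tl-session" scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=process',
    'type=AVC msg=audit(1448980249.850:1384880): avc:  denied  { sys_resource } for  pid=19241 comm="tl-session" capability=24  scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability',
]

# The two self rules from thinlinc.te before and after the comment #2 patch
# (diff prefixes stripped); the rest of the file is irrelevant to these denials.
TE_BEFORE = """
allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
allow thinlinc_session_t self:process { getcap setsched setexec };
"""
TE_AFTER = """
allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid sys_resource };
allow thinlinc_session_t self:process { getcap setsched setexec setrlimit };
"""

# Fields of an AVC record that decide the allow rule: the permission set, the
# source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# A .te allow rule: "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS perm;"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>\S+?))\s*;"
)


def type_of(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, perms) or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), set(m.group("perms").split()))


def required_rules(lines):
    """Aggregate denials into {(src, tgt, class): perms}, using 'self' when
    a domain acts on its own type, as the policy in comment #2 writes it."""
    needed = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt, cls, perms = rec
        target = "self" if src == tgt else tgt
        needed.setdefault((src, target, cls), set()).update(perms)
    return needed


def format_allow(needed):
    """Render the aggregated denials as .te allow rules, one per (src, tgt, class)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(needed.items())]


def parse_allow_rules(te_text):
    """Collect the permissions each allow rule in a .te fragment grants."""
    granted = {}
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m is None:
            continue
        perms = (m.group("set") or m.group("one")).split()
        key = (m.group("src"), m.group("tgt"), m.group("cls"))
        granted.setdefault(key, set()).update(perms)
    return granted


def uncovered(needed, granted):
    """Return the denials that the given allow rules still do not satisfy."""
    missing = {}
    for key, perms in needed.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    needed = required_rules(SAMPLE_AVCS)
    print("\n".join(format_allow(needed)))
    print("still denied before patch:", uncovered(needed, parse_allow_rules(TE_BEFORE)))
    print("still denied after patch:", uncovered(needed, parse_allow_rules(TE_AFTER)))
```

Run against the two records it prints exactly the two permissions the comment #2 patch adds, reports both as missing from the pre-patch rules and nothing as missing from the patched ones. The `self` substitution matters: a rule written as `allow thinlinc_session_t thinlinc_session_t:process ...` would also load, but the reference policy convention the comment #6 check refers to is the `self` form, and using it keeps the grant from being confused with a rule on a different target type.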