www.cendio.com
Bug 7150 - SELinux AVC when creating session on Fedora 27
Status: CLOSED FIXED
Product: ThinLinc
Component: VSM Agent
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.9.0
Reported: 2018-04-16 15:28
Modified: 2018-04-20 13:41

Description From cendio 2018-04-16 15:28:44
I'm getting this AVC whenever a new session is created on Fedora 27:

> type=AVC msg=audit(1523880447.690:3845): avc:  denied  { dac_read_search } for  pid=12248 comm="tl-session" capability=2  scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

An strace however shows no EPERM or EACCES, so it isn't entirely clear what is
going on. Some googling finds this issue:

https://danwalsh.livejournal.com/77140.html

However we don't trigger unix_chkpwd so it's not that specific bug. The
symptoms are very similar though, so it's probably something along the same
lines.
------- Comment #1 From cendio 2018-04-16 15:33:58 -------
This line in strace matches the AVC timestamp, and is probably the culprit:

> [pid 12248] 14:07:27.690973 access("/run/user/500/bus", F_OK) = 0

/run/user/500 is only accessible by the user so it would require a DAC override
to access that directory by tl-session (which runs as root).

I don't know what generates this access(), but I would guess pam_systemd as I
think it's the only module that fiddles around with dbus.
------- Comment #2 From cendio 2018-04-16 15:48:59 -------
I could confirm that the issue is with /run/user/500/bus as doing chmod o+rwx
on the directory made the AVC go away.
------- Comment #3 From cendio 2018-04-16 16:13:26 -------
Reported to Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=1567988

Hopefully they can provide some insight.
------- Comment #4 From cendio 2018-04-16 16:23:15 -------
Should have checked our policy closer. We already have dac_override so I guess
we should just add dac_read_search as well. I can see some upstream changes to
that effect as well.
------- Comment #6 From cendio 2018-04-19 10:34:46 -------
Works fine with the change. Tester should check that an AVC is generated with
ThinLinc 4.8.0 but not with trunk.
------- Comment #8 From cendio 2018-04-20 13:41:24 -------
(In reply to comment #6)
> Works fine with the change. Tester should check that an AVC is generated with
> ThinLinc 4.8.0 but not with trunk.

On my Fedora 27 workstation with ThinLinc 4.8.1-5456.x86_64:

> $ sudo ausearch -i -c tl-session | tail -n 1
> type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc:  denied  { dac_read_search } 
>   for  pid=26015 comm=tl-session capability=dac_read_search scontext=system_u:system_r:thinlinc_session_t:s0
>   tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

After upgrading to ThinLinc 4.9.0-5758, I can't produce new AVC messages on
login.
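
As an added example (not code from this bug or from ThinLinc), a small Python parser for AVC records in the two forms quoted in the thread: the raw audit.log line with `capability=2` and the `ausearch -i` line with `capability=dac_read_search`. It keeps only capability denials and renders the TE allow rule that comment #4 describes adding; the sample lines are constructed from the quoted records, the third (non-capability) sample and its type label are made up, and plain TE `allow` syntax is an assumption about the policy.

```python
import re
from typing import Dict, List, Optional

# Capability numbers as raw audit.log prints them (capability=N); low range only.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
             4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid"}

_VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed samples modelled on the records quoted in the bug: raw form,
# `ausearch -i` form, and one non-capability denial (tcontext type made up).
SAMPLE_LINES = [
    'type=AVC msg=audit(1523880447.690:3845): avc:  denied  { dac_read_search } for  pid=12248 comm="tl-session" '
    'capability=2  scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc:  denied  { dac_read_search } for  pid=26015 comm=tl-session '
    'capability=dac_read_search scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1523880450.001:3846): avc:  denied  { write } for  pid=12248 comm="tl-session" name="bus" '
    'scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
]

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record (raw or `ausearch -i` form); None for other record types."""
    m = _VERDICT.search(line)
    if "type=AVC" not in line or m is None:
        return None
    rec: Dict[str, object] = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV.findall(line[m.end():]):      # key=value pairs after the braces
        rec[key] = val.strip('"')
    cap = rec.get("capability")
    if isinstance(cap, str) and cap.isdigit():        # raw form: number -> name
        rec["capability"] = CAP_NAMES.get(int(cap), cap)
    return rec

def capability_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only denied tclass=capability records, the kind this bug is about."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs
            if r and r["verdict"] == "denied" and r.get("tclass") == "capability"]

def allow_rule(rec: Dict[str, object]) -> str:
    """Render the TE allow rule for a capability denial (assumed plain TE syntax);
    a capability check is against the process's own context, hence `self`."""
    if rec["tcontext"] != rec["scontext"]:
        raise ValueError("capability checks are always against self")
    stype = str(rec["scontext"]).split(":")[2]
    return f"allow {stype} self:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"
```

Run over real output, feed `ausearch -m AVC -c tl-session` lines to `capability_denials` and compare the rendered rule with what the installed policy module already grants.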