Bug 7277 - ThinLinc server unusable on Fedora 29 with SELinux

Status: CLOSED FIXED
Product: ThinLinc
Component: Other
Version: trunk
Hardware: PC Linux
Importance: P2 Normal
Target Milestone: 4.10.0
Reported: 2018-11-08 15:50 by cendio
Modified: 2019-02-15 16:54


Description From cendio 2018-11-08 15:50:52
Connecting using the native client or Web Access takes ~2 minutes if the server
is running Fedora 29 and SELinux. Same applies to tlwebadm.

/var/log/audit/audit.log when trying Web Adm:

type=USER_AVC msg=audit(1541688083.263:765): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1959 spid=1 tpid=19772 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webadm_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

/var/log/audit/audit.log when trying native client:

type=USER_AVC msg=audit(1541687846.050:724): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1823 spid=1 tpid=19151 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_master_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

/var/log/audit/audit.log when trying Web Access:

type=USER_AVC msg=audit(1541687089.334:636): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1588 spid=1 tpid=17447 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"


strace on tlstunnel seems to indicate that user lookup is the problem; glibc's
initgroups is the function that seems to hang.

Running 'setenforce 0' makes the problem go away.

Upstream report:

https://bugzilla.redhat.com/show_bug.cgi?id=1647920
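The three audit records above share one shape: dbus-daemon (the subj, system_dbusd_t) refuses to deliver a method_return from init_t (systemd, spid=1) to a thinlinc_*_t domain. The following is an added example, not ThinLinc's or Cendio's code, that parses USER_AVC records into their fields and flags exactly that shape, so the condition can be picked out of a busy audit.log. The sample records are the three from the report re-joined onto single lines; the control record with the example_app_t target is constructed and does not come from the report.

```python
# Added example, not ThinLinc's or Cendio's code: parse the USER_AVC
# records quoted in the report and flag their common shape, namely
# dbus-daemon refusing to deliver a D-Bus method_return from init_t
# (systemd, spid=1) to a thinlinc_*_t domain.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

_AUDIT_HDR = re.compile(r"type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\)")
_AVC_BODY = re.compile(r"msg='(avc:.*?)'")             # nested avc message
_DENIED = re.compile(r"denied\s+\{\s*([\w ]+?)\s*\}")  # permission set
_KV = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")            # key=value tokens


@dataclass
class DbusDenial:
    timestamp: float
    serial: int
    perm: str
    msgtype: str
    scontext: str
    tcontext: str
    spid: int
    tpid: int
    permissive: bool

    @property
    def stype(self) -> str:
        return self.scontext.split(":")[2]   # user:role:TYPE:level

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


def parse_user_avc(line: str) -> Optional[DbusDenial]:
    """Parse one audit.log line. Returns a DbusDenial for USER_AVC records
    of class dbus, None for anything else (other record types, other
    object classes, unparsable lines)."""
    hdr = _AUDIT_HDR.search(line)
    if hdr is None or hdr.group(1) != "USER_AVC":
        return None
    body = _AVC_BODY.search(line)
    if body is None:
        return None
    denied = _DENIED.search(body.group(1))
    if denied is None:
        return None
    kv = {k: v.strip('"') for k, v in _KV.findall(body.group(1))}
    if kv.get("tclass") != "dbus":
        return None
    return DbusDenial(
        timestamp=float(hdr.group(2)),
        serial=int(hdr.group(3)),
        perm=denied.group(1),
        msgtype=kv.get("msgtype", ""),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        spid=int(kv.get("spid", -1)),
        tpid=int(kv.get("tpid", -1)),
        permissive=kv.get("permissive") == "1",
    )


def is_init_reply_to_thinlinc(d: DbusDenial) -> bool:
    """The signature from the report: the reply (method_return) sent by
    init_t is what gets dropped, and the receiver is a ThinLinc domain.
    The denied subject is init_t, which is why making the thinlinc_*_t
    types permissive does not help."""
    return (d.perm == "send_msg"
            and d.msgtype == "method_return"
            and d.stype == "init_t"
            and d.ttype.startswith("thinlinc_")
            and not d.permissive)


def scan(lines: Iterable[str]) -> List[DbusDenial]:
    """Return the denials in `lines` that match the report's signature."""
    hits = []
    for line in lines:
        d = parse_user_avc(line)
        if d is not None and is_init_reply_to_thinlinc(d):
            hits.append(d)
    return hits


# The three records from the report, re-joined onto one line each.
REPORTED_RECORDS = [
    "type=USER_AVC msg=audit(1541688083.263:765): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1959 spid=1 tpid=19772 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webadm_t:s0 tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'UID=\"dbus\" AUID=\"unset\" SAUID=\"dbus\"",
    "type=USER_AVC msg=audit(1541687846.050:724): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1823 spid=1 tpid=19151 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_master_t:s0 tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'UID=\"dbus\" AUID=\"unset\" SAUID=\"dbus\"",
    "type=USER_AVC msg=audit(1541687089.334:636): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1588 spid=1 tpid=17447 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'UID=\"dbus\" AUID=\"unset\" SAUID=\"dbus\"",
]

# Constructed control record (not from the report): same shape, but the
# receiver is a made-up example_app_t domain, so it must not be flagged.
CONTROL_RECORD = "type=USER_AVC msg=audit(1541688100.000:770): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2000 spid=1 tpid=20000 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:example_app_t:s0 tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'UID=\"dbus\" AUID=\"unset\" SAUID=\"dbus\""

if __name__ == "__main__":
    for d in scan(REPORTED_RECORDS + [CONTROL_RECORD]):
        print(f"{d.serial}: {d.stype} (pid {d.spid}) -> {d.ttype}: "
              f"{d.msgtype} {d.perm} denied")
```

On a live system, pass the file object for /var/log/audit/audit.log to scan(); each hit names the ThinLinc domain that never got its reply, which is the service whose user lookup is stalling.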
------- Comment #1 From cendio 2018-11-08 15:52:43 -------
Also see bug 7203
------- Comment #2 From cendio 2018-11-08 16:02:49 -------
I can reproduce this on Fedora Rawhide (what will become Fedora 30).

It did briefly work, though, because I had failed to run our SELinux setup, so the
services were running as initrc_t. That breaks session startup in other ways
though, so I still couldn't get a running session.
------- Comment #3 From cendio 2018-11-15 13:47:16 -------
As an alternative to disabling everything, you can put just init_t in
permissive mode:

> $ sudo semanage permissive -a init_t

Setting any of the ThinLinc contexts in permissive has no effect as it is init
that is being denied, not ThinLinc.
------- Comment #4 From cendio 2019-01-08 15:01:54 -------
Red Hat doesn't seem to want to touch the issue. But I've reported the problem
to the upstream refpolicy as well:

https://github.com/SELinuxProject/refpolicy/issues/18

For now we'll have to apply a workaround.
------- Comment #5 From cendio 2019-01-08 17:10:44 -------
I can no longer reproduce this issue on my Fedora Rawhide machine since I
updated it.

I'm fairly sure the cause is that dbus-daemon got replaced by dbus-broker. I
looked at the code for dbus-broker, as well as did some ltrace and gdb tracing.
It seems it only does an SELinux check for method calls, and not for the
response. And since this bug was a problem with the response, the bug is
effectively side stepped.

Need to check what the status of Fedora 29 is though.
------- Comment #6 From cendio 2019-01-09 10:51:51 -------
The switch to dbus-broker will be for Fedora 30, so Fedora 29 will continue to
be affected. It is also only the default, so users can switch back to
dbus-daemon.

I was able to reproduce the bug again on Rawhide by switching back:

> $ sudo systemctl --no-reload disable dbus-broker.service
> $ sudo systemctl --no-reload --global disable dbus-broker.service
> $ sudo systemctl --no-reload enable dbus-daemon.service
> $ sudo systemctl --no-reload --global enable dbus-daemon.service
> $ sudo reboot

Will test an updated ThinLinc SELinux profile next.
------- Comment #7 From cendio 2019-01-09 14:26:16 -------
I found why this happens, and also why this doesn't happen with Fedora 28:

The call that breaks is initgroups("nobody", gr->gr_gid) in tlstunnel as it
calls in to nss_systemd to fill out any supplemental groups. It works on Fedora
28 because nss_systemd didn't have support for initgroups yet there.

However on Fedora 28 it still had support for user lookups, which explains bug
7203. So that bug will also be fixed as a side effect.
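The call pinned down above is initgroups("nobody", gid), which in glibc walks the same NSS initgroups path as getgrouplist(3); Python exposes the latter as os.getgrouplist(), so the walk can be exercised and timed without the privilege initgroups() needs to change the process's group set. The following is an added example, not ThinLinc's code: it times that lookup for a user and reports whether nss_systemd is in the configured group sources. The nsswitch.conf text embedded below is a constructed sample, not read from disk, and the one-second limit is an assumed threshold.

```python
# Added example, not ThinLinc's code: time the supplementary-group lookup
# that the comment above identifies as the hanging call, and check whether
# the systemd NSS module is in the group lookup path at all.
import os
import pwd
import time
from typing import Dict, List

# Constructed sample in the shape of an nsswitch.conf; not a real file.
SAMPLE_NSSWITCH = """\
# constructed sample, not a real file
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
"""


def nss_sources(nsswitch_text: str, database: str) -> List[str]:
    """Modules configured for one NSS database, with action specifiers
    such as [NOTFOUND=return] dropped. Empty list if not configured."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            return [tok for tok in sources.split() if not tok.startswith("[")]
    return []


def time_group_lookup(user: str) -> Dict[str, object]:
    """Run the getgrouplist walk for `user` and time it. Raises KeyError
    if the user does not exist."""
    pw = pwd.getpwnam(user)
    t0 = time.monotonic()
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    return {"user": user, "groups": groups, "elapsed": time.monotonic() - t0}


def check_group_lookup(user: str, nsswitch_text: str,
                       limit_s: float = 1.0) -> Dict[str, object]:
    """Health check: is `user` resolvable, does the group walk finish
    within limit_s (assumed threshold), and is nss_systemd in the path,
    so that a blocked D-Bus round trip to pid 1 could stall it?"""
    sources = nss_sources(nsswitch_text, "group")
    result: Dict[str, object] = {
        "user": user,
        "nss_systemd": "systemd" in sources,
        "ok": False,
    }
    try:
        r = time_group_lookup(user)
    except KeyError:
        result["reason"] = "no such user"
        return result
    result["ngroups"] = len(r["groups"])
    result["elapsed"] = r["elapsed"]
    if r["elapsed"] >= limit_s:
        result["reason"] = f"group lookup took {r['elapsed']:.1f}s"
    else:
        result["ok"] = True
    return result


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as f:
        print(check_group_lookup("nobody", f.read()))
```

Run as root or as the service user on the affected host: a lookup that takes on the order of the two minutes described in the report, combined with nss_systemd in the group sources, is the same condition this bug hit.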
------- Comment #9 From cendio 2019-01-09 14:49:41 -------
Fixed now. Tester should check that user lookup works in all services:

 * Log in to a new session via Web Access

 * Use the health page in tlwebadm
------- Comment #10 From cendio 2019-02-15 16:54:21 -------
Verified that I got the problem on Fedora 29 with ThinLinc 4.9.0. I could then
verify that it worked well with build 6042:
 * native client
 * web access
 * web adm