Bug 7277 - ThinLinc server unusable on Fedora 29 with SELinux
Summary: ThinLinc server unusable on Fedora 29 with SELinux
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Linux
Importance: P2 Normal
Target Milestone: 4.10.0
Assignee: Pierre Ossman
URL:
Keywords: relnotes, samuel_tester
Depends on:
Blocks:
 
Reported: 2018-11-08 15:50 CET by Samuel Mannehed
Modified: 2019-02-15 16:54 CET

See Also:
Acceptance Criteria:

Description Samuel Mannehed cendio 2018-11-08 15:50:52 CET
Connecting using the native client or Web Access takes ~2 minutes if the server is running Fedora 29 and SELinux. Same applies to tlwebadm.

/var/log/audit/audit.log when trying Web Adm:

type=USER_AVC msg=audit(1541688083.263:765): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1959 spid=1 tpid=19772 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webadm_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

/var/log/audit/audit.log when trying native client:

type=USER_AVC msg=audit(1541687846.050:724): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1823 spid=1 tpid=19151 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_master_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

/var/log/audit/audit.log when trying Web Access:

type=USER_AVC msg=audit(1541687089.334:636): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1588 spid=1 tpid=17447 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"


strace on tlstunnel seems to indicate that user lookup is the problem; glibc's initgroups is the function that seems to hang.

Running 'setenforce 0' makes the problem go away.

Upstream report:

https://bugzilla.redhat.com/show_bug.cgi?id=1647920
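The three USER_AVC records above all share one shape: source type init_t, a thinlinc_*_t target type, class dbus, permission send_msg, and msgtype=method_return (the reply leg of a D-Bus call). The following parser is an added example, not ThinLinc's or Cendio's code, that pulls those fields out of audit.log text, counts the enforced denials per (source, target, class, permissions) tuple, and prints the allow rules audit2allow would derive from them. The sample input is constructed: the first two lines are copied from this report, the third is a made-up non-AVC record that the parser must skip. The rules it prints are what the denials imply, not necessarily the policy change ThinLinc shipped; they are there so a reviewer can compare a targeted rule against a coarser measure such as putting a whole domain in permissive mode.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. Lines 1-2 are the USER_AVC records from this bug
# (tlwebadm and tlstunnel/master); line 3 is a made-up SERVICE_START record
# included only to show that non-AVC audit types are ignored.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1541688083.263:765): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1959 spid=1 tpid=19772 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webadm_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1541687846.050:724): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1823 spid=1 tpid=19151 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_master_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_START msg=audit(1541687000.000:600): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tlwebadm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# "avc:  denied  { send_msg }" -> decision + the permission list in braces
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value pairs; values are either a double-quoted string or a run of non-space
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcEvent:
    decision: str            # "denied" or "granted"
    perms: Tuple[str, ...]   # permissions inside the braces, e.g. ("send_msg",)
    scontext: str            # full source label, e.g. system_u:system_r:init_t:s0
    tcontext: str            # full target label
    tclass: str              # object class, e.g. "dbus"
    enforced: bool           # True when permissive=0, i.e. access was really blocked
    msgtype: Optional[str]   # D-Bus message type for dbus-class events, else None

    @property
    def stype(self) -> str:
        return se_type(self.scontext)

    @property
    def ttype(self) -> str:
        return se_type(self.tcontext)


def se_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux label."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux label: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one audit record; return None if it carries no AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line))
    try:
        return AvcEvent(
            decision=m.group("decision"),
            perms=tuple(m.group("perms").split()),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            enforced=fields.get("permissive", "0") == "0",
            msgtype=fields.get("msgtype"),
        )
    except KeyError as exc:
        raise ValueError(f"AVC record missing field {exc}: {line[:80]!r}") from exc


def parse_audit_log(text: str) -> List[AvcEvent]:
    return [ev for ev in (parse_avc(l) for l in text.splitlines()) if ev is not None]


def summarize_denials(events: List[AvcEvent]) -> Counter:
    """Count enforced denials keyed by (source type, target type, class, perms)."""
    counts: Counter = Counter()
    for ev in events:
        if ev.decision == "denied" and ev.enforced:
            counts[(ev.stype, ev.ttype, ev.tclass, ev.perms)] += 1
    return counts


def allow_rules(events: List[AvcEvent]) -> List[str]:
    """Allow rules that would satisfy the enforced denials, in the form
    audit2allow prints them. Each one should be reviewed before it is loaded."""
    rules = set()
    for stype, ttype, tclass, perms in summarize_denials(events):
        if len(perms) == 1:
            rules.add(f"allow {stype} {ttype}:{tclass} {perms[0]};")
        else:
            rules.add(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return sorted(rules)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize_denials(evs).items():
        print(n, *key)
    print("\n".join(allow_rules(evs)))
```

Run against a real /var/log/audit/audit.log, the summary makes the pattern in this bug obvious: every denial has the reply (method_return) travelling from init_t to a ThinLinc domain, which is why, as the comments below note, setting the ThinLinc domains permissive does nothing and only init_t (or a rule naming init_t as the source) changes the outcome.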
Comment 1 Samuel Mannehed cendio 2018-11-08 15:52:43 CET
Also see bug 7203
Comment 2 Pierre Ossman cendio 2018-11-08 16:02:49 CET
I can reproduce this on Fedora Rawhide (what will become Fedora 30).

It did briefly work though because I had failed to run our SELinux setup, so the services were running as initrc_t. That breaks session startup in other ways though, so I still couldn't get a running session.
Comment 3 Pierre Ossman cendio 2018-11-15 13:47:16 CET
As an alternative to disabling everything, you can put just init_t in permissive mode:

> $ sudo semanage permissive -a init_t

Setting any of the ThinLinc contexts in permissive has no effect as it is init that is being denied, not ThinLinc.
Comment 4 Pierre Ossman cendio 2019-01-08 15:01:54 CET
Red Hat doesn't seem to want to touch the issue. But I've reported the problem to the upstream refpolicy as well:

https://github.com/SELinuxProject/refpolicy/issues/18

For now we'll have to apply a workaround.
Comment 5 Pierre Ossman cendio 2019-01-08 17:10:44 CET
I can no longer reproduce this issue on my Fedora Rawhide machine since I updated it.

I'm fairly sure the cause is that dbus-daemon got replaced by dbus-broker. I looked at the code for dbus-broker, as well as did some ltrace and gdb tracing. It seems it only does an SELinux check for method calls, and not for the response. And since this bug was a problem with the response, the bug is effectively sidestepped.

Need to check what the status of Fedora 29 is though.
Comment 6 Pierre Ossman cendio 2019-01-09 10:51:51 CET
The switch to dbus-broker will be for Fedora 30, so Fedora 29 will continue to be affected. It is also only the default, so users can switch back to dbus-daemon.

I was able to reproduce the bug again on Rawhide by switching back:

> $ sudo systemctl --no-reload disable dbus-broker.service
> $ sudo systemctl --no-reload --global disable dbus-broker.service
> $ sudo systemctl --no-reload enable dbus-daemon.service
> $ sudo systemctl --no-reload --global enable dbus-daemon.service
> $ sudo reboot

Will test an updated ThinLinc SELinux profile next.
Comment 7 Pierre Ossman cendio 2019-01-09 14:26:16 CET
I found why this happens, and also why this doesn't happen with Fedora 28:

The call that breaks is initgroups("nobody", gr->gr_gid) in tlstunnel as it calls into nss_systemd to fill out any supplemental groups. It works on Fedora 28 because nss_systemd didn't have support for initgroups yet there.

However on Fedora 28 it still had support for user lookups, which explains bug 7203. So that bug will also be fixed as a side effect.
Comment 9 Pierre Ossman cendio 2019-01-09 14:49:41 CET
Fixed now. Tester should check that user lookup works in all services:

 * Log in to a new session via Web Access

 * Use the health page in tlwebadm
Comment 10 Samuel Mannehed cendio 2019-02-15 16:54:21 CET
Verified that I got the problem on Fedora 29 with ThinLinc 4.9.0. I could then verify that it worked well with build 6042.
 * native client
 * web access
 * web adm
